Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3216
Views
0
Helpful
7
Replies

ASA with IP aliases

Joseph S
Level 1
Level 1

‎12-14-2015 06:15 AM - edited ‎03-12-2019 06:09 PM

Coming from a linux firewall environment, I find it very difficult to setup the ASA5585-X with the limitation of 1 IP per interface.

What are the options that we have to handle 5 ip aliases per interface on the ASA?

With linux you can do "ifconfig eth0:X" as many times as you need to add IP addresses to the same interface.

I know there is something that can be done with NAT but this seems complex and hard to trouble shoot in the future.

regards, Joseph.

Labels:
0 Helpful
7 Replies 7

Karsten Iwen
VIP
VIP

‎12-14-2015 01:52 PM

On the ASA it´s NAT that you have to use. There are no secondary ip addresses as on other systems (including IOS routers). But don´t worry, after a short time you´ll get used to this "native" method of handling multiple IPs on the ASA.

0 Helpful

Joseph S
Level 1
Level 1
In response to Karsten Iwen

‎12-14-2015 04:24 PM

Do you have any examples?

interface vlan2 10.10.30.1/24

interface vlan2  10.10.40.1/24

How would I do this?

What about the arp alias method? Is this a good method?

0 Helpful

Karsten Iwen
VIP
VIP
In response to Joseph S

‎12-14-2015 04:45 PM

First you have to ask yourself what you want to do with the additional IP addresses. After that a way to implement it can be discussed.

0 Helpful

Joseph S
Level 1
Level 1
In response to Karsten Iwen

‎12-14-2015 05:08 PM

We have lots of vlans.

And due to redundancy or other requests we have more than one subnet on a given vlan.

Changing vlans or ip addresses involve service outages.

To avoid outages, it seems to make sense to use aliases.

0 Helpful

Karsten Iwen
VIP
VIP
In response to Joseph S

‎12-14-2015 10:52 PM

Ok, now I see what you want to achieve. Sadly, the ASA is the wrong device to support this kind of network-design.

That's a configuration that you should put on a layer 3 switch (or router). Both have more flexibility then the ASA here.

0 Helpful

Joseph S
Level 1
Level 1
In response to Karsten Iwen

‎12-15-2015 02:28 AM

So, with the ASA is there really no way a person can handle more than one subnet per interface? Vlan interface that is?

This traffic does live on L3 routers. But from security concerns, and design it seems hard to think how to use the L3 routers in addition to the ASA.

0 Helpful

Karsten Iwen
VIP
VIP
In response to Joseph S

‎12-15-2015 03:08 AM

You can build subinterfaces that correspomnd to VLANs. But also here you have one IP network per subinterface/vlan. That's the (clean) network design  that the ASA expects.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card