ASA5500-x and multiple public IPs

Dan Torres
Level 1

We have five public ip addresses from Comcast. Right now they are being used by one firewall and four routers (one public ip per device). Is it possible to have a single ASA5500-x to utilize all five public ips? For example, have the outside interface take one public IP address and have devices on the DMZ to take the other four.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

 

You can utilize the 5 IP addresses on the ASA. Typically one public IP address is configured on the interface and is used in the NAT configurations also (typically the Dynamic PAT for all users).

 

I assume that you have been allocated a /29 subnet of which one IP address is configured on the ASA external interface? The rest of the IP addresses from that subnet can be used in the ASA NAT configurations, but naturally you are not able to use them behind the ASA, as the same subnet is already configured on the external interface of the ASA. So you would have to use private IP addressing for the hosts/devices behind the ASA on the internal network and then perform NAT to the public IP addresses on the ASA.

 

Hope this helps :)

 

- Jouni


Hi Jouni,

 

Yes, we’ve been allocated the /29 subnet. One IP is indeed configured on the ASA outside/external interface. I tried to assign more public IPs to another interface but, like you said, the ASA didn’t like it as it was using the same subnet.

 

So it sounds like I can connect 4 routers on the ASA and have them use the four public IPs, but I can’t use them behind the ASA, meaning they wouldn’t take advantage of the ASA? In that case, I guess I should just keep our existing setup where I have one firewall and four routers that have their own public IP, connected to a modem? How do others utilize multiple public IPs?

 

We also have CenturyLink with 5 public IPs (/29). I was going to set up a dual ISP line and I understand that the ASA only supports active/standby. I suppose two interfaces having the same subnet wouldn't be an issue here as it will be an active/standby dual ISP line?

Hi,

 

If you want to directly use the public IP addresses on the devices then they really can't be located behind the ASA on the internal side. If you were to locate the 4 routers behind the ASA they would have to be configured with different IP addresses, and NAT would be performed on the ASA to translate the routers' IP addresses to the public IP addresses.

 

Naturally if you had a small link subnet from the ISP to configure between your ASA and the ISP gateway then the ISP could route the current /29 subnet towards the ASA and you could then configure the subnet on some internal interface and place the devices on that subnet directly. I am not really sure what the current setup is since you have 4 routers? What are they used for?

 

Naturally if you were to place the ASA in Transparent mode between the modem and some internal switch for example then you could use the public subnet directly on the devices. Naturally using the ASA as Transparent would limit its functionality.

 

I am not sure what you mean with the last paragraph? The only thing I can say is that you cannot use the same subnet on 2 different interfaces of the ASA. To my understanding the ASA should prevent you from configuring this. Even in an Active/Standby Failover setup with a pair of ASAs the configurations on the devices are actually identical, so that does not allow you to configure the same subnet on 2 different interfaces.

 

- Jouni
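Putting Jouni's two replies into a concrete configuration, as an added example that is not from this thread: ASA 8.3 or later object NAT syntax, with the documentation range 203.0.113.0/29 standing in for the Comcast /29 (placeholder addresses; .1 assumed to be the ISP gateway, .2 the ASA outside interface), the four test routers on a private DMZ, and each router translated one-to-one to one of the spare public IPs .3 through .6. Interface names, object names and the DMZ/inside subnets are all assumptions.

```cisco
! Added example, not the thread's own config. Assumes ASA 8.3+ object NAT
! syntax. 203.0.113.0/29 is a documentation range standing in for the real
! /29: .1 is the ISP gateway, .2 the ASA, .3-.6 are the spare public IPs.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! The DMZ uses private addressing; the public /29 cannot be reused here
! because it already lives on the outside interface.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! One-to-one static NAT: each test router's private address is presented
! on the Internet as one spare public IP. The ASA answers ARP for these
! mapped addresses on the outside interface (proxy ARP), so no router
! ever carries a public address itself.
object network TEST-ROUTER-1
 host 192.168.10.11
 nat (dmz,outside) static 203.0.113.3
object network TEST-ROUTER-2
 host 192.168.10.12
 nat (dmz,outside) static 203.0.113.4
object network TEST-ROUTER-3
 host 192.168.10.13
 nat (dmz,outside) static 203.0.113.5
object network TEST-ROUTER-4
 host 192.168.10.14
 nat (dmz,outside) static 203.0.113.6
!
! Everyone on the inside network shares the interface address via PAT.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Static NAT alone does not admit inbound traffic; an outside ACL must
! permit it. Keep it to the ports each router actually needs (hypothetical
! example: only HTTPS to the first router). In 8.3+ the ACL matches the
! real (private) address, hence the object reference rather than .3.
access-list OUTSIDE-IN extended permit tcp any object TEST-ROUTER-1 eq 443
access-group OUTSIDE-IN in interface outside
```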

 

The four routers are used to create isolated test networks. It is no big deal if I cannot use them behind the ASA as the devices behind the routers are nothing critical.

 

It sounds like I’d need to change the number of public IPs on either Comcast or CenturyLink to set up active/standby failover.

 

Thank you for your help.
