ASA5510 IP Addresses question

haidar_alm
Level 1

Hello,

This may seem like a basic question to the experienced engineers, but I'm having an issue understanding how it works since I'm not that knowledgeable in this.
My question is regarding IP addressing within an ASA 5510 configuration.

We've been allocated a range of IP addresses to use from our ISP.

62.7.80.192 /28 (Not real addresses)


We've recently run out of the allocated ones and have been given a new range to add to the existing environment:

217.33.240.192 /27


Looks similar to below:

                  (DMZ)
                    |
                    |
ASA (Outside Interface 62.7.80.194) ----> (Gateway 62.7.80.193)
                    |
                    |
             (Internal Network)

The routing is showing:

S*   0.0.0.0 0.0.0.0 [1/0] via 62.7.80.193, OUTSIDE

My question is how will I be able to incorporate the new address range so that new servers within the DMZ can access the outside world?

Is there an option to have subinterfaces on the outside interface, one for the 62 network and one for the 217 network?

Please let me know if you would like any additional detail.

Many thanks,


7 Replies

Jouni Forss
VIP Alumni

Hi,

Do you want to use the new IP address range on the "outside" edge of the firewall as NAT IP addresses or do you want to use the new IP address range directly on the new "dmz" so that the servers are directly configured with a public IP address?

I would not suggest subinterfaces. There really is no need for them.

Could you share your ASA software level, as this has an effect on the required configurations to make this work.

Has the ISP stated how they added the IP address range? Is it configured as a "secondary" IP address range on their upstream router/gateway? Or have they routed the said network towards your ASA's "outside" IP address?

Can you let me know the above information and we can look at what needs to be done.

I also have a section on this subject in a document I recently created (mostly regarding the 8.3+ NAT format, though):

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

Hello Jouni,

Many thanks for your reply. Will answer your question soon once I get the details.

Many thanks again, and apologies about the late reply from me... I was on a course, then assigned to a project that just finished.

KR
H

My suggestion would be to simply create a second DMZ, say DMZ2, and just assign IP addresses from the new range to the servers in that DMZ. Of course, a new interface will be needed on the ASA for DMZ2. If you don't have an available interface, then you could convert the existing DMZ interface into a trunk to a DMZ switch, for example. On that switch you would have 2 VLANs, one for the old DMZ, one for the new DMZ.

Routing-wise, you don't need to do anything, assuming the ISP routed the new range to your ASA. If you have some sort of perimeter router between your ASA and the ISP router, then you would need to add a static route there for the new range to your ASA.

Best regards,

Stefan

Hi Stefan,

Looking at the attached diagram, each one of the servers that sits on the existing DMZs has got a localized IP address within the range y.y.126.0; they also have a public IP address of x.x.89.206 and x.x.89.205.
We ran out of the x.x.89.0 range and we've been given a new range.

Based on your reply, all that I need to do when there is a new project is to create a new DMZ with a localized y.y.126.0 address, and a public address with one of the new IP addresses from within the new range.

Routing on the firewall should take care of things since it's got a default route, and all I need then is to amend the policies depending on requirements for access in/out of the DMZ.

I will also need to make sure that our ISP routed the new range to our LAN as per your comment.

Please let me know if I understood your comment correctly.

Many thanks,

H

Hello Haidar,

First of all we need to clear something up. When you say "each one of the servers that sits on the existing DMZs has got a localized IP address within the range y.y.126.0, they also have a public IP address of x.x.89.206, and x.x.89.205", what exactly do you mean? Do the servers only have a local IP from y.y.126.0 configured on their NICs and x.x.89.205/206 are just NAT IPs configured on the ASA? Or do the servers actually have two IP addresses configured on their NICs?

If x.x.89.206 are NAT'ed IP addresses (which the ASA translates to y.y.126.0) then you don't need another interface. You just need to use IP addresses from the new range assigned by the ISP to NAT to IPs from x.x.126.0, which you will assign to the new servers.

Best regards,

Stefan

Hi Stefan,

Apologies about confusing the issue.

These are single servers that sit on the DMZ with a NAT rule on the firewall for their external public IP address to be translated to the local address.

Many thanks,

H

Hello Haidar,

No problem. Then you don't need to do much, a new interface is not needed in this case. Just place your new servers in the existing DMZ VLAN, assign them the local IPs out of y.y.126.0 (assuming you have free IPs there) and then just create the needed NAT translations on the ASA using external IPs out of the new range assigned to you by the ISP.

As long as the range is correctly routed to your ASA, it should work without any problems. The ASA itself does not need to have an IP out of the new range configured on any of its interfaces, it'll just use proxy arp to attract traffic for the new range.

Best regards,

Stefan
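As an added example (not from the thread, Cisco, or any of the posters), a small Python helper that applies the accepted answer: it parses existing ASA 8.3+ object NAT statements, lists which public IPs in the two ISP ranges are still free (skipping network and broadcast addresses, the ISP gateway and the OUTSIDE interface address), and emits the static NAT stanza for a new DMZ server only after checking both addresses. The DMZ subnet 10.10.126.0/24 (standing in for y.y.126.0) and the existing NAT lines are constructed stand-ins.

```python
import ipaddress
import re

# Constructed sample data for this thread: the ISP ranges are the ones in the
# post (not real addresses); the DMZ subnet and NAT lines are assumed.
ISP_RANGES = [ipaddress.ip_network("62.7.80.192/28"),
              ipaddress.ip_network("217.33.240.192/27")]
RESERVED = {ipaddress.ip_address("62.7.80.193"),   # ISP gateway
            ipaddress.ip_address("62.7.80.194")}   # ASA OUTSIDE interface
DMZ_NET = ipaddress.ip_network("10.10.126.0/24")   # stands in for y.y.126.0

EXISTING_CONFIG = """
object network srv-web
 host 10.10.126.10
 nat (DMZ,OUTSIDE) static 62.7.80.205
object network srv-mail
 host 10.10.126.11
 nat (DMZ,OUTSIDE) static 62.7.80.206
"""

NAT_RE = re.compile(r"nat \(DMZ,OUTSIDE\) static (\S+)")

def used_public_ips(config):
    """Public IPs already consumed by static NAT statements in the config."""
    return {ipaddress.ip_address(m) for m in NAT_RE.findall(config)}

def free_public_ips(config):
    """Allocated public IPs that are neither reserved nor already mapped."""
    taken = used_public_ips(config) | RESERVED
    return [str(ip) for net in ISP_RANGES
            for ip in net.hosts() if ip not in taken]  # hosts() skips net/bcast

def validate(local_ip, public_ip, config):
    """Return None if the local/public pair is usable, otherwise a reason."""
    pub = ipaddress.ip_address(public_ip)
    if ipaddress.ip_address(local_ip) not in DMZ_NET:
        return "local IP is not in the DMZ subnet"
    if not any(pub in net for net in ISP_RANGES):
        return "public IP is outside the ISP-allocated ranges"
    if pub in RESERVED or pub in used_public_ips(config):
        return "public IP is reserved or already mapped"
    return None

def nat_config(name, local_ip, public_ip, config=EXISTING_CONFIG):
    """Object NAT stanza (ASA 8.3+ syntax) for a new server in the existing DMZ."""
    problem = validate(local_ip, public_ip, config)
    if problem:
        raise ValueError(problem)
    return (f"object network {name}\n"
            f" host {local_ip}\n"
            f" nat (DMZ,OUTSIDE) static {public_ip}\n")
```

The stanza only creates the translation; the access rule permitting inbound traffic to the new server still has to be added separately, as the thread notes.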
