ASA5510: Two distinct public IP ranges on DMZ

p-jeronimo · ‎03-07-2013

I’ve been trying to figure out this for quite a while. I have a range of public IP addresses directly assigned on my dmz servers.

The inside interface of ASA 5510 has one of those public IP addresses assigned (the default gateway for all dmz servers).

Now I have a new range of public IPs that I also want to directly assign to new dmz servers.

My goal is to have two distinct public IP ranges on dmz that should communicate between them. The inside ASA interface should be the default gateway for both networks.

How can I achieve this setup?

Thank you for any help you can give me.

Paul

Jouni Forss · ‎03-07-2013

Hi,

To my understanding there is no official way of having a secondary IP address range on a single physical or logical interface on an ASA firewall.

So you would either have to

To move the L3 point of the DMZ network to some router/L3 switch behind the ASA for you to be able to use 2 different networks on a single interface.
Or you would simply have to configure this new network in a new interface on the ASA.
- In a physical port if you have one free
- Configure existing interface as Trunk if you dont have free physical ports on the ASA

There atleast used to be (might still be) a "workaround" to using secondary IP address range on a single ASA interface. I have never used it and will never use it unless it becomes somehow officially supported on the ASA.

I dont want to first configure something not officially supported and setup a new environment (possibly critical one) relying on that "workaround". When you happen to run into some problem with this special setup you would have wished you had taken the extra time to set it up properly.

- Jouni