03-06-2007 12:28 PM - edited 03-11-2019 02:42 AM
I have an ASA 5510 currently running with a configured subnet from our ISP. Our ISP issued us an additional subnet for us to use.
Is it possible to add this new subnet to our ASA appliance somehow?
We need the IP addresses to map to machines that are in our DMZ.
What is the correct way to do this?
thanks.
TCG
03-06-2007 12:52 PM
If your ISP could route the IP addresses to the PIX's outside interface, then there's no problem.
What you can do is implement this configuration:
New IP address range which you want to implement in the DMZ:
44.44.44.44 /24
static (dmz,outside) 44.44.44.45 44.44.44.45
static (dmz,outside) 44.44.44.46 44.44.44.46
access-l out_in permit tcp any host 44.44.44.45 eq 80
This is an example configuration where you have a web server in the DMZ which has the IP address 44.44.44.45.
I hope this will help!!
sushil
Cisco TAC.
03-06-2007 01:30 PM
I think that should be ok. It is kind of odd (just stepped into this job), but the ISP actually controls and configures the router on our end. From what I have been told, they have already configured the router with the new subnet.
They have given me a /27 subnet.
Let's just say the subnet is 63.140.19.128/27 (random numbers).
If it is already configured on the router, I don't need to set up anything on the ASA itself? I could just start using the IP addresses when I need them?
Can I still map a private IP address range to the new subnet? That is how we currently do it:
static (dmz,outside) 10.0.0.1 63.140.19.129
access-list out_in permit tcp any host 63.140.19.129 eq www
I appreciate the help.
03-06-2007 01:39 PM
"static (dmz,outside) 10.0.0.1 63.140.19.129"
This is incorrect.
It should be
static (dmz,outside) 63.140.19.129 10.0.0.1
Let's say the NEW subnet is 63.140.19.128/27.
When I (anyone on the internet) initiate a request for this subnet, it reaches the outside router and then goes to the ASA.
Till here, it's the ISP's responsibility.
If they are able to route two different subnets to your location, that's great (generally this doesn't happen).
Now, when any packet meant for this IP address reaches the outside router, it should come to the ASA's outside interface.
For that, the ASA's outside interface should do the proxy ARP for this IP address.
That proxy ARP is done by the static.
So, if you put in a static statement
static (dmz,outside) 63.140.19.129 10.0.0.1
then the packet will hit the ASA's outside interface, the ASA will redirect the packet to the DMZ interface, to the private IP address.
hope this helps!!
Sushil
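Added example (not part of the original posts and not Cisco tooling): a small Python check for the argument-order mistake corrected above. It assumes the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip` syntax used in this thread and that the outside ACL names the mapped (public) address; `lint`, the regexes and the sample configs are constructed for illustration.

```python
import ipaddress
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Pre-8.3 syntax used in this thread: static (real_ifc,mapped_ifc) mapped_ip real_ip
STATIC_RE = re.compile(rf"^static \(\w+,\w+\) {IP} {IP}")
# Matches "access-list" and abbreviations such as "access-l"
ACL_RE = re.compile(rf"^access-l\S* \S+ permit \w+ any host {IP}")

# Constructed samples built from the addresses quoted in the thread.
ASKER_CONFIG = """\
static (dmz,outside) 10.0.0.1 63.140.19.129
access-list out_in permit tcp any host 63.140.19.129 eq www
"""
FIXED_CONFIG = """\
static (dmz,outside) 63.140.19.129 10.0.0.1
access-list out_in permit tcp any host 63.140.19.129 eq www
"""


def lint(config, public_blocks):
    """Return (line_number, message) findings for static/ACL lines in config."""
    nets = [ipaddress.ip_network(b) for b in public_blocks]

    def routed(ip):
        return any(ip in net for net in nets)

    lines = [line.strip() for line in config.splitlines()]
    findings, mapped = [], set()
    for no, line in enumerate(lines, 1):
        m = STATIC_RE.match(line)
        if not m:
            continue
        first, second = (ipaddress.ip_address(a) for a in m.groups())
        if routed(first):
            mapped.add(first)  # correct order: the public address comes first
        elif routed(second):
            findings.append((no, f"static reversed: use {second} {first}"))
        else:
            findings.append((no, f"{first} is not in a routed public block"))
    for no, line in enumerate(lines, 1):
        m = ACL_RE.match(line)
        if m and ipaddress.ip_address(m.group(1)) not in mapped:
            findings.append((no, f"ACL host {m.group(1)} has no valid static"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("asker", ASKER_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint(cfg, ["63.140.19.128/27"]))
```
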
03-06-2007 02:30 PM
Got it...that makes sense.
So in a nutshell, as long as the ISP has taken care of their part by configuring that block of IP's on the router, and I configure things properly on ASA (using static) then everything SHOULD be good to go.
That correct?
Thank you very much. You have been very helpful.
03-07-2007 05:10 AM
Yes, absolutely correct.