Can the ASA 5555 translate to a secondary ip address block?

I just purchased an ASA 5555 and started to configure.  I was successful in natting all the IPs that are on the same subnet as the ASA eth0.  I could not get the nat working for the 2nd address block.  Any ideas?

Ex:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.33 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
object network WEBSERVER1
 host 10.1.1.2
object network WEBSERVER1
 nat (inside,outside) static 172.22.22.22

#################################################

I can't NAT to my 2nd address block. 

However, if I change the NAT of WEBSERVER1 to an address of 192.168.1.34, it works just fine.

The pix doesn't have any issues, but I can't move over to the ASA until I get this resolved.

Any ideas?  Am I missing something?

Thanks.

Scot

Accepted Solution

This is a restriction that was introduced in 8.4.x. If you still want to use the IPs of the non-connected subnet, you have to upgrade to 8.4.4.5 where an additional arp-command is available to respond to arp-requests for addresses of non-connected subnets.


Sent from Cisco Technical Support iPad App


Marvin Rhoads

How could you have the single outside interface using addresses from two separate subnets? You'd need to use a second interface (or subinterfaces) to do that.

Thanks Marvin. That was my next step. Just wasn't sure if I could configure like the pix.

Sent from Cisco Technical Support iPad App

Ok. I was able to solve my problem. My ASA software is 8.6. I was not able to create two default routes.

ASA had 1.1.1.1 as the outside interface.  I could not get 2.2.2.2 to nat, because the ASA doesn't do proxy arp in 8.6

My OGW 3750 had 1.1.1.254 & 2.2.2.254 on the interface.

Step 1

Remove all 2.2.2.x from all physical interfaces.

Step 2

Route from the OGW 2.2.2.x to 1.1.1.1 of the ASA

Step 3

Setup NAT on the ASA to NAT internal host to 2.2.2.2-10

Worked perfectly.
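The routed arrangement Scot describes, written out as an added example configuration (it is not from the thread or from Cisco); it assumes his addresses (ASA outside 1.1.1.1/24, gateway 1.1.1.254, translated block 2.2.2.0/24, inside host 10.1.1.2), a hypothetical gateway SVI and a hypothetical ACL name.

```cisco
! --- On the 3750 outside gateway (OGW, hypothetical VLAN interface):
! --- the 2.2.2.0/24 block no longer lives on the interface; it is routed to
! --- the ASA's outside address, so the ASA never has to proxy-ARP for
! --- addresses it does not own on a connected subnet.
interface Vlan10
 ip address 1.1.1.254 255.255.255.0
 no ip address 2.2.2.254 255.255.255.0 secondary
!
ip route 2.2.2.0 255.255.255.0 1.1.1.1

! --- On the ASA (8.6): outside keeps only its connected /24 and a default
! --- route back to the gateway; NAT maps the inside host into the routed block.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.1.1.254
!
object network WEBSERVER1
 host 10.1.1.2
 nat (inside,outside) static 2.2.2.2
!
! Inbound traffic to the translated address is still dropped by the outside
! interface's security level until an ACL permits it. On 8.3+ the ACL matches
! the real (untranslated) address, so expose only the service you intend.
access-list OUTSIDE_IN extended permit tcp any object WEBSERVER1 eq 443
access-group OUTSIDE_IN in interface outside
!
! Verification from the ASA: the translation should appear in
!   show nat detail
!   show xlate
! and "ping 2.2.2.2" from a host beyond the gateway should now reach
! WEBSERVER1 only if ICMP is also permitted in OUTSIDE_IN.
```

The same pattern extends to a range (2.2.2.2-10) by adding one object network per host, each with its own static NAT into the routed block.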
