Create NAT with secondary Public IPs block on ASA5515

ccna-angus · ‎07-07-2017

Hi,

I have ASA5515 and assigned by ISP first IPs block with multiple NATs on 'outside' interface. Now I am given secondary IP block (completely different set of IP subnet) by the same ISP. I want to use new IP block to create NAT. I have configured IP on another interface (called 'outside2') so that the setting shows like this:

IP block1: 218.220.10.16/28 ==> first IP assigned to 'outside' interface, last IP assigned to next-hop

IP block2: 72.154.26.32/28 ==> first IP assigned to 'outside2' interface, last IP assigned to next-hop

How do I create a new NAT using outside2 interface as working the same as creating NAT on outside interface? I ran into issue when trying to create NAT for outside2 interface. The incoming traffic from outside hit the interface outside2, but the return path used default route outside interface. It appeared a routing problem cause packet drop when return.

I appreciate for the help in advance.

GRANT3779 · ‎07-07-2017

Hi,

I had similar scenario in the past which was kindly answered here.

You don't really need to have your secondary Interface for what you want to achieve.

If the isp is routing the new subnet to your current outside interface, then you can configure nat with these new addresses.

If the ISP has configured a secondary IP address on the new subnet you will need to add the following command.

arp permit-nonconnected

Just use nat as you would normally with the new addresses in either case.

ccna-angus · ‎07-12-2017

Thanks for your information. This works when using the same outside interface on firewall.

However, My client wants to use separate firewall interface to allow NAT outgoing/incoming via IP Block2.What should ISP do on their device to make route change in order to make NAT traffic passing on newly configured interface?