06-16-2016 01:05 PM - edited 03-12-2019 12:54 AM
Hello Folks!
I have to migrate the configuration of a Linux firewall to an ASA 5516, but I have a problem:
My customer has 3 different links with the same ISP with the same subnet, for example:
Link 4MB IP 201.1.1.1/24
Link 15MB IP 201.1.1.3/24
Link 10MB IP 201.1.1.10/24
When I try to configure it on the ASA, I have a problem with overlap.
Does anyone know how to solve this problem?
Thanks
Marcio
06-16-2016 03:25 PM
And it should not work. This is not a valid IP addressing scheme. You need to fix the fundamental IP address issue first.
You could potentially plug all three circuits into a switch, and then into the outside interface of the ASA. Configure it with one of those IP addresses, and then NAT the other two to wherever you want them to go to.
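An added configuration sketch of the approach suggested in this reply, not part of the original post and not taken from the customer's firewall. The inside subnet, server addresses, object names, ACL name and the ISP gateway 201.1.1.254 are assumptions; the 201.1.1.x addresses are the example addresses from the question.

```cisco
! What the ASA refuses: two interfaces addressed in the same subnet.
! interface GigabitEthernet1/1
!  nameif outside1
!  ip address 201.1.1.1 255.255.255.0
! interface GigabitEthernet1/2
!  nameif outside2
!  ip address 201.1.1.3 255.255.255.0    <- rejected, overlaps outside1
!
! Instead: one outside interface on the shared segment (all three
! circuits land on the same switch/VLAN in front of the ASA).
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 201.1.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0   ! assumed inside subnet
 no shutdown
!
! Assumed ISP gateway; replace with the real next hop.
route outside 0.0.0.0 0.0.0.0 201.1.1.254 1
!
! The other two public addresses become static NAT mappings.
! The ASA answers ARP for mapped addresses that fall inside the
! outside interface subnet, so no second interface is needed.
object network SRV-WEB                    ! hypothetical server
 host 192.168.10.10
 nat (inside,outside) static 201.1.1.3
object network SRV-MAIL                   ! hypothetical server
 host 192.168.10.20
 nat (inside,outside) static 201.1.1.10
!
! Everything else leaves with PAT on the interface address.
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Static NAT alone does not open inbound access. Permit only the
! services that must be reachable (ACLs match the real address).
access-list OUTSIDE-IN extended permit tcp any object SRV-WEB eq https
access-list OUTSIDE-IN extended permit tcp any object SRV-MAIL eq smtp
access-group OUTSIDE-IN in interface outside
```

When migrating the Linux NAT rules, each translation maps to one object like the ones above, and each inbound service needs its own explicit permit line instead of a broad allow.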
06-17-2016 07:46 AM
Philip,
Thanks for your support.
In the Linux firewall there are a lot of NATs for each link. If I install all links in the switch, I have to do NAT twice, right?
Or do you think it is better to do the NAT on the L3 switch and in the ASA only control the access?
Thanks
06-17-2016 09:46 PM
No, there would be no need for double NAT.
L3 switches typically do not do NAT.
06-24-2016 07:17 AM
I know some switches have some limitations, but in this case, the switch is not Cisco, so my customer will be responsible for all configuration.
He gave me the suggestion to use proxy-arp and NAT to solve this problem.
To be honest, I don't know anything about proxy-arp.
06-27-2016 09:54 AM
You might look into the 9.6 series "zone" support, which is the first time we've seen ASA cope with multiple uplinks gracefully. It's been a historical pain point.
06-27-2016 10:07 AM
Thanks James,
I've been talking to other ASA experts, and none of them knows another way to do it, only with NAT 1:1 or dynamic PAT.