02-06-2018 01:52 PM - last edited on 02-21-2020 11:35 PM by cc_security_adm
We have an Active/Standby pair of ASA5520 devices connected to the core with a /27 public IP address. We also have an Active/Standby pair of ASA5525-X devices connected to the core with a /28 public IP address. The default route from the core goes out the ASA5520 devices. The ASA5525-X devices handle remote access users and P2P VPN links to remote sites. There are services on our private network that are accessed publicly from both sets of ASAs. We would like to retire the ASA5520 devices. However, the ISP who provides us with the /27 IP space refuses to allocate more IPv4 addresses. As such, we don't have enough public IP addresses in our /28 IP address space to accommodate all the services we provide on the /27 public IP address space along with the existing services already provided using the /27 IP address space. How can we go about properly setting up the ASA5525-X devices dual homed with both of our current ISPs and external facing services?
Thanks
02-06-2018 02:21 PM
If the address space is from the same ISP - can you not just ask them to route the existing /27 down your /28?
02-06-2018 02:25 PM - edited 02-06-2018 02:25 PM
@Philip D'Ath wrote:
If the address space is from the same ISP - can you not just ask them to route the existing /27 down your /28?
The /27 is from AT&T, the /28 is from Windstream.
02-06-2018 02:28 PM
I have done this before, but it can be a bit nasty sometimes.
Configure two outside interfaces, outside-att and outside-windstream. Then use policy routing to decide which outside interface to use.
For example, traffic from a public DMZ in the /27 goes out the ISP link that it belongs to.
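An added example (not the poster's configuration, and not from the thread) of what the two-outside-interface layout described above looks like in ASA CLI. It assumes ASA 9.4(1) or later for the policy-route command; the addresses are RFC 5737 documentation ranges, and the interface names, gateways and published server addresses are assumptions.

```cisco
! Added example, not from the thread. Addresses, names and gateways are assumed.
! One outside interface per ISP
interface GigabitEthernet0/0
 nameif outside-att
 security-level 0
 ip address 203.0.113.2 255.255.255.224
!
interface GigabitEthernet0/1
 nameif outside-windstream
 security-level 0
 ip address 198.51.100.2 255.255.255.240
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Default route out Windstream; higher-metric backup route out AT&T
route outside-windstream 0.0.0.0 0.0.0.0 198.51.100.1 1
route outside-att 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! One server published on an AT&T (/27) address, one on a Windstream (/28) address
object network web-att
 host 10.0.0.10
 nat (inside,outside-att) static 203.0.113.10
object network web-ws
 host 10.0.0.20
 nat (inside,outside-windstream) static 198.51.100.10
!
! Policy routing: traffic sourced by the host published on the /27 is sent to the
! AT&T gateway instead of following the default route (match is on the real,
! pre-NAT address because the route-map is applied on the inside interface)
access-list PBR-ATT extended permit ip host 10.0.0.10 any
route-map PBR-ATT permit 10
 match ip address PBR-ATT
 set ip next-hop 203.0.113.1
!
interface GigabitEthernet0/2
 policy-route route-map PBR-ATT
!
! Inbound access to the published services on each ISP interface (real addresses, post-8.3 style)
access-list outside-att-in extended permit tcp any host 10.0.0.10 eq 443
access-group outside-att-in in interface outside-att
access-list outside-ws-in extended permit tcp any host 10.0.0.20 eq 443
access-group outside-ws-in in interface outside-windstream
```

Each additional service published on the /27 needs its real address added to the PBR-ATT access-list so its traffic leaves via the matching ISP; `show route-map` and `show conn` on the ASA confirm which next hop and interface a given connection is using.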
02-06-2018 02:36 PM
@Philip D'Ath wrote:
I have done this before, but it can be a bit nasty sometimes.
Configure two outside interfaces, outside-att and outside-windstream. Then use policy routing to decide which outside interface to use.
For example, traffic from a public DMZ in the /27 goes out the ISP link that it belongs to.
In my case, I would move the /27 [AT&T] connection over to the ASA5525-X devices which already have the existing /28 [Windstream] circuit. The default route would go out the Windstream connection. My concern is how to properly route for *incoming* connections from the Outside-ATT interface to services on my private network. Can you give more details on what kind of policy routing I need to do here?