FirePower 1000 series add several pools to the outside interface

RicardoMG
Level 1

Hi Community!

I have a Firepower 1000 series.

We have two public IP pools assigned by our ISP (2x /29). There is only one cable connected directly between the ISP router and our FirePower outside interface. Using one IP from one of the pools (first pool), we have assigned the outside interface IP. The final idea will be to use all the public IPs (the rest of the first pool and the second one) and create NAT to our local servers.

Nowadays, we have a running ASA 5520 consuming these pools with the same configuration that I mentioned before, and we can consume all the IPs and it is working now, but the idea is to change it for the new FirePower 1000 Series.

The option that we use in the ASA 5520 to configure the outside pools is the "Global IP", but unfortunately, in the new FirePower, there is no such option.

In addition, testing with the FirePower, using the NAT option, we could configure NAT with the second pool, but when we try to do the same with the first pool (in which one of them is used to configure the IP on the outside interface), we cannot consume them.

Can you give us information about the way to configure several pools on the outside interface? Is it possible that we need an additional license to have this functionality?

Thank you so much for your assistance.
Accepted Solution

@RicardoMG you just need to get the ISP to route the second /29 network to the IP address of your Firewall. You can then define NAT objects using the second network.

You don't need additional licenses.

3 Replies

A - I think even with the ASA, when NATing to a pool, the pool subnet must match the outside interface.
If you have one cable from the SP and two separate public subnets, then I think you can connect a switch between the FW and the SP and
use two interfaces on the FW to connect to the switch.
The most important thing is that the SP knows both subnets.

B - I checked the Cisco ASA guide; there is no restriction for point A, but still please monitor the NATing.
In the guide there is a solution for your case:
configure an object group that includes an object network for each pool, and then use the object group in the NATing instead of both pool object networks.

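The accepted answer (have the ISP route the second /29 to the firewall's outside address, then build NAT objects from that range) and reply B (one network object per public address, used in the NAT statements) can be expressed in ASA CLI syntax. The following is an added illustration, not configuration from this thread or from Cisco; it assumes the Firepower 1000 runs the ASA software image (on FTD the same objects and NAT rules are created in FDM/FMC instead), and all addresses are RFC 5737 documentation placeholders chosen here, not the poster's real pools.

```cisco
! Outside interface uses one address from the first pool (203.0.113.0/29, placeholder)
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! First pool: static NAT for a server to another address on the outside subnet.
! The firewall answers ARP for 203.0.113.3 on the outside interface (proxy ARP).
object network srv-web
 host 192.168.10.10
 nat (inside,outside) static 203.0.113.3
!
! Second pool (198.51.100.0/29, placeholder): the ISP must route this /29 to
! 203.0.113.2; the firewall then simply maps the addresses as it did above.
object network srv-mail
 host 192.168.10.20
 nat (inside,outside) static 198.51.100.2
!
! Port-restricted static NAT limits exposure to one service on that public address
object network srv-vpn
 host 192.168.10.30
 nat (inside,outside) static 198.51.100.3 service tcp 443 443
!
! Everything else leaves via PAT on the outside interface address
object network inside-lan
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound traffic still needs an explicit ACL on the real (inside) addresses
access-list outside_in extended permit tcp any host 192.168.10.10 eq 80
access-list outside_in extended permit tcp any host 192.168.10.30 eq 443
access-group outside_in in interface outside
```

To verify, `show nat` lists the translations with hit counters, and `show xlate` shows active entries; if translations for the second pool never get hits while the first pool works, the ISP-side route for that /29 is the first thing to check, since without it return traffic never reaches the outside interface.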
RicardoMG
Level 1

Thank you so much for your help. In the laboratory that we have created for the issue, it was enough to create the NAT for each IP from each pool to the local server. For the next step, we are going to ensure with the ISP that all the traffic is redirected to the IP that we have configured on the outside interface.

Thank you so much to all!
