Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
584
Views
0
Helpful
3
Replies

FWSM: Two Outside interfaces

Go to solution
javiercastro
Level 1
Level 1

‎02-23-2009 09:13 AM - edited ‎03-11-2019 07:55 AM

I've just ran out of IP adresses in my outside network segment. I'll have to configure a new outside vlan in the same context in order to assign new static translations for new servers in my inside network. I'm currently using a default route pointing to the outside interface.

My question is... what happens with routing to the outside once I configure the second outside interface? I figure that connections initiated from the outside (any of the two interfaces) will work ok. What about any connection attempted from the inside?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to javiercastro

‎02-23-2009 10:45 AM

No you don't need a secondary IP address.

There is no default-gateway for the subnet because it is not actually attached to anything ie. it is just used for NAT.

So lets say you pick a new subnet of 192.168.7.0/24. All you have to do is make sure that any traffic destined for 192.168.7.x is sent to the outside interface of your FWSM. How you do this depends on your topology but typically it would be done with static route on MSFC redistributed into your internal routing protocol. So on MSFC

ip route 192.168.7.0 255.255.255.0

then as stated you need to ensure this route is propogated throughout your network or at least to the parts of the network that need access to these servers.

Then on your FWSM

static (inside,outside) 192.168.7.x netmask 255.255.255.255

and add access rules to your existing acl that is on the outside interface eg.

access-list outside_in permit tcp any host 192.168.7.x eq 80

Jon

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎02-23-2009 10:17 AM

Francisco

You don't need to create a second interface, just point the route for the new subnet to the existing outside interface and then use addresses out of your new subnet for static translations.

This will keep your routing etc. a lot simpler. If you create multiple outside interfaces then you may have issues with traffic entering one interface and being routed back via the other outside interface.

Jon

0 Helpful

Go to solution
javiercastro
Level 1
Level 1
In response to Jon Marshall

‎02-23-2009 10:38 AM

In that case... Should I configure a secondary address for the SVI in the supervisor engine? if not, who acts as a default gateway for this new subnet?

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to javiercastro

‎02-23-2009 10:45 AM

No you don't need a secondary IP address.

There is no default-gateway for the subnet because it is not actually attached to anything ie. it is just used for NAT.

So lets say you pick a new subnet of 192.168.7.0/24. All you have to do is make sure that any traffic destined for 192.168.7.x is sent to the outside interface of your FWSM. How you do this depends on your topology but typically it would be done with static route on MSFC redistributed into your internal routing protocol. So on MSFC

ip route 192.168.7.0 255.255.255.0

then as stated you need to ensure this route is propogated throughout your network or at least to the parts of the network that need access to these servers.

Then on your FWSM

static (inside,outside) 192.168.7.x netmask 255.255.255.255

and add access rules to your existing acl that is on the outside interface eg.

access-list outside_in permit tcp any host 192.168.7.x eq 80

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card