Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5394
Views
1
Helpful
2
Replies

How to Configure Secondary IP on inside interface of ASA 5520

pravin.naidu
Level 1
Level 1

‎11-25-2012 10:56 PM - edited ‎03-11-2019 05:27 PM

Hi, We already have a subnet defined to inside interface and is in produciton. the default gateway is this interface ip. In that setup now I have to add one more subnet and as the first subnet is been defined in ASA indside interface, I have to assign secondary Ip to the inside interface so that new subnet users can easily reach here and go outside.

MY ASA is not internet facing but is facing my private MPLS cloud.

Kindly advice

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎11-25-2012 11:59 PM

Hi,

I have run into situation where this would have been usefull but I have always gone with a different setup and not configured any secondary networks under one interface.

If you are indeed configuring another subnet under the same LAN interface I guess you can do it a few commands. I'm not sure if theres been some changes to the ASA software that might cause problems.

To my understanding the configuration used to be like this

  • Existing subnet: 192.168.1.0/24
  • ASA Interface IP: 192.168.1.1

  • New subnet: 192.168.2.0/24
  • ASA Interface IP: 192.168.2.1

Commands

  • arp inside 192.168.2.1 1234.5678.90ab alias
  • route inside 192.168.2.0 255.255.255.0 192.168.1.1
  • same-security-traffic permit intra-interface

I would expect this has limitations but I can't say for sure as I have never resorted to it myself. It might not even work anymore depending on your software. I would suggest looking at the whole network setup, perhaps handling this with a real router instead of ASA. Perhaps configuring a Trunk between ASA and some LAN Switch and creating a separate ASA interface for both subnets.

But this is just my personal suggestion. I always try to keep things simple and avoid special setups. In the long run you might either be causing a bigger headache for yourself or just end up doing the change which would have been best in the first place

- Jouni

f.renault
Level 1
Level 1
In response to Jouni Forss

‎04-19-2016 06:13 AM

IOS 9.2(3)4

Invalid next hop address 192.168.1.1, it matches our IP address.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card