09-05-2019 01:51 AM - edited 02-21-2020 09:27 AM
Hi! We just bought a Cisco 5516-X with FTD preinstalled on the device. We already have a router/firewall from another vendor and want to replace it with an NGFW from Cisco.
I started configuring the outside interface and noticed that the ASA doesn't support multiple IPs from the same subnet on one physical network interface or in subinterfaces.
Our environment is a subnet provided by our ISP: XXX.XX.37.48/29, the GW is XXX.XX.37.49 and our IPs are XXX.XX.37.50-54.
We want to use at least two IPs from this list to NAT traffic to two different Exchange MX servers, which are both located in our local network. In our DNS mail records, we have two MX records. We don't want to completely change our internal infrastructure, if possible of course. I would appreciate a useful link to a technology that can help us deal with this.
09-05-2019 03:16 AM
You don't need something like secondary IPs in your scenario. Just configure the FTD with one IP; this will later be used for terminating VPNs and such.
For the public IPs that will be used for NAT, you only have to configure NAT rules and allow this traffic in the access control policy.
09-05-2019 03:24 AM
You don't have to worry about the two subnets. When you create a NAT entry, it will take care of the second subnet/IP that you want to use. Make sure your ISP sends the traffic to your ASA's OUTSIDE interface's IP.
You do need to configure an access list to allow traffic in.
For reference.
https://community.cisco.com/t5/firewalls/multiple-wan-subnets-on-asa-5516/td-p/3039350
Bhaggu.
09-05-2019 04:06 AM
Thank you for your fast answers!
But how can I be sure that "the ISP sends the traffic to your ASA's OUTSIDE interface's IP"? I think it is impossible if the outside interface's IP is not the router's IP that routes traffic to my subnet (XXX.XX.37.48/29), and in this case we need to route our subnet ourselves, using our device.
Also, we have a configuration which was shared by our ISP:
atn3-140:
interface GigabitEthernet0/2/20.XXX
 vlan-type dot1q XXX
 description
 mtu 9500
 ip binding vpn-instance internet
 ip address XXX.XX.2.229 255.255.255.252
 ip address XXX.XX.37.49 255.255.255.248 sub
 statistic enable
 loop-detect enable
 qos-profile uni-102400K inbound
 qos-profile uni-102400K outbound
 trust upstream not_6_7
Is that enough?
Also, I just read the link you provided, and I think I need to ask my ISP to do it, or suggest any other ways to implement it.
09-05-2019 04:34 AM
Your existing Firewall/Router has an IP XXX.XX.2.229 255.255.255.252, to which the ISP is sending traffic for the XXX.XX.37.49 255.255.255.248 subnet.
So you have to configure that IP on the ASA's OUTSIDE interface if you are replacing the existing one.
I hope you got this. Do let me know if you need any further assistance.
Bhaggu.
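The setup the replies describe (one address on the outside interface, the other public addresses used only as static NAT mappings for the two MX servers, and an inbound rule limited to SMTP), as an added ASA-syntax example that is not from the original thread; all addresses are constructed stand-ins (203.0.113.48/29 for the ISP's /29, 192.168.10.0/24 for the inside network), and on FTD the same objects and rules are built in the management center rather than typed at this CLI.

```cisco
! Added example, constructed addresses: 203.0.113.48/29 stands in for the ISP /29,
! 203.0.113.49 for the ISP gateway, 192.168.10.0/24 for the inside LAN.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.50 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Default route points at the ISP gateway, which sits on the same /29.
route outside 0.0.0.0 0.0.0.0 203.0.113.49 1
!
! One network object per internal MX host. The static NAT maps each host
! to an unused address from the /29; the firewall answers ARP for the
! mapped addresses itself, so nothing extra is needed on the ISP side.
object network MX1-inside
 host 192.168.10.11
 nat (inside,outside) static 203.0.113.51
object network MX2-inside
 host 192.168.10.12
 nat (inside,outside) static 203.0.113.52
!
! Inbound access list: only SMTP to the two MX hosts. Since ASA 8.3 the
! access list matches the real (inside) addresses, hence the object-group.
object-group network MX-servers
 network-object object MX1-inside
 network-object object MX2-inside
access-list OUTSIDE-IN extended permit tcp any object-group MX-servers eq smtp
access-group OUTSIDE-IN in interface outside
```

Verify the translation with `show nat detail` and simulate an inbound delivery with `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.51 25` (198.51.100.7 is a constructed sender address); the trace should show the NAT phase rewriting the destination to 192.168.10.11 and the ACL phase permitting it.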