Multiple External IP Addresses

Stacey Hummer
Level 1

Very new to ASA so please forgive me if this is right out to lunch.

 

We are upgrading from a Juniper box to an ASA 5525-X. We have numerous non-sequential external IP addresses that each have their reasons for being there. I can configure a single address on the external interface, but I cannot configure either multiple external interfaces or, from what I can tell, a range of IP addresses on an interface. This is probably an easy answer and has something to do with NAT or something; I am just running out of time to get this implemented.

 

Any help would be really appreciated.

 

 


Jon Marshall
Hall of Fame

Stacey

It is as you say to do with NAT.

The ASA only needs one outside interface with one IP address.

With multiple public blocks, if the public IP block that is used for the addressing between the ASA and the ISP router has spare IPs, then you use them in your NAT statements, and the ASA will use proxy ARP and respond with its outside interface MAC address to the ISP router when it requests the MAC address for any of those IPs.

For any other public blocks in use, the common thing is to have the ISP add a route for that block pointing to the outside interface IP of your ASA. The ASA doesn't need to use proxy ARP for these, as they are routed directly to it.

You then just configure NAT statements again.

Just one quick question:

There are no devices between your ASA outside and the ISP inside that use any of these public IPs, are there?

Jon

There is a 2960 switch for distribution, but it's not configured other than base info on it.

That should be okay then.

I just wanted to make sure that you didn't have any devices, e.g. VPN devices, servers, etc., that were using any public IPs from the block that is not assigned to the physical interface.

If you were, then adding a route to the ISP router for that block pointing to your ASA doesn't really work, and you would have to have the ISP router with an interface in that block as well and use proxy ARP again on the ASA for any IPs in the block it was responsible for.

The ASA would still only have just an outside interface.

And if that was the case, dependent on your version of code, it might not be supported, or more likely you would need to modify the configuration.

But it sounds like you don't, and all devices you want to do NAT for are either connected to other interfaces on the ASA or within your internal network, so you should be fine.

Jon
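
The two cases described in the replies above (a spare address from the ASA-to-ISP subnet answered by proxy ARP, and a separate public block that the ISP routes to the ASA), as an added configuration sketch that is not part of the original thread. It assumes ASA 8.3 or later object NAT syntax; every address (documentation ranges), interface number, object name and ACL name below is constructed for illustration.

```cisco
! Constructed example: one outside interface, one outside IP.
! 203.0.113.0/29 is the assumed ASA-to-ISP subnet (ISP router = .1, ASA = .2).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Case 1: spare IP from the same block as the outside interface.
! The ISP router ARPs for 203.0.113.3 and the ASA answers with its
! own outside MAC address (proxy ARP); no extra interface is needed.
object network WEB-SRV
 host 10.10.10.10
 nat (inside,outside) static 203.0.113.3
!
! Case 2: IP from a different public block (assumed 198.51.100.8/29).
! The ISP must route this block to 203.0.113.2; traffic then arrives
! routed, so proxy ARP plays no part for these addresses.
object network MAIL-SRV
 host 10.10.10.20
 nat (inside,outside) static 198.51.100.10
!
! A NAT statement alone does not admit inbound traffic. Permit only the
! services each host publishes; from 8.3 on, the ACL matches the real
! (inside) address, which is why the objects are referenced here.
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq 443
access-list OUTSIDE-IN extended permit tcp any object MAIL-SRV eq 25
access-group OUTSIDE-IN in interface outside
```

After applying a configuration like this, `show nat detail` and `show xlate` list the resulting translations. The second mapping only receives traffic once the ISP-side route for its block is in place.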
