Multiple external IP subnet on ASA5505

danny.williams
Level 1

Hi

I have a need to configure a Cisco ASA5505 to support multiple external (public) IP subnets and then translate certain ports to internal services (443, 80 etc). Currently the firewall is set up with an external range and is working fine, however the service provider has now routed an additional new range to one of the existing IPs. For example (using private IPs):

External interface IP = 192.168.0.1/24, with static route to 192.168.0.254/24 for all outbound traffic (ISP gateway).

New subnet of 10.0.0.0/24 being routed to 192.168.0.1

The service provider has assured me that this configuration is possible and that the device on 192.168.0.1 should be able to listen for the 10.0.0.0/24 range on the outside adaptor. Unfortunately they are a Juniper house and don't have the expertise to explain to me the config required.

The feed is supplied on a single CAT5 network connection into a switch and I have read some Cisco docs on enabling a second 'outside' and adding it to the external VLAN, but the example provided is based on a second separate feed into the firewall and not a routed subnet to the existing feed.

Any help on the config would be much appreciated.

Dan

Accepted Solutions

Jennifer Halim
Cisco Employee

There is no need to configure another external interface on the ASA.

All the ISP needs is to route the new range of 10.0.0.0/24 towards the ASA outside interface (192.168.0.1), and you can start using that new IP range for NATing. ASA will proxy ARP for the new IP range as well.

Example:

If you are going to NAT an internal host on the inside interface (172.16.1.1) to the new range of IP, i.e. to 10.0.0.1, then all you need is to configure the static translation:

static (inside,outside) 10.0.0.1 172.16.1.1 netmask 255.255.255.255

Hope that helps.
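
An added example, not part of the original reply or of Cisco's documentation: because the question is about publishing only specific ports (443, 80), this uses the port-specific (static PAT) form of the same pre-8.3 `static` command on an address from the new routed range, with an outside ACL that permits just those ports. The ACL name OUTSIDE_IN, the second internal host 172.16.1.2 and the test source 203.0.113.10 are assumptions; the other addresses are the thread's placeholder ranges.

```cisco
! Added example; addresses follow the thread's placeholder ranges.
! Static PAT: publish only TCP/443 and TCP/80 on 10.0.0.1 (new routed range).
static (inside,outside) tcp 10.0.0.1 443 172.16.1.1 443 netmask 255.255.255.255
! 172.16.1.2 is an assumed second internal host serving HTTP.
static (inside,outside) tcp 10.0.0.1 80 172.16.1.2 80 netmask 255.255.255.255
!
! With this pre-8.3 syntax the outside ACL matches the mapped (public) address.
! Inbound traffic from outside is denied unless an ACL entry permits it.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.1 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.1 eq 80
! Only one ACL can be bound per interface and direction: if the outside
! interface already has one, add the two entries to it instead of rebinding.
access-group OUTSIDE_IN in interface outside
!
! Verification: translations present, ACL hit counts, and simulated flows.
show xlate
show access-list OUTSIDE_IN
! Expected to be allowed (published port):
packet-tracer input outside tcp 203.0.113.10 12345 10.0.0.1 443
! Expected to be dropped (port not published, implicit deny):
packet-tracer input outside tcp 203.0.113.10 12345 10.0.0.1 22
```

Compared with the one-to-one `static` above, the port-specific form translates only the listed ports, so a later over-broad ACL entry for 10.0.0.1 does not expose other services on the internal host.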

2 Replies

Thanks very much for the prompt reply.

Your answer ties in with what the ISP suggested would work, so sounds like the answer.

Regards

Dan
