Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
995
Views
0
Helpful
2
Replies

Multiple Global IP address range on ASA outside i/f

jeff_green
Level 1
Level 1

‎03-18-2011 09:52 AM - edited ‎03-11-2019 01:09 PM

Got an ASA5520 running V8.2(3) and we want to upgrade our internet bandwidth. Our ISP says OK but we need to install different physical circuit,

upgrade CPE router, etc.

Then they say, btw your globally allocated IPs will change - this is a problem as we have Site-to-Site VPN Tunnels, IPSEC RA, etc.

ISP are proposing to give us a 3 month period whereby old & new IP blocks will be routed to our ASA (by means of secondary IP

address on their Cisco CPE).

Multiple IPs on the same physical i/f on the ASA require sub-interfaces/IP Addresses/VLAN ids on my "outside" i/f.

Is this going to horiibly break Site-to-Site VPN Tunnesl, IPSEC remote access ?

Will VLANs work at all with IPSEC on the "oustide" i/f at all ?

Anybody have any experiences in doing this sort of thing ?

                Many Thanks,

Labels:
0 Helpful
2 Replies 2

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎03-18-2011 10:16 AM

Hi,

If you're going to change the IP shceme on the ASA outside interface, just need to provide the new IP to the Site-to-Site VPNs and RAs VPNs.

If they change the peer IP to the new one instead than the current one there should be minimal problems during transition.

You can still use your current public IPs because the ASA can still NAT using the old IPs (even if having a new IP assigned to the outside) because the ISP will continue to route to the ASA the old IPs.

Hope it helps.


Federico.

0 Helpful

Yudong Wu
Level 7
Level 7

‎03-18-2011 10:30 AM

It doesn't matter if you use subinterface with VLAN as your outside interface. As long as you have IP connectivity, your VPN should work fine.

I think the CPE router might need configure the interface which is facing to ASA as subinterface with same VLAN as well instead of using secondary interface.

How your CPE router is connected to ASA? Via a switch or connected back to back directly?

If both sides can configure subinterface with vlan,  you just need to make sure both side use the same vlan tag, for example, vlan 10 for old public IP on both sides and vlan 20 for the new IP on both sides.

If ISP don't want to use subinterface and you have a switch between CPE router and ASA, you can use the other physical interface instead of subinterface for the new IP. On switch, all 3 ports ( 2 to ASA and 1 to CPE) should be in the same vlan.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card