Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
442
Views
0
Helpful
1
Replies

Multiple IP's on an ASA

routercpu
Level 1
Level 1

‎04-10-2016 01:19 PM - edited ‎03-12-2019 12:36 AM

I have a couple of questions about configuring an ASA with multiple public IP's and sending traffic in and out of the same interface.  We have two ARIN public IP blocks assigned to us.  They are both advertised through BGP on our frontend routers.  Our ASA's, in our current configuration we have a set of Main ASA's and DMZ ASA's, have a public IP assigned to their outside interfaces from one of the ARIN IP blocks.  The other IP block is routed to the ASA's IP by our routers.  So, for example, 10.1.1.0/24 and 11.1.1.0/24 are the two ARIN IP blocks.  The outside interfaces of both sets of ASA's are assigned an IP from the 10.1.1.0/24 block.  The 11.1.1.0/24 block is routed to the 10.1.1.x IP of the ASA's.  Also, with this configuration, our internal hosts behind the Main ASA's can connect to the internal hosts behind the DMZ ASA's using the public IP's and vice versa.  Attached is a diagram of our current configuration.

This summer, we will be changing this configuration and that is where I have my questions.  We are eliminating the set of DMZ ASA's and only want to use the set of Main ASA's.  So, one issue that arises is that Host 1 will no longer be able to connect to Host 2 because they will be behind the same ASA.  As I understand it, by design, traffic is not allowed to leave and come back in the same ASA interface.  So, I am trying to determine the best way to make this new configuration work.  My first thought is to configure a second outside interface on the ASA and assign a 10.1.1.x IP to one outside interface and a 11.1.1.x IP to the second outside interface.  This will allow Host 1, who has a 10.1.1.x IP, to connect to Host 2, who has a 11.1.1.x IP and vice versa.  But are there any different ways to accomplish this configuration without using a second interface with a separate IP?  Can EtherChannel or trunk ports be used and still handle the two IP blocks and the host connectivity out and back in?  Can subinterfaces be used and still handle the two IP blocks and the host connectivity out and back in?  Other options?

Labels:
Preview file
32 KB
0 Helpful
1 Reply 1

Philip D'Ath
VIP Alumni
VIP Alumni

‎04-11-2016 12:07 AM

Why not get rid of NAT, and put the public IP addresses directly on the hosts?

That would make everything considerably more simple.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card