Multiple Subnets Single Interface ASA5508

m01101101
Level 1

Hello,

We're replacing a failed ASA5505 with a 5508 and noticing they're not similar right away.  

The previous ASA had a vlan with 2 subnets configured, then configured the switchports to access members of the vlan.  This was ideal for our servers since it allowed a single ASA to accomplish L2/L3.  

While trying to configure this replacement I see there's no more switchports, so all vlans are configured to each physical interface, but there's also the added negative that there's no option for a secondary subnet.  

Can someone help me figure out how to get 3 servers to share two subnets on a 5508 running 9.4?

Previous config was similar to:

interface vlan 1
 ip address 10.6.6.1 255.255.255.240
 ip address 10.6.5.1 255.255.255.0 secondary
!
int g1/2-4
 switchport mode access
!

5 Replies

Tim Y
Level 1

Hi there,

Is there a reason why you want two subnets on VLAN 1? If everything is all connected to a single ASA, then you could make this work without using a secondary IP address.

For example, let's say you have two servers on 10.6.6.1/28 and one server on 10.6.5.1/24. You could do:

interface redundant1
 member-interface GigabitEthernet1/2
 member-interface GigabitEthernet1/3
 ip address 10.6.6.1 255.255.255.240
 nameif serverint1
 security-level 100
interface redundant2
 member-interface GigabitEthernet1/4
 ip address 10.6.5.1 255.255.255.0
 nameif serverint2
 security-level 100
same-security-traffic permit inter-interface

Then plug in the servers accordingly.

If you otherwise want one Redundant interface that responds to two IP addresses, then it should be possible using proxy-ARP, but that would most likely be unnecessary and a non-recommended Cisco design. It's already not best practice to have two subnets answer to one VLAN.

If you want to learn a little more about how proxy ARP can help you in this situation, you can read the following guide (scroll to the bottom): http://www.internetworkingcareer.com/firewall/configure-nat-asa-firewall/

Regards,

Tim

Thanks,

One thing that confuses me is this "best practice". Not all systems work behind NATs, and even fewer support VLANs.

What's Cisco's "best practice" for a system that needs to share multiple subnets and can't use a NAT?

Also, did this "best practice" change since IOS days? We have plenty of IOS devices that allow secondary subnets on the same VLAN; in fact, there are even configuration options to change the limit of subnets per VLAN.

Not all systems need private broadcast domains, let alone use broadcast.

Hi,

Did the above suggestion with proxy ARP point you in the right direction?

If a system needs to have multiple subnets over one VLAN, then it needs it. I'm not saying there is no basis for doing what you're doing. However if it doesn't have that requirement, then you have other options in case the proxy ARP solution doesn't work for you.

In any case, to maintain your design with a 5505 on the 5508 and without adding any switches, you will have to utilize proxy ARP/NAT to have the one interface respond to both addresses. If anyone else can suggest another way under these circumstances, I'd love to hear it!

Regards,

Tim

I get the proxy ARP suggestion but doesn't that go hand in hand with a NAT?  I still don't see how that allows me to configure multiple subnets on this vlan.

Hmm, not necessarily. You just need one of the gateway IP addresses to respond for the other. To do so you have to create a permanent ARP entry for the second IP to point to the MAC of the configured IP and then route it to that interface.

Try this configuration:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
interface redundant1
 member-interface GigabitEthernet1/2
 member-interface GigabitEthernet1/3
 member-interface GigabitEthernet1/4
 ip address 10.6.6.1 255.255.255.240
 nameif inside
 security-level 100
!

show int r1 (To obtain the MAC of the interface)
E.g. MAC address aaaa.aaaa.aaaa, MTU not set

arp inside 10.6.5.1 aaaa.aaaa.aaaa alias
!
route inside 10.6.5.0 255.255.255.0 10.6.6.1 1

That should work for you. If not, I'd like to hear other suggestions because that's the only way I can think of without adding a switch, changing to a firewall that supports VLANs, or my original suggestion in my first reply of separating the subnets and routing between them.

Regards,

Tim
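The alias-plus-route design in the reply above only works when several separate lines agree with each other: the `arp ... alias` address must be the gateway of the second subnet (not an address inside the interface's own subnet), the static route whose next hop is the ASA's own address must point at a subnet that has such an alias on that interface, and `same-security-traffic permit intra-interface` must be present or traffic hairpinning between the two subnets on `inside` is dropped. The following script is an added example, not code from the thread or from Cisco: it parses the config Tim posted (embedded verbatim, with his placeholder MAC) using only the Python standard library and reports any of those mismatches. The function and variable names are my own.

```python
"""Consistency check for the two-subnets-on-one-interface ASA design.

Added example (not from the thread): parses the config Tim posted, then
checks the pieces that have to agree for the proxy-ARP/alias approach to
work.  Only the standard library is used; the config text is embedded so
the script runs offline.
"""
import ipaddress
import re

# Tim's final config from the thread, embedded verbatim; the MAC is the
# placeholder from his post, not a real address.
THREAD_CONFIG = """\
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
interface redundant1
 member-interface GigabitEthernet1/2
 member-interface GigabitEthernet1/3
 member-interface GigabitEthernet1/4
 ip address 10.6.6.1 255.255.255.240
 nameif inside
 security-level 100
!
arp inside 10.6.5.1 aaaa.aaaa.aaaa alias
!
route inside 10.6.5.0 255.255.255.0 10.6.6.1 1
"""


def parse_asa(config):
    """Extract the parts of an ASA config this check cares about.

    Returns (interfaces, aliases, routes, flags) where
      interfaces: nameif -> IPv4Interface of the primary address
      aliases:    [(nameif, IPv4Address, mac)] from 'arp ... alias' lines
      routes:     [(nameif, IPv4Network, IPv4Address next hop)]
      flags:      keywords seen after 'same-security-traffic permit'
    """
    interfaces, aliases, routes, flags = {}, [], [], set()
    block = None  # attributes collected from the current 'interface' block
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("interface "):
            block = {}
            continue
        if line.startswith(" ") and block is not None:
            parts = line.split()
            if parts[:2] == ["ip", "address"]:
                block["ip"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
            elif parts[0] == "nameif":
                block["nameif"] = parts[1]
            if "ip" in block and "nameif" in block:
                interfaces[block["nameif"]] = block["ip"]
            continue
        block = None  # any unindented line ends the interface block
        m = re.match(r"same-security-traffic permit (\S+)", line)
        if m:
            flags.add(m.group(1))
            continue
        m = re.match(r"arp (\S+) (\S+) (\S+) alias", line)
        if m:
            aliases.append((m.group(1), ipaddress.IPv4Address(m.group(2)), m.group(3)))
            continue
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
            routes.append((m.group(1), net, ipaddress.IPv4Address(m.group(4))))
    return interfaces, aliases, routes, flags


def check_design(config):
    """Return a list of findings; an empty list means the pieces agree."""
    interfaces, aliases, routes, flags = parse_asa(config)
    findings = []
    two_subnet_ifaces = set()  # interfaces that answer for a second gateway
    for nameif, ip, _mac in aliases:
        primary = interfaces.get(nameif)
        if primary is None:
            findings.append(f"arp alias {ip}: no interface named '{nameif}'")
        elif ip in primary.network:
            findings.append(f"arp alias {ip} lies inside {primary.network}; "
                            "it should be the gateway of the other subnet")
        else:
            two_subnet_ifaces.add(nameif)
    for nameif, net, next_hop in routes:
        primary = interfaces.get(nameif)
        if primary is None:
            findings.append(f"route to {net}: no interface named '{nameif}'")
            continue
        if net.overlaps(primary.network):
            findings.append(f"route to {net} overlaps connected {primary.network}")
        # Next hop = the ASA's own address makes it ARP directly for hosts
        # in 'net'; those hosts need a gateway the ASA answers for.
        if next_hop == primary.ip and not any(
                a_if == nameif and a_ip in net for a_if, a_ip, _ in aliases):
            findings.append(f"route to {net} via own address {next_hop}, "
                            f"but no arp alias in {net} on '{nameif}'")
    for nameif in sorted(two_subnet_ifaces):
        if "intra-interface" not in flags:
            findings.append(f"'{nameif}' serves two subnets but "
                            "'same-security-traffic permit intra-interface' "
                            "is missing; traffic between them would be dropped")
    return findings


if __name__ == "__main__":
    for finding in check_design(THREAD_CONFIG) or ["design is consistent"]:
        print(finding)
```

Two things worth keeping in mind when using this. Because traffic between 10.6.6.0/28 and 10.6.5.0/24 hairpins through the ASA on `inside`, it is inspected against the `inside` interface's access list, so the split into two subnets still gives you an enforcement point between the server groups even though they share one interface and one broadcast domain. The checker models `redundant1` only as a routed interface with a `nameif`, which is all the posted config gives it; an ASA redundant interface is an active/standby pair of physical ports, so whether the member ports reproduce the 5505's switching behaviour is outside what this script validates.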
