Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2305
Views
5
Helpful
4
Replies

Multiple WAN subnets on ASA 5516

Go to solution
douglas.shupe
Level 1
Level 1

‎03-10-2017 07:52 AM - edited ‎03-12-2019 02:02 AM

We are upgrading our ISP link to a VRRP connection and in doing so they needed two of our public IP addresses.  Due to this change they have provided two public subnets that they are providing via one handoff.  My question is how do I set this up on my side so that I can utilize the new subnet for 1:1 NAT.  Would I just create a sub interface on the 'outside' interface?  I would normally think so and they would just route the information to our subnet, but they gave me a separate gateway to use.  Please see information below.

Current Subnet:

111.111.111.240/28

111.111.111.241:Gateway

New Subnet:

222.222.222.136/29

222.222.222.137:Gateway

Interface configuration and route information:

nameif outside
security-level 0
ip address 111.111.111.242 255.255.255.240

route outside 0.0.0.0 0.0.0.0 111.111.111.241

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-10-2017 08:42 AM

Normally they would simply route the new subnet to your existing outside interface. If they did that then you don't need to do anything other than just create NAT statements.

However if they have given you another gateway then it sounds like they are using secondary IP addressing at their end. So instead of routing the traffic their router will arp for any of the new IPs instead.

You still do not need to assign an IP from the new range to any interface but you do need to make sure you have arp for non connected networks allowed on your ASA ie.

"permit arp non-connected"

it may or may not be enabled depending on your software version.

It is worth checking with your ISP to find out exactly what they are doing.

Jon

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-10-2017 08:42 AM

Normally they would simply route the new subnet to your existing outside interface. If they did that then you don't need to do anything other than just create NAT statements.

However if they have given you another gateway then it sounds like they are using secondary IP addressing at their end. So instead of routing the traffic their router will arp for any of the new IPs instead.

You still do not need to assign an IP from the new range to any interface but you do need to make sure you have arp for non connected networks allowed on your ASA ie.

"permit arp non-connected"

it may or may not be enabled depending on your software version.

It is worth checking with your ISP to find out exactly what they are doing.

Jon

0 Helpful

Go to solution
douglas.shupe
Level 1
Level 1
In response to Jon Marshall

‎03-10-2017 08:42 AM

Thanks for the confirmation Jon.  After posting I reached out to the ISP to check with them and they are indeed routing the new subnet to the existing one.  That being said I don't even have to add it as a sub interface correct?  Since they are handling the routing on their end.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to douglas.shupe

‎03-10-2017 11:27 AM

No you don't need to assign any interface an IP from that range, you can just use the new IPs in your NAT statements.

If they are definitely just routing it to your existing outside interface IP then you don't need to worry about the "permit arp non-connected" bit either.

Jon

0 Helpful

Go to solution
ashwanik2008
Level 1
Level 1
In response to Jon Marshall

‎09-16-2021 07:07 AM

Thanks Jon for a great post. In my setup, ISP is routing to the existing outside interface IP of the FW and I`m able to use New range for the NAT statements.

 

My question is, will I be able to use New range for NAT`ing AnyConnect VPN users which connect to the Outside Interface IP from the Existing Range ?

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card