Beginner

Multiple WAN subnets on ASA 5516

We are upgrading our ISP link to a VRRP connection and in doing so they needed two of our public IP addresses.  Due to this change they have provided two public subnets that they are providing via one handoff.  My question is how do I set this up on my side so that I can utilize the new subnet for 1:1 NAT.  Would I just create a sub interface on the 'outside' interface?  I would normally think so and they would just route the information to our subnet, but they gave me a separate gateway to use.  Please see information below.

Current subnet: 111.111.111.240/28 (gateway 111.111.111.241)

New subnet: 222.222.222.136/29 (gateway 222.222.222.137)

Interface configuration and route information:

nameif outside
security-level 0
ip address 111.111.111.242 255.255.255.240

route outside 0.0.0.0 0.0.0.0 111.111.111.241

Accepted solution
Hall of Fame Guru

Normally they would simply route the new subnet to your existing outside interface. If they did that then you don't need to do anything other than just create NAT statements.

However, if they have given you another gateway then it sounds like they are using secondary IP addressing at their end. So instead of routing the traffic, their router will ARP for any of the new IPs.

You still do not need to assign an IP from the new range to any interface, but you do need to make sure you have ARP for non-connected networks allowed on your ASA, i.e.

"permit arp non-connected"

it may or may not be enabled depending on your software version.

It is worth checking with your ISP to find out exactly what they are doing.

Jon

Replies
Beginner

Thanks for the confirmation, Jon. After posting I reached out to the ISP to check with them, and they are indeed routing the new subnet to the existing one. That being said, I don't even have to add it as a sub-interface, correct? Since they are handling the routing on their end.

Hall of Fame Guru

No, you don't need to assign any interface an IP from that range; you can just use the new IPs in your NAT statements.

If they are definitely just routing it to your existing outside interface IP then you don't need to worry about the "permit arp non-connected" bit either.

Jon
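As an added example (not from this thread and not Cisco's code), the check behind Jon's accepted answer and his last reply, automated: a small Python audit that reads an ASA running-config, finds every object-NAT static mapping, and reports whether each mapped address lies inside the connected subnet of the interface it is mapped on. An off-link mapped address such as one from the new 222.222.222.136/29 block only works if the ISP routes that block to the outside interface address (the poster's case) or the ASA is allowed to answer ARP for it; the ASA keyword for the latter is `arp permit-nonconnected` (the setting Jon refers to as "permit arp non-connected"). The embedded config, interface names and object names are constructed for the example; the config also shows the object-NAT form in which the new addresses are used without being assigned to any interface.

```python
"""Audit ASA static NAT mapped addresses against the connected subnet of the
interface they are mapped on, to decide whether `arp permit-nonconnected`
(or an upstream route to the interface address) is required.

Stand-alone example; parses a constructed running-config, not live output.
"""
import ipaddress
import re

# Constructed sample config modelled on the thread: the outside interface keeps
# its 111.111.111.240/28 address, and the new 222.222.222.136/29 range appears
# only as mapped addresses in object NAT. Object and host names are hypothetical.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 111.111.111.242 255.255.255.240
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
object network WEB-SRV-OLD
 host 10.0.0.10
 nat (inside,outside) static 111.111.111.243
object network WEB-SRV-NEW
 host 10.0.0.20
 nat (inside,outside) static 222.222.222.138
object network MAIL-SRV-NEW
 host 10.0.0.21
 nat (inside,outside) static 222.222.222.139
!
route outside 0.0.0.0 0.0.0.0 111.111.111.241 1
"""

# Object NAT rule of the form `nat (real,mapped) static A.B.C.D`
NAT_RE = re.compile(r"^\s*nat \((\S+),(\S+)\) static (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every interface that has both a
    nameif and an ip address line."""
    ifaces = {}
    current = {}
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {}
        elif line.startswith(" nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith(" ip address "):
            _, _, ip, mask = line.split()[:4]
            current["addr"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if "nameif" in current and "addr" in current:
            ifaces[current["nameif"]] = current["addr"]
    return ifaces


def parse_static_nats(config):
    """Return [(object_name, real_if, mapped_if, mapped_ip)] for object NAT."""
    nats, obj = [], None
    for line in config.splitlines():
        if line.startswith("object network "):
            obj = line.split()[2]
            continue
        m = NAT_RE.match(line)
        if m and obj:
            nats.append((obj, m.group(1), m.group(2), ipaddress.IPv4Address(m.group(3))))
    return nats


def audit_mapped_addresses(config):
    """For each static NAT, report whether the mapped address is on-link for its
    mapped interface and whether this ASA will answer ARP for it.

    On-link mapped addresses get proxy ARP by default. Off-link ones are only
    answered when `arp permit-nonconnected` is configured; without it the
    upstream must route the block to the interface address instead."""
    ifaces = parse_interfaces(config)
    config_lines = {ln.strip() for ln in config.splitlines()}
    arp_nonconnected = "arp permit-nonconnected" in config_lines
    findings = []
    for obj, real_if, mapped_if, mapped_ip in parse_static_nats(config):
        iface = ifaces.get(mapped_if)
        on_link = iface is not None and mapped_ip in iface.network
        answers_arp = on_link or arp_nonconnected
        findings.append({
            "object": obj,
            "real_if": real_if,
            "mapped_if": mapped_if,
            "mapped_ip": str(mapped_ip),
            "on_link": on_link,
            "answers_arp": answers_arp,
            # Where the ASA will not answer ARP, this is the interface address
            # the ISP must route the block to (None when nothing is needed).
            "upstream_must_route_to": None if answers_arp or iface is None else str(iface.ip),
        })
    return findings


if __name__ == "__main__":
    for f in audit_mapped_addresses(SAMPLE_CONFIG):
        state = "on-link" if f["on_link"] else "off-link"
        fix = "" if f["answers_arp"] else (
            f" -> ISP must route to {f['upstream_must_route_to']} or add 'arp permit-nonconnected'")
        print(f"{f['object']}: {f['mapped_ip']} via {f['mapped_if']} ({state}){fix}")
```

Point it at a saved `show running-config` instead of `SAMPLE_CONFIG`. The poster's confirmed case (the ISP routes the /29 to 111.111.111.242) is the off-link finding whose `upstream_must_route_to` matches what the ISP is already doing, so no ARP change is needed; the secondary-addressing case Jon describes is the one where the flagged `arp permit-nonconnected` line has to be added, and on releases that predate that keyword the ASA answered those ARPs unconditionally, which is why Jon says it depends on the software version.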