non-continuous wan subnet

f_westerlund
Level 1

Hi,

We are assigned some IPs from our ISP, subnet mask /27. Actually 217.x.187.194-198 and from 217.x.187.203-213. The IPs between are given to someone else. This should be 30 available hosts. GW 217.x.187.193

I will use the range 217.x.187.194-198 for my internal networks.

Question. Will there be a problem not having the entire full subnet, or is this possible on the ASA 5505? Or should I ask for a complete range?

Also, is there any possibility to do static NAT through the ASA and allow all traffic from IP 217.x.187.196 to another router on the inside? This router belongs to another company who needs to regularly open and close ports through to their company. We do not want to give out access to the ASA.

Br
Fredrik

4 Replies

Jouni Forss
VIP Alumni

Hi,


If we are strictly talking about having the 2 subnets on the WAN interface of the ASA then that is no problem at all. Though you have to consider the fact that the ASA cannot have 2 different subnets configured on a single interface (in your case a VLAN interface). But there is a way to implement that: the second subnet just is not configured under any interface. The subnet and/or its IP addresses are only present on the ASA in its NAT configurations.


There are 2 ways you can handle this with your ISP:

  1. You can configure the other subnet between your ASA and the ISP router and request the ISP to route the second subnet towards your ASA's WAN interface IP address (that belongs to the first subnet).
  2. You can configure the other subnet between your ASA and the ISP, and the ISP can configure both of the subnets on their link towards the ASA. Even though the second subnet is not configured on your ASA's WAN interface, you are able to configure NAT using the second subnet's IP addresses on the ASA. In this case, when traffic is incoming to the second subnet from the Internet, the ISP router will send ARP requests for the second subnet's IP addresses (as the ISP has the subnet as directly connected) and the ASA will respond to those ARP requests with its WAN interface MAC address IF there is a NAT configuration present. You will also have to make sure that the ASA is configured to answer ARP requests on the WAN interface. If you were to go with this option then let us know the software the ASA is running and we can confirm what commands you need enabled/disabled.


To avoid any ARP related problems and other problems I would suggest that you ask the ISP to route the second subnet towards the ASA WAN IP address. Much simpler that way.


Now you mention that you want to do a static NAT on the ASA for the internal router? This should be no problem, and there should not be any problem allowing all traffic to the internal host when it has the static NAT configured.


Since you have 2 public subnets you also have the option to configure the second public subnet directly on the internal interface of the ASA, and the other company can use the public IP address directly on their router. Naturally configuring this second subnet on the ASA might waste some public IP addresses (since you need one for the gateway etc.) but it completely depends on your setup.


Hope I made any sense :) Feel free to ask more if needed.


- Jouni

Thanks for the fast answer.


Actually it's the same subnet, 217.x.187.192/27; only the ISP gave us the first IPs (194-198), then maybe 1 year later the other ones (203-213). The other IPs in the range the ISP has given to someone else.

/Fredrik


Hi,


Guess I was reading a bit too fast and misunderstood the situation a bit. Sorry about that :)


So am I correct to assume that you would now have at your disposal the 217.x.187.192/29 range (192 - 199)? I assume you mean this as you specify .193 used for the GW and .194 - .198 being the usable IP addresses from that range.


I guess in that situation I would use the subnet 217.x.187.192/29 between the ISP and the ASA and would have the ISP route all the rest of the IP addresses free from the /27 subnet towards the ASA WAN IP address.


Naturally it would be ideal to have either a single subnet or several subnets so there is no need for anything special, though in this case the complexity is on the ISP side. You should be able to utilize the /29 subnet and all the IP addresses that the ISP has routed towards your ASA.


- Jouni
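The addressing plan Jouni arrives at above (a /29 on the ASA WAN link, the later addresses routed to the ASA WAN IP) can be checked before calling the ISP. This is an added example, not code from the thread; the hidden octet written as "x" in the posts is a constructed placeholder 0 here.

```python
import ipaddress

# Constructed sample values mirroring the thread; "x" stands in as 0.
ISP_BLOCK = ipaddress.ip_network("217.0.187.192/27")
GATEWAY = ipaddress.ip_address("217.0.187.193")
FIRST_RANGE = ("217.0.187.194", "217.0.187.198")   # first assignment, on the ASA WAN link
SECOND_RANGE = ("217.0.187.203", "217.0.187.213")  # later assignment, not contiguous


def link_subnet(gateway, first_ip, last_ip):
    """Smallest CIDR subnet holding the gateway and the first range.

    This is the subnet that actually goes on the ASA outside (WAN) interface.
    Grow the prefix from /32 on the gateway until the whole set fits.
    """
    addrs = [ipaddress.ip_address(first_ip), ipaddress.ip_address(last_ip), gateway]
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{gateway}/{prefix}", strict=False)
        if all(a in net for a in addrs):
            return net
    raise ValueError("no containing subnet")  # unreachable for IPv4


def usable_on_link(net, gateway):
    """Host addresses the ASA may use on the link: hosts minus the gateway."""
    return [str(h) for h in net.hosts() if h != gateway]


def routed_prefixes(first_ip, last_ip):
    """Prefixes the ISP would have to route towards the ASA WAN IP for the
    non-contiguous second range (the 'route it to us' option in the thread)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first_ip), ipaddress.ip_address(last_ip))]


def plan_is_consistent(link, routed):
    """Sanity check: everything sits inside the ISP /27 and the routed
    prefixes do not overlap the subnet configured on the WAN interface."""
    routed_nets = [ipaddress.ip_network(p) for p in routed]
    inside = link.subnet_of(ISP_BLOCK) and all(n.subnet_of(ISP_BLOCK) for n in routed_nets)
    disjoint = not any(n.overlaps(link) for n in routed_nets)
    return inside and disjoint


if __name__ == "__main__":
    link = link_subnet(GATEWAY, *FIRST_RANGE)
    routed = routed_prefixes(*SECOND_RANGE)
    print("WAN interface subnet:", link)            # 217.0.187.192/29
    print("usable on link:", usable_on_link(link, GATEWAY))
    print("ask ISP to route:", routed)
    print("consistent:", plan_is_consistent(link, routed))
```

The second range summarises to four prefixes rather than one, which is why a single static route on the ISP side is not enough and the ISP must route each piece (or host routes) towards the ASA.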

Yes, you assume correctly.

I will call the ISP right now and make sure this is doable. 

A single subnet would be best. But if this is doable then we do not need to change IPs. We have a lot of connections to inside systems.

Thanks
/Fredrik
