Overlapping address range on multple interfaces (upgraded to 9.x)

paveldudaibm (Level 1)

I'm testing an upgrade of one of the older boxes from 8.4(7) to 9.1(7) and I'm trying to fix an overlapping address range on multiple interfaces.

I have one public IP range assigned to the outside interface and I have split this range into two separate VLANs available inside, as seen in the example below (I have just replaced the public IPs with a private range).

This setup works fine on 8.4; however, on 9.1 it complains about an overlapping network. What is the best way to resolve this? Machines on the internal network are using public IPs and I would like to keep the internal ranges intact so I do not have to rewrite the ACLs completely.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.84.130 255.255.255.128
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz1
 security-level 40
 ip address 192.168.84.193 255.255.255.192
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz2
 security-level 50
 ip address 192.168.84.161 255.255.255.224

I would be very surprised if this exact config works on the 8.4 version. You are subnetting incorrectly.

You should have the 255.255.255.224 subnet on all the interfaces. Currently your subnets look like this:

192.168.84.128 - 192.168.84.255 (host addresses 192.168.84.129 - 192.168.84.254)
192.168.84.192 - 192.168.84.255 (host addresses 192.168.84.193 - 192.168.84.254)
192.168.84.160 - 192.168.84.191 (host addresses 192.168.84.161 - 192.168.84.190)

If you subnet to 255.255.255.224 on all subnets (that is a /27) then your subnets should look like the following:

192.168.84.128 - 192.168.84.159 (host addresses 192.168.84.129 - 192.168.84.158)
192.168.84.160 - 192.168.84.191 (host addresses 192.168.84.161 - 192.168.84.190)
192.168.84.192 - 192.168.84.223 (host addresses 192.168.84.193 - 192.168.84.222)

--

Please remember to select a correct answer and rate helpful posts


This configuration works fine on 8.4. It is a configuration inherited/migrated over the years, starting on some 7.x. Of course the NAT rules have been overwritten in the past during the migration from 8.2 to 8.4.

They need fewer IPs in the DMZ2 zone, that's why that zone has a /27, and DMZ1 needed more addresses over time, hence the /26. Is usage of VLSM not recommended on ASA firewalls for some reason?

VLSM in general is okay, but you should route the addresses with a transit network between the ISP and ASA.

Just checked it on one of the ASAs I have running 8.4 and you are correct that it accepted overlapping subnets (using different subnet-masks) on different interfaces.  

My only explanation for this is that the 9.1 version is smarter than the 8.4 and detects overlapping subnets even when the subnet-mask is not the same.  Overlapping subnets can cause routing issues.

--

Please remember to select a correct answer and rate helpful posts
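The two replies above make the same point from different angles: the first lists the address ranges each mask actually produces, and the second observes that 9.1 catches overlaps even when the masks differ. The script below is an added example (not from the original thread or from Cisco) that reproduces that check offline: it parses the interface stanzas from the question (the private-range version the poster gave, embedded here as constructed sample input), computes each interface's network and host range with Python's standard `ipaddress` module, flags every pair of interfaces whose networks overlap, and then re-masks every interface to a /27 as the first reply suggests to confirm the overlap disappears. The parser only understands `interface`, `nameif` and `ip address` lines; that is an assumption adequate for this snippet, not a general ASA config parser.

```python
import ipaddress
from itertools import combinations

# Constructed sample input: the interface stanzas from the question, with the
# public range replaced by private addresses as the poster did.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.84.130 255.255.255.128
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz1
 security-level 40
 ip address 192.168.84.193 255.255.255.192
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz2
 security-level 50
 ip address 192.168.84.161 255.255.255.224
"""


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every named interface that has an address.

    Assumption: only 'interface', 'nameif' and 'ip address <ip> <mask>' lines
    matter; a trailing 'standby' address on the ip address line is ignored.
    """
    interfaces = {}
    nameif = addr = None
    # A sentinel 'interface' line flushes the last stanza.
    for raw in config.splitlines() + ["interface END"]:
        line = raw.strip()
        if line.startswith("interface "):
            if nameif and addr:
                interfaces[nameif] = addr
            nameif = addr = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address "):
            parts = line.split()
            # ipaddress accepts a dotted netmask after the slash for IPv4.
            addr = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return interfaces


def host_range(network):
    """First and last usable host address of a network, as strings."""
    hosts = list(network.hosts())
    return str(hosts[0]), str(hosts[-1])


def find_overlaps(interfaces):
    """Pairwise overlap check, independent of whether the masks are equal.

    Returns a sorted list of (nameif_a, nameif_b) pairs whose networks share
    any address; an empty list means the plan is consistent.
    """
    overlaps = []
    for (name_a, if_a), (name_b, if_b) in combinations(sorted(interfaces.items()), 2):
        if if_a.network.overlaps(if_b.network):
            overlaps.append((name_a, name_b))
    return overlaps


def remask(interfaces, prefixlen):
    """Keep each interface address but apply one common prefix length.

    This models the first reply's suggestion (a /27 everywhere); whether the
    resulting networks still fit the hosts behind each interface is a
    separate planning question.
    """
    return {
        name: ipaddress.IPv4Interface(f"{iface.ip}/{prefixlen}")
        for name, iface in interfaces.items()
    }


if __name__ == "__main__":
    current = parse_interfaces(ASA_CONFIG)
    for name, iface in sorted(current.items()):
        lo, hi = host_range(iface.network)
        print(f"{name:8} {str(iface.network):22} hosts {lo} - {hi}")
    print("overlapping pairs as configured:", find_overlaps(current))

    fixed = remask(current, 27)
    for name, iface in sorted(fixed.items()):
        lo, hi = host_range(iface.network)
        print(f"{name:8} {str(iface.network):22} hosts {lo} - {hi}")
    print("overlapping pairs with /27 everywhere:", find_overlaps(fixed))
```

Running it lists the three ranges exactly as the first reply tabulates them, reports that both DMZ networks sit inside the outside /25, and shows that with a /27 on every interface the three networks are disjoint. The same `find_overlaps` check can be run against any exported configuration before an upgrade, so the overlap is found in a change window rather than by the 9.x parser rejecting the config.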
