Routing new additional public IPs on an existing firewall

Mark Cavendish
Level 1

Hi

We have run out of IP addresses on our current subnet and we have been given a new additional IP address subnet range by our ISP.

Reading this paragraph from a post a couple of years ago:

The ISP would simply forward all traffic regarding the new subnet to the ASA's current WAN interface IP address and the ASA would match the destination IP address to an existing NAT you have from the new subnet. Traffic would be forwarded back to the ISP using the current default route on the ASA. No additional default route needs to be added. There would be no need for ARP/Proxy ARP between the ISP gateway and ASA for this new subnet.

I have added a static NAT for the new public IP address to an existing DMZ host and then done a firewall rule to allow it. Based on the above I thought this would then work, or am I missing something else? I can't see any traffic for the new subnet hitting our firewall logs to show the connection is even being denied based on destination or source IPs. However, I can see traffic leaving the system as the new public IP hitting our sister firewall logs on another site whilst trying to surf to a web page to test the routing (but the webpage doesn't display on the source).

I am also trying to triple check with the ISP that they have routed the new subnet to the correct address of our existing firewall, yet would appreciate any other suggestions in the meantime?

Many thanks,

Mark

Accepted Solution

Hi

It sounds like the ISP hasn't done its work with the routing. If you try a traceroute from outside your own network, it shouldn't reach you. Also, the server you have done the static NAT statement for shouldn't be able to reach the internet.

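As an added example (not configuration from the thread or from Cisco), this is the ASA setup Mark describes, a static NAT for a new public IP that lives in the ISP-routed subnet rather than on the outside interface, together with the on-box checks that correspond to Henrik's test. All addresses, interface names and object names are assumed; the public ranges are documentation prefixes used as placeholders.

```cisco
! Existing ISP-facing interface and default route: unchanged (assumed values)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! The new /29 (198.51.100.0/29, assumed) is routed by the ISP towards
! 203.0.113.2. No interface carries it and no extra route is needed; the
! ASA claims 198.51.100.10 purely through this static NAT entry.
object network DMZ-WEB-01
 host 10.10.10.20
 nat (dmz,outside) static 198.51.100.10
!
! Inbound rule: on ASA 8.3 and later the ACL matches the real (untranslated)
! address of the DMZ host, not the public one.
access-list OUTSIDE-IN extended permit tcp any host 10.10.10.20 eq 443
access-group OUTSIDE-IN in interface outside
!
! Check 1: the ASA itself accepts an inbound packet to the new public IP
! (192.0.2.50 is a constructed external client). Expect "Action: allow"
! and the NAT phase showing the untranslate to 10.10.10.20.
packet-tracer input outside tcp 192.0.2.50 40000 198.51.100.10 443
!
! Check 2: the same host egresses sourced from the new address.
packet-tracer input dmz tcp 10.10.10.20 40000 192.0.2.50 443
!
! Check 3 (Henrik's point): if both traces allow but real outside tests
! never raise the untranslate_hits counter or log a 302013 "Built inbound"
! connection, the packets are not arriving, i.e. the ISP is not yet
! routing the new subnet to the outside interface address.
show nat detail
show xlate
```

If the packet-tracer results are clean but no inbound hits appear, the problem is upstream of the ASA and not in the NAT or access rule.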

2 Replies

Hi Henrik

Thanks for replying and after lots of chasing you were correct. All working perfectly now.

Mark
