03-09-2010 11:24 PM - edited 03-11-2019 10:19 AM
Hi All,
Just want to know if there is a way to configure a secondary IP address on the outside/public interface of an ASA/PIX.
One of our clients has used most of their IPs on the subnet given by their ISP. They use those IPs for statically mapping to servers inside their local LAN. Thus, they requested another block/subnet from their ISP. They will also use this for static mapping/port forwarding to other servers in their network. The current UTM they are using is allowing this, but they would like to use an ASA/PIX as their main firewall. Is this even possible, or is there a workaround for this kind of scenario?
Many Thanks!
03-10-2010 03:15 AM
Lloyd
Pix/ASA firewalls do not support using secondary addressing on an interface. However the good news is that they don't need to.
As long as the ISP routes the new block of IP addresses to the outside interface of your firewall then you simply use the new block of IPs as you have the existing block, i.e. you set up static translations and allow access via the access-list.
The new IP block does not actually have to be allocated to an interface.
Jon
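The setup described in the answer above, as an added configuration example that is not part of the original posts. It assumes the pre-8.3 ASA/PIX `static` syntax current when the thread was written (8.3 and later use object NAT and reference the real address in the ACL); all addresses, the inside hosts and the ACL name `outside_in` are constructed for illustration.

```text
! Constructed example. Addresses are documentation ranges:
!   198.51.100.0/29 = original ISP block; the outside interface is 198.51.100.2
!   203.0.113.0/29  = additional block, which the ISP routes to 198.51.100.2
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! No interface carries a 203.0.113.x address. The static translations
! alone make the firewall answer for addresses in the routed block.
!
! One-to-one static mapping for an inside server
static (inside,outside) 203.0.113.2 192.168.1.10 netmask 255.255.255.255
! Port forward on a second address from the new block
static (inside,outside) tcp 203.0.113.3 smtp 192.168.1.25 smtp netmask 255.255.255.255
!
! Permit only the published services. In this syntax the ACL matches
! the translated (public) address, not the inside address.
access-list outside_in extended permit tcp any host 203.0.113.2 eq https
access-list outside_in extended permit tcp any host 203.0.113.3 eq smtp
access-group outside_in in interface outside
```

After applying it, `show xlate` lists the translations and the hit counts in `show access-list outside_in` confirm whether traffic for the new block is actually reaching the firewall.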
03-10-2010 06:06 PM
Thanks for your response, Jon. Will just verify with the ISP then. Really appreciate it!
10-27-2011 09:48 AM
I have a situation like this one. I get the routing part, but if I want to use the firewall as a VPN head end, how do I make it such that the firewall outside interface can be in the range of new ISP IPs? How can I make the outside interface accessible over the internet if I have 2 ranges?
Thanks,
Damon