secondary ip on ASA

acid_kewpie
Level 1

Hi,

I'm looking at a phased migration from PIX to ASA and our ISP is currently routing a separate public subnet through the PIX into our network. As the IP of the PIX pair is used in their routing tables, and the ASAs are being commissioned on different public IPs (it's too complex to just keep the same IPs for other reasons), I'd ideally like to be able to take the IP being used as the routing hop and keep it on the ASAs as a secondary IP or suchlike, without having to liaise with the ISP to do a timed routing change, which is never fun. This would also give a nice bit of abstraction from hardware IPs and functional IPs. If this was an IP being used for a NAT or such then obviously that move would be simple, but as this is a routing hop, the NAT wouldn't make sense (would it?)

If this were IOS, I'd personally be looking at an HSRP IP, but on ASA I don't think this is possible, but hopefully someone might be able to prove me wrong.

Thanks

Chris

5 Replies

gmarogi
Level 5

This sample configuration shows how to set up multiple VPN Group Clients to use different VLANs after the IPsec tunnel is established with the PIX 500 Series Security Appliance.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806ab788.shtml

Erm, thanks. BUT that appears to have nothing to do with the question I asked at all...

Do you have public servers exposed to the Internet in your PIX & a DMZ?

Are you using this only for NAT?

If it is case 2, it is pretty simple.

On your LAN gateway, put a policy route for a test subnet pointing towards the ASA & test all functionalities.

The default route will be via the PIX.

When everything is OK, just change the default route to the ASA & remove the route map.

Thanks,

As above, we do not control the gateway device which is routing to the PIX and ASA internet presentations; this is our service provider. These addresses are not NAT addresses on the devices, but are routed through the devices into our LAN.

Could you please explain again what your requirement is?
