1581 Views, 0 Helpful, 7 Replies

Two Public IP Blocks on ASA 5505

kyle.mcauliffe
Level 1

We have 2 IP blocks from my ISP.  We have been using just one, a /30 block, with one IP address used on the outside interface of the device.  The new block is a /29 range, and I would need to use just two of those IP addresses.  Here is the situation I am facing.

A company we partnered with wants to set up a VPN; they will send us 2 Cisco 861s to put behind our ASA.  Is it possible to assign these 861s public IPs from the block that we are not currently using (the /29 range)?  I know that it might require an upgrade to the Security Plus license.

I just want to make sure that this setup is possible before I go any further.

I appreciate the help beforehand; let me know if any further information is needed.

7 Replies

i.va
Level 3

The ASA can do "proxy arp" for that /29 network. Check out the explanation here:

https://learningnetwork.cisco.com/thread/38398

Please rate if helpful.

ALIAOF_
Level 6

You can also simply put the 861s on your local network and NAT the 2 available IPs to those two 861s.  I'm assuming they want to use the 861s to set up an IPsec VPN.  You'll just have to make sure that UDP ports 500 and 4500 are OPEN (NOT FORWARDED) from your partner company to you so that the 861s can establish the VPN.

Lots of companies, especially those dealing with PCI requirements, do it like this.

Would it matter that the gateway for the IPs which I will assign to the 861s is different from the public IP on the outside interface?

eg. The IP on the outside interface of the ASA is 200.100.50.25/30 (GW: 200.100.50.25), the other IP block is 200.100.50.150/29 (GW: 200.100.50.150).

Actually, you will not be assigning those IPs directly on the 861s.  The 861s will get their IPs from the LAN.  So, for example:

- 861#1 = 192.168.1.25

- 861#2 = 192.168.1.26

Now you will set up a NAT on your ASA and NAT 192.168.1.25 to 200.100.50.151, and the second one to 200.100.50.152.
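What that NAT setup looks like on the ASA, as an added example that is not from this thread or from ALIAOF_'s post. It assumes ASA 8.3+ NAT syntax, interfaces named inside and outside, the addresses used above, and a placeholder partner peer address of 198.51.100.10; the partner's real address would go there.

```text
! Added example (constructed, not from the thread): 1:1 static NAT for the two
! 861s plus an inbound ACL that opens (not forwards) IKE/NAT-T from the partner.
! Assumed: ASA 8.3+ syntax, interfaces "inside"/"outside", ASA outside = 200.100.50.25/30.
! The ASA proxy-ARPs for the mapped 200.100.50.151/.152 on the outside
! interface even though they are not in the outside interface's /30, so the
! ISP router must deliver the /29 onto the same segment as the ASA outside port.

object network VPN-861-1
 host 192.168.1.25
 nat (inside,outside) static 200.100.50.151
object network VPN-861-2
 host 192.168.1.26
 nat (inside,outside) static 200.100.50.152

! Placeholder for the partner's VPN peer (replace with their real public IP).
object network PARTNER-PEER
 host 198.51.100.10

! IKE (UDP/500) and NAT-T (UDP/4500). Because the 861s sit behind 1:1 NAT,
! NAT detection will normally move ESP into UDP/4500; the esp lines below
! only matter if the tunnel is negotiated without NAT-T.
object-group service IKE-PORTS udp
 port-object eq 500
 port-object eq 4500

! On 8.3+ inbound ACLs match the real (untranslated) inside addresses.
access-list OUTSIDE-IN extended permit udp object PARTNER-PEER object VPN-861-1 object-group IKE-PORTS
access-list OUTSIDE-IN extended permit udp object PARTNER-PEER object VPN-861-2 object-group IKE-PORTS
access-list OUTSIDE-IN extended permit esp object PARTNER-PEER object VPN-861-1
access-list OUTSIDE-IN extended permit esp object PARTNER-PEER object VPN-861-2
access-group OUTSIDE-IN in interface outside
```

Restricting the source to the partner's peer address keeps the two public IPs closed to everyone else; `show nat detail` and `show xlate` confirm the translations once the 861s start talking.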

mickyq
Level 1

You could put a switch between the outside of your ASA and the Internet feed. Connect the 861s to that switch with the public IPs. You can then terminate the VPN on each 861 and connect them to your network, or create DMZs on the ASA and bring them in that way. It depends how secure you want to be and the licence on the ASA.

Or, again, depending on the ASA licence, you could terminate the VPN directly on the ASA. I think a base licence allows 2 VPN peers.

The gateway of each public subnet you have should be routable from the ISP router. I'm not sure if you can ping these from your firewall?

I would rather terminate the VPN at the ASA, but the company wants us to use their devices behind our firewall, not quite sure why.

I think I'll end up going the NAT route.  I will do some testing next week before the devices get here and post an update.

It might be due to compliance reasons.
