
Two separate address pools on the same interface?

d.vinnedge
Level 1

I'm something of a routing novice so bear with me...

We have an ASA 5510 and we also have two separate address pools which have been provided by our ISP. The addresses are not contiguous. Is there a way to configure an interface on the ASA to handle both sets of public address pools? If the outside interface is set up on eth0/0 would I create two subinterfaces (eth0/0.1, eth0/0.2) and assign each subinterface an address pool? Then just NAT/PAT to my heart's content? At that point I would want both to route to our inside network. So it's basically two inbound sets of IP addresses coming into one interface and then coming into the network... Right now the outside interface is configured with our first set of IP addresses. We wanted additional addresses and when we called our ISP they told us we already had them - just a different pool. Hence the question. I'm guessing that I wouldn't put anything specific on the outside interface and I would put the specifics on the subinterfaces?

I've never done something like this before - that's why I'm asking the question!  Any help/direction would be appreciated!

Thank you!

2 Accepted Solutions


lcaruso
Level 6

It works. Nothing needed except NAT statements that have the 2nd IP range addresses specified. As long as your ISP routes them to the ASA's outside interface, the ASA is smart enough to NAT them for you.


Hi,

You should not create subinterfaces for this purpose. You will only complicate your setup and cause problems.

To be able to use the new public IP address range, it's basically mostly up to the ISP configurations. As long as the ISP has routed the new public subnet towards the ASA outside interface it should be usable. What you do with it is up to you.

You could

  • Start using the new public IP address range for server NAT addresses directly on the ASA firewall and configure Static NAT when a new LAN/DMZ server needs it.
  • You can also route the new public subnet further into your LAN behind the ASA and use the public subnet directly as some subnet for servers etc.
  • You could also configure the public subnet directly on some interface on the ASA if you want the ASA to be the gateway of the network. (This would of course be some other interface than the current "outside" interface)

All of the above depends on how your network is built. Meaning for example how your link to the ISP is configured and what kind of devices you have on your network.

Please rate if the information was helpful and/or ask more questions if the above didn't answer your questions.

- Jouni


4 Replies


NAT and ACLs are both needed.

d.vinnedge
Level 1

Thank you both. I didn't realize that the ASA would be "smart" enough to handle two IP ranges on the same interface. I simply created the access rules and then the NAT translations and it worked!
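
The setup the thread arrives at (static NAT from the second pool plus an access rule on the existing outside interface, no subinterfaces) could look like the following. This is an added example, not configuration posted by anyone in the thread. It assumes ASA 8.3 or later syntax and an existing `inside` interface; all addresses, the object name `WEB-SRV` and the ACL name `OUTSIDE-IN` are constructed.

```cisco
! Added example with constructed values; ASA 8.3+ syntax is assumed.
! First ISP pool (already on the outside interface): 203.0.113.0/29
! Second ISP pool (routed by the ISP to 203.0.113.2): 198.51.100.0/29
! Hypothetical inside web server: 10.1.1.10

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
! No subinterface and no extra interface address is added for the second pool.

! Static NAT: publish the server on an address from the second pool.
object network WEB-SRV
 host 10.1.1.10
 nat (inside,outside) static 198.51.100.10

! Permit only the service that has to be reachable. On 8.3+ the ACL
! references the real (inside) address, not the mapped public one.
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq 443
access-group OUTSIDE-IN in interface outside

! Check the NAT and ACL decision without sending live traffic
! (192.0.2.50 is a constructed external client address).
packet-tracer input outside tcp 192.0.2.50 40000 198.51.100.10 443
show xlate
show nat detail
```

On releases before 8.3 the NAT statement uses the older `static (inside,outside)` form and the access list references the mapped public address instead of the real one.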
