Using new public subnet with ASA

Hello,

Our ASA is configured with a public IP address on its outside interface. This public IP is part of a subnet that we obtained from our ISP. Recently, we have used up all the IP addresses in this subnet and we obtained another subnet. I want to statically NAT an internal server to one of the IP addresses, which belongs to the new subnet. However, I cannot get the ASA to respond to this new IP address (from the new subnet). Is there anything that I have to do to make the ASA own this IP address? Or is what I am doing wrong? What should I do to make use of this new subnet?

Thanks.

5 Replies

Jouni Forss
VIP Alumni

Hi,

There should be no problem using an additional public subnet on the ASA.

For this to work it depends to some degree on your ASA software level and the actual configurations naturally.

How has the new subnet been configured on the ISP side?

  • Have they routed the new subnet towards the current ASA "outside" interface IP address?
  • Or have they configured the new subnet as "secondary" network to their router interface facing the ASA?

- Jouni

Hi Jouni,

Thank you for your response.

The upstream router was configured with a route towards the outside interface IP address of the ASA, which belongs to the old subnet.

I have tried to place my PC on the outside of the ASA (just L2 with the outside interface) and gave myself an IP address from the new subnet, but I could not reach the new IP address. A packet capture shows the ARP requests for the new IP but no replies.

Here is the static NAT entry, which I am trying:

    object network VPN_ASA_Private
     host 10.1.1.15
    object network VPN_ASA_Public
     host 217.237.129.177
    nat (inside,Outside) source static VPN_ASA_Private VPN_ASA_Public

The outside interface is just configured with an IP address that belongs to the old subnet, not the new one.

Any suggestions on how to troubleshoot this issue?

Thanks.

Hi,

I would probably configure a simple Static NAT with:

    object network SERVER
     host 10.1.1.15
     nat (inside,Outside) static 217.237.129.177

If the upstream router has been configured with a route towards the current ASA IP address, I don't think there should be a problem. Since if the upstream router has a nexthop route for the new subnet it will not do ARP for the IP address but pass the traffic towards the ASA instead. If on the other hand the upstream router has the new network as a directly connected network it will naturally ARP for that network's host IP addresses to determine the correct device to send to.

In the very new software versions there is a command something like

    arp permit-nonconnected

That has helped with some ARP related problems and multiple subnets in use.

Think this is only available in the 8.4(5) and 9.x software. Though I don't remember exactly, so not 100% sure.

- Jouni
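The two ISP-side cases Jouni describes, modelled as an added example (not Cisco code and not the thread's own configuration): the ASA always answers ARP for its own interface address, but for a static NAT mapped address that lies outside the connected subnet it answers only when arp permit-nonconnected is set, and whether that matters depends on whether the ISP routes the new block to the ASA or treats it as a directly connected (secondary) network. The addresses 10.1.1.15 and 217.237.129.177 come from the thread; the "old" block 203.0.113.0/29, the ASA outside address 203.0.113.2 and the /29 size of the new block are assumed values chosen for illustration.

```python
# Added model of the ASA ARP decision discussed in this thread. Not Cisco code
# and not the poster's configuration: 10.1.1.15 and 217.237.129.177 are the
# thread's addresses; the "old" block 203.0.113.0/29, the ASA outside address
# 203.0.113.2 and the /29 size of the new block are assumed for illustration.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass
class StaticNat:
    real_ip: IPv4Address        # inside host (object network SERVER)
    mapped_ip: IPv4Address      # public address the ASA must answer ARP for
    mapped_ifc: str = "Outside"


@dataclass
class AsaOutside:
    """The ASA 'Outside' interface and the settings that govern its ARP replies."""
    address: IPv4Interface
    nats: list = field(default_factory=list)
    arp_permit_nonconnected: bool = False   # the 'arp permit-nonconnected' command

    def answers_arp_for(self, target: IPv4Address) -> bool:
        """Would the ASA reply to an ARP 'who-has target' received on Outside?"""
        if target == self.address.ip:
            return True                     # its own address: always
        for nat in self.nats:
            if nat.mapped_ifc == "Outside" and nat.mapped_ip == target:
                if target in self.address.network:
                    return True             # mapped address in the connected subnet
                return self.arp_permit_nonconnected   # non-connected: only if enabled
        return False


@dataclass
class IspRouter:
    """Upstream router: routes the new block to the ASA, or has it as a connected network."""
    routes: dict = field(default_factory=dict)      # IPv4Network -> next-hop IPv4Address
    connected: list = field(default_factory=list)   # networks on the ASA-facing interface

    def delivery(self, dst: IPv4Address, asa: AsaOutside) -> str:
        """How a packet for dst gets from the ISP router to the ASA, if at all."""
        for net in self.connected:
            if dst in net:
                # Connected network: the router ARPs for the host address itself.
                return "delivered" if asa.answers_arp_for(dst) else "arp-unanswered"
        for net, nexthop in self.routes.items():
            if dst in net:
                # Routed: the router ARPs only for the next hop (the ASA's own address).
                return "delivered" if asa.answers_arp_for(nexthop) else "arp-unanswered"
        return "no-route"


OLD_NET = IPv4Network("203.0.113.0/29")       # assumed: original ISP block
ASA_IP = IPv4Interface("203.0.113.2/29")      # assumed: ASA Outside address in the old block
NEW_NET = IPv4Network("217.237.129.176/29")   # assumed size; contains the thread's mapped IP
MAPPED = IPv4Address("217.237.129.177")       # from the thread
SERVER = IPv4Address("10.1.1.15")             # from the thread


def build_asa(permit_nonconnected: bool) -> AsaOutside:
    """ASA with the single static NAT from the thread."""
    return AsaOutside(ASA_IP, [StaticNat(SERVER, MAPPED)], permit_nonconnected)


def scenario(isp_mode: str, permit_nonconnected: bool) -> str:
    """isp_mode: 'routed' (route for NEW_NET via the ASA) or 'secondary' (NEW_NET connected)."""
    asa = build_asa(permit_nonconnected)
    if isp_mode == "routed":
        isp = IspRouter(routes={NEW_NET: ASA_IP.ip}, connected=[OLD_NET])
    elif isp_mode == "secondary":
        isp = IspRouter(connected=[OLD_NET, NEW_NET])
    else:
        raise ValueError(f"unknown isp_mode {isp_mode!r}")
    return isp.delivery(MAPPED, asa)


if __name__ == "__main__":
    for mode in ("routed", "secondary"):
        for flag in (False, True):
            print(f"ISP {mode:9s} arp permit-nonconnected={flag!s:5s} -> {scenario(mode, flag)}")
```

The "secondary" case without the command is the situation in the original poster's capture (ARP requests for the mapped address, no replies), and in the "routed" case the command is irrelevant because the ISP only ever ARPs for the ASA's own address. The model also makes the trade-off visible: with the flag set, the ASA answers ARP for mapped addresses that are not in its connected subnet, which is the wider exposure the configuration guide warning refers to.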

Hello Jouni,

Thanks a lot. This command resolved the issue. However, the configuration guide warns about using this command.

Hi,

I think the risk is higher if you have hosts directly connected to the ASA without going through some router/L3 hop on the way.

So let's say you have an ASA5505 or ASA 5510 and have a flat switch network behind the ASA's interfaces and don't have any L3 devices on the LAN; then there could potentially be a situation where someone could fill the ARP table of the ASA.

If however you have a link network between your ASA and the actual hosts, so that the hosts aren't directly connected to the ASA interfaces, then I suppose there is no risk of malicious activity causing the problem of the ASA's ARP table filling up.

Or at least that's how I think it would work.

Using 2 subnets on the "outside" while the ISP configured them both on its gateway interface became a problem only at 8.4(3) software. (You could still probably find the thread about it with Google on these forums.) So I imagine that having this command "on" was the default behaviour all the way up to 8.4(2) software; in 8.4(3) it didn't work, and in 8.4(4/5) it became configurable with "arp permit-nonconnected".

- Jouni
