01-10-2024 10:13 AM
Hello.
My goal is to allow 2 ASA-5525s in a HA primary-standby pair to both have connectivity to the (new) ISP controlled adjacent router via an L2 switch.
This new ISP for the enterprise has given me a single public IP address with a /30 mask that is in the subnet of the ISP device, and also 4 nearby IP addresses with a /29 mask.
It seems to me that this offering is ineffective for my needs, because I need 2 IP addresses in the same subnet as the adjacent ISP device.
QUESTION: Are the given /29 addresses effective for my configuration intent, or must I contact the ISP and tell them to make 2 addresses available, requiring a /29 subnet?
Thank you!
01-10-2024 10:19 AM - edited 01-10-2024 11:24 AM
If you have ASA HA then you need two public IPs plus one that the ISP uses; that makes it three, and a /30 only gives you 2, so it will not work.
You need a /29 for this case.
MHM
01-10-2024 11:24 AM
Check this link for workaround.
MHM
01-10-2024 11:52 AM
Thanks for the link.
With only one IP address available on the /30 subnet, I don't understand how the linked solution is configured: on the standby unit, what is the IP address of the outside interface?
01-10-2024 11:59 AM
The standby does not need to have an IP if you disable monitoring on the outside interface.
So if the standby doesn't have an IP then you
One IP for the active and one for the ISP, that is two IPs, and a /30 gives you these two IPs.
Don't be confused: the link I shared talks about the ISP giving you one IP; it does not include the ISP's IP.
MHM
01-10-2024 12:07 PM
Thanks for the reply. I still don't understand...
I have 1 interface on each ASA labeled "outside" (2 total interfaces). These connect to L2 switch. L2 switch has 1 cable to ISP.
Primary ASA has "outside" IP address 1.1.1.1/30. Primary ASA explodes in a big fireball.
QUESTION: How does the ISP router know that the secondary ASA now has IP address 1.1.1.1 on its "outside" interface?
01-10-2024 12:57 PM
The active ASA outside has 1.1.1.1.
The standby ASA outside doesn't have any IP.
And the ISP, with ASA HA, always sends traffic toward the ACTIVE IP, not the standby.
MHM
01-10-2024 01:07 PM
OK, so the reason the technology works for 1 IP is because of the virtual MAC address that is pushed through a gratuitous ARP on the ASA? Correct?
May you please give me an example of a minimum config for this standby outside interface (that won't have an IP address on it)?
Thank you.
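The following is an added example, not a config from this thread or from Cisco, of a minimal active/standby failover setup where "outside" carries only the active address 1.1.1.1/30 and no standby address, with interface monitoring disabled as the replies describe. It assumes the ISP gateway is 1.1.1.2 (the other host address in 1.1.1.0/30), a dedicated failover link on GigabitEthernet0/2, and the constructed private subnet 10.0.0.0/30 for that link.

```cisco
! --- primary unit ---
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link folink GigabitEthernet0/2
! Constructed addresses for the failover/state link (assumption)
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! No "standby" keyword: only the active unit owns 1.1.1.1
 ip address 1.1.1.1 255.255.255.252
 no shutdown
!
! Without a standby address the standby unit cannot run interface health tests
! on outside, so remove it from monitoring to avoid spurious failovers.
no monitor-interface outside
!
! Optional: fix a virtual MAC for outside so the address moves with the active
! role and the ISP side relearns it from the gratuitous ARP sent on failover.
! Constructed locally administered MACs (assumption).
failover mac address GigabitEthernet0/0 0000.5e00.0101 0000.5e00.0102
!
! Default route toward the ISP side of the /30 (assumption: 1.1.1.2)
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
failover
!
! --- secondary unit: only the failover bootstrap differs; the rest is
! replicated from the active unit ---
failover lan unit secondary
failover lan interface folink GigabitEthernet0/2
failover link folink GigabitEthernet0/2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover
```

Note that with no standby address the standby unit has no presence on the ISP subnet, so it cannot be managed, patched or probed via outside while it is standby; reach it over an inside interface that does have a standby address.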
01-11-2024 11:09 AM
Hi. Regarding my task...
The ISP gave us 1.1.1.1/30
They also gave us SIX IPs on 1.1.3.0/29. Can I use 1.1.3.0/29 for DMVPN connections to 7.7.7.7? If so, for the DMVPN to work, all I need to do is add the route: ip route 7.7.7.7 255.255.255.255 1.1.1.1 ?
Thank you!
01-11-2024 11:22 AM
But DMVPN does not work on the ASA.
For two subnets on outside I will check this point.
MHM
01-11-2024 11:28 AM
I already have this active on a different circuit; architecture: DMVPN >> ASA >>-www->> ASA >> DMVPN. The difference is that on the "DMVPN>>ASA" connections, the public IPs are in the same subnet (/29).
QUESTION: Can this architecture work with variation...
"The ISP gave us 1.1.1.1/30
They also gave us SIX IPs on 1.1.3.0/29. Can I use 1.1.3.0/29 for DMVPN connections to 7.7.7.7? If so, for the DMVPN to work, all I need to do is add the route: ip route 7.7.7.7 255.255.255.255 1.1.1.1"