ASA Passthrough

EvorioSupport1
Level 1

Hi,

We have a 5516-X with a /27 public address range. Within our company I have another dept who would like their own network, which they can manage with their own firewall; part of the requirements is to split the public address range and assign them a /29. I thought that engaging the ISP would be the easiest solution, but due to restrictions on the ISP's router they can't modify the address range and give them a dedicated port off of it.

This then leads me to giving them a port off of our ASA, fine, no problem. So my question is: is it possible to provide them a range of IP addresses so that traffic destined for their firewall just passes through? Do I just create an access rule with the source as Any and the destination the IP of their firewall?

Any advice greatly appreciated.

4 Replies

balaji.bandi
Hall of Fame

You can allocate the IP range to the other department on a different port and make an access rule from any to any; they need to make their own rules, since you are allowing them everything.

BB


Hello,

How about multiple context mode, would that be an option? There are a few drawbacks (multiple context mode e.g. doesn't support QoS and remote access VPNs). All models support two contexts with the base license. Not sure if that is something you might consider...
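As an added illustration of the multiple context mode suggestion above (example configuration written for this page, not taken from the thread or from Cisco documentation): the department gets its own security context on the 5516-X, so it manages its own firewall policy while the main context keeps yours. Interface numbers, the context name, the config-url path and all addresses (RFC 5737 documentation space, plus a constructed private range) are assumptions. It also assumes the department's context shares the ISP-facing port with the main context and takes its outside address from the /29 you carve out of the /27 on that same segment.

```cisco
! --- System execution space ---
! Converts the appliance to multiple context mode; the existing configuration
! becomes the admin context. This requires a reboot, so plan a window.
mode multiple
!
! Two contexts will share the ISP-facing port, so each needs its own virtual MAC
! for the ASA to classify inbound frames to the right context (explicit here;
! recent releases enable it by default in multiple mode).
mac-address auto
!
! Physical ports are enabled in the system space before a context can use them.
! GigabitEthernet1/1 = ISP-facing port (assumed), GigabitEthernet1/3 = the
! dedicated port handed to the department (assumed).
interface GigabitEthernet1/1
 no shutdown
interface GigabitEthernet1/3
 no shutdown
!
! The department's context: it shares the ISP-facing port (the main/admin
! context allocates GigabitEthernet1/1 as well) and gets its own inside port.
! Its configuration lives in a separate file that only it writes to.
context deptB
 allocate-interface GigabitEthernet1/1
 allocate-interface GigabitEthernet1/3
 config-url disk0:/deptB.cfg
!
! --- Inside the deptB context (changeto context deptB) ---
! The department addresses its outside from the /29 you allocate them and
! owns its own rules; nothing below is visible from the main context.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.25 255.255.255.224   ! from the shared /27 segment, assumed
 no shutdown
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0     ! constructed private range
 no shutdown
route outside 0.0.0.0 0.0.0.0 203.0.113.1  ! ISP router address, assumed
!
! Their starting policy: deny everything inbound; they add their own permits.
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
```

One access-control point worth keeping in mind with this layout: give the department management access (SSH/ASDM) on an interface of their own context only, not on the admin context. A user logged in to a non-admin context cannot `changeto` another context, whereas anyone with access to the admin context can reach every context on the box.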

EvorioSupport1
Level 1

Thanks for the replies.

I am thinking about putting a L2 switch in between our ASA and the ISP router. This will allow us to split the public subnet and provide the other department with a dedicated connection without needing to come via our ASA.

Does anyone see any potential issues with this?


The issue is that you are wanting to forward certain IP addresses to that department. But a layer 2 switch by definition forwards based on layer 2 addresses and not layer 3 IP addresses.

HTH

Rick
