07-22-2019 09:50 AM
Hi,
We have a 5516-X with a /27 public address range. Within our company I have another dept who would like their own network which they can manage with their own firewall, part of the requirements is to split the public address range and assign them a /29. I thought that engaging the ISP would be the easiest solution, but due to restrictions on the ISP's router they can't modify the address range and give them a dedicated port off of it.
This then leads me to giving them a port off of our ASA, which is fine, no problem. So my question is: is it possible to provide them a range of IP addresses so that traffic destined for their firewall just passes through? Do I just create an access rule with the source as Any and the destination as the IP of their firewall?
Any advice greatly appreciated.
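As an added illustration of the address-planning step in the question above (this is not code from the thread or from Cisco), the following Python script carves a /29 out of a /27, checks that the block does not swallow the ISP gateway or any address the ASA already uses, lists what is left for the parent network, and renders the narrower ASA permit line for that block rather than an any/any rule. The addresses, gateway, in-use list, ACL name and interface name are constructed placeholders; the thread only gives the prefix lengths.

```python
import ipaddress

# Constructed sample values: the thread only states a /27 parent and a /29 carve-out.
PUBLIC_RANGE = ipaddress.ip_network("203.0.113.0/27")
ISP_GATEWAY = ipaddress.ip_address("203.0.113.1")
# Addresses the existing ASA already owns (outside interface plus a NAT address), constructed.
IN_USE = {ipaddress.ip_address("203.0.113.2"), ipaddress.ip_address("203.0.113.5")}


def carve(parent, new_prefix, reserved):
    """Return the first /new_prefix block inside parent that contains no reserved address.

    Returns None when every candidate block collides with something already in use.
    """
    for block in parent.subnets(new_prefix=new_prefix):
        if not any(addr in block for addr in reserved):
            return block
    return None


def remaining(parent, carved):
    """Blocks of the parent that stay with the original ASA after the carve-out."""
    return sorted(parent.address_exclude(carved))


def plan_is_sane(parent, carved, gateway, in_use):
    """Sanity checks a practitioner wants before handing the block to another team."""
    return (
        carved.subnet_of(parent)          # block really lives inside the public range
        and gateway not in carved          # the ISP gateway must stay with the parent
        and not any(a in carved for a in in_use)  # nothing already assigned overlaps
    )


def asa_permit_line(acl_name, block):
    """Render an ASA extended ACL entry that permits traffic only to the carved block.

    acl_name is a placeholder; ASA uses dotted netmasks rather than prefix lengths.
    """
    return f"access-list {acl_name} extended permit ip any {block.network_address} {block.netmask}"


def build_plan(parent=PUBLIC_RANGE, gateway=ISP_GATEWAY, in_use=IN_USE, new_prefix=29):
    """Put the pieces together and return a dict describing the split."""
    carved = carve(parent, new_prefix, in_use | {gateway})
    if carved is None:
        raise ValueError("no free block of that size inside the parent range")
    return {
        "carved": str(carved),
        "remaining": [str(n) for n in remaining(parent, carved)],
        "sane": plan_is_sane(parent, carved, gateway, in_use),
        "acl": asa_permit_line("DEPT_IN", carved),
    }


if __name__ == "__main__":
    for key, value in build_plan().items():
        print(f"{key}: {value}")
```

The permit line is scoped to the department's /29 so that the rule on the shared ASA forwards only what is destined for their block; the department's own firewall then applies its own policy behind it.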
07-22-2019 12:11 PM
You can allocate the IP to the other department with a different port and make an access rule from any to any, and they need to make their own rules, since you are allowing them everything.
07-22-2019 02:31 PM
Hello,
How about multiple context mode, would that be an option? There are a few drawbacks (multiple context mode e.g. doesn't support QoS and remote access VPNs). All models support two contexts with the base license. Not sure if that is something you might consider...
07-26-2019 12:54 AM
Thanks for the replies.
I am thinking about putting a L2 Switch in between our ASA and the ISP router. This will allow us to split the public subnet and provide the other department with a dedicated connection without needing to come via our ASA.
Does anyone see any potential issues with this?
07-26-2019 02:20 PM
The issue is that you are wanting to forward certain IP addresses to that department. But a layer 2 switch by definition forwards based on layer 2 addresses and not layer 3 IP addresses.
HTH
Rick