Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1087
Views
5
Helpful
13
Replies

ASA5512 multiple public IP ranges

richard.quick1
Level 1
Level 1

‎09-21-2016 04:38 AM - edited ‎03-05-2019 07:06 AM

Hi, 
I hope someone can help me, I have a ASA5512-X which is configured with a single 'outside' interface connected to my providers network. With this link we have a /26 ip address range which a single IP is allocated to the 'outside' interface and the rest off the IP's are NAT'd to devices on the 'inside' interface's. This is working as expected and connectivity is good.
I now have a second public IP range (/28) on the same link which I would like to use to allocate public addresses to devices on inside networks as with the first range of IP addresses. I have tried configuring a second 'outside' interface with the new range but connectivity doesn't seem to work.
How do I ensure the second range is 'seen' as the first range and NAT'd traffic passed to 'inside' devices using a public IP from the second range? I do all my configuration via the ASDM and can not figure a way out to add this secondary range to the 'outside' interface. In addition we will soon have a third IP range which will also need to be seen by the 'outside' interface.
Thanks in advance
Labels:
0 Helpful
13 Replies 13

Pawan Raut
Level 4
Level 4

‎09-21-2016 04:53 AM

You need not configure second 'outside' interface. Firewall should have one outside interface with one subnet and do the NAT for second third and so on  without configuring IP subnet on interface just make sure that ouside world know that second,third and so on range on your Firewall I mean routing.

0 Helpful

richard.quick1
Level 1
Level 1
In response to Pawan Raut

‎09-21-2016 05:18 AM

Hi, Thank you for your quick response. how do I set up NAT for the second/third ranges using ASDM?

Thank in advance

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to richard.quick1

‎09-21-2016 11:57 AM

How did you set up NAT for the first range? I am guessing that perhaps you created objects for the addresses in the range and then configured NAT with the object of the inside address and of the public address. Or perhaps you just configured NAT for the object of the inside address to the public address. You would do essentially the same for the second or third range.

HTH

Rick

HTH

Rick
0 Helpful

richard.quick1
Level 1
Level 1
In response to Richard Burts

‎09-22-2016 02:46 AM

Hi, 

The 'outside interface was allocated an IP in the public range 1.1.1.40, all other addresses were allocated to internal devices using ASDM and creating a public facing server. This created a public to internal NAT rule.

I am not sure how to add 3.3.3.x and 6.6.6.x to the outside interface, allowing me to allocate additional public addresses to internal servers.

Thanks in advance

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to richard.quick1

‎09-22-2016 05:53 AM

The thing is that you do not need to add those addresses to any interface. All you need to do is to create the NAT rules.

HTH

Rick

HTH

Rick
0 Helpful

richard.quick1
Level 1
Level 1
In response to Richard Burts

‎09-22-2016 10:55 PM

Thank you, how would i create the rules in the ASDM manager? Is it literally in the NAT section and select the I/F and IP ranges?

Thanks

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to richard.quick1

‎09-23-2016 06:44 AM

Yes it is literally in the NAT section (with appropriate entries in the object section).

HTH

Rick

HTH

Rick

richard.quick1
Level 1
Level 1
In response to Richard Burts

‎09-27-2016 07:38 AM

Thanks, which option do I choose (image attached).

Thanks once again.

Preview file
129 KB
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to richard.quick1

‎09-27-2016 07:43 AM

I believe that you want the middle option which add an object nat rule.

HTH

Rick

HTH

Rick
0 Helpful

richard.quick1
Level 1
Level 1
In response to Richard Burts

‎09-27-2016 08:09 AM

I will give it a try. Thanks

0 Helpful

richard.quick1
Level 1
Level 1
In response to richard.quick1

‎09-28-2016 06:06 AM

Hi, 

Any ideas what the Translated Address should be set to, I don't have any targets for the secondary IP range yet and they wont all be on the same network segment anyway?

Thanks

Preview file
125 KB
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to richard.quick1

‎09-28-2016 07:04 AM

The translated address would be taken from the set of addresses that the ISP gives you. If you do not have these addresses yet then it is too early to be configuring this address translation.

I am not sure that it makes any difference whether the translated addresses are in the same subnet or not.

HTH

Rick

HTH

Rick
0 Helpful

Paul
Level 1
Level 1

‎09-22-2016 02:07 PM

Is the new IP block from the same ISP? If it is, are they routing this new /28 to your current interface?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card