11-03-2016 11:20 AM - edited 03-05-2019 07:24 AM
Hello all,
I have a question and I am hoping you can answer it for me.
I have a situation where I am going to have an ISR 1941 connected to an ASA 5508.
The public IP for the outside interface of the router and the ASA need to be on the same /29. This will mean my connection will have to pass through my inside interface of the Router.
I know it can be done, I just can't find the right article to show me examples.
Also I need a good article that can show me how to pass traffic from the ASA to the Router if my router will be at the border and the ASA is behind it.
11-03-2016 12:38 PM
Gregory,
Can you post a brief topology map indicating how your router and the ASA are connected and which interface on the router needs access (to what, the Internet)?
11-03-2016 01:24 PM
Topology is as follows
Internet 184.90.180.129/29
-
-
-
Router (outside int) 180.90.180.134/29
(inside int) this is where I need help
-
-
-
-
ASA (Outside int) 180.90.180.130/29
(inside int) 10.10.10.1/24
11-03-2016 02:08 PM
Sorry again for the confusion, but how is your ASA connected to the router? You would obviously only need a public IP address on the ASA outside interface if it were connected to the Internet.
11-03-2016 02:17 PM
This is why I need the help. For the time being the outside interface of the ASA has to keep the public IP for VPN purposes. We are transitioning to Azure and are trying to cut over, but the meshed network that is using the ASA as its VPN needs to stay up until the end.
We should be able to pass the traffic through.
11-03-2016 02:27 PM
Hello,
I also found this older article on how to add a secondary IP address to an outside interface of an ASA. Have a look and give it a try...
http://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/
11-03-2016 02:17 PM
On the ASA, the global config command:
arp permit-nonconnected
allows for ARP requests and ARP responses from ARP packets that are not on the same subnet as the connected interface.
I am not sure how this would work in your case, but assuming that the inside interface of your router is configured with an IP address, enable the arp permit-nonconnected feature on the ASA and check if you can reach the network on the inside of the router (obviously don't forget to add the default route on the ASA pointing to the IP address of the inside interface of the router, since that is your next hop)...