Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
407
Views
0
Helpful
2
Replies

Configure second Public Range on ASA

shaftin2003
Level 1
Level 1

‎07-19-2016 03:39 AM - edited ‎03-07-2019 12:13 AM

Hi

I have a Cisco ASA 5515X running version 9.5, I have a /29 public range already configured and working, i now have a /28 which the ISP have supplied in addition to the /29

The /29 is presented via a WAN router on int1, the /28 is presented on int3 on the wan router, i have connected a cable from int3 to a spare port on the ASA and enabled the port, I havent configured anything, by doing this I am now able to ping the /28 gateway from outside, I have added some NAT rules on the ASA to use the new /28 with some internal services, but cannot access any of these services.

i have spoken to the ISP support company who have said that the new range has been routed through the original WAN port and should just work.

i'm at a loss and hoping someone here can help me througn this

Thanks

Sam

Labels:
0 Helpful
2 Replies 2

Karsten Iwen
VIP
VIP

‎07-19-2016 04:22 AM

What you write sounds contradictory to me ... So some questions:

  1. Is the new network configured on the same port of the ISP-router or not? Initially you write it's on int3, but later you write that it's routed on the original WAN-port.
  2. Is that network routed to your ASA or is it configured as a secondary subnet? If you got a gateway from your ISP for that network, then it's probably a secondary network.

Is the ASA the only device that will get connected to the ISP or do you also have additional firewalls or routers in place? If the ASA is the only device then do the following:

  1. Tell the ISP to statically route the new network to your outside ASA IP and not to configure it as a secondary subnet.
  2. On the ASA disable the spare interface that you already used for that.
  3. The *only* thing to configure on the ASA are your NAT/ACLs as you did for other services running on your primary network.
0 Helpful

shaftin2003
Level 1
Level 1
In response to Karsten Iwen

‎07-19-2016 06:04 AM

Hi Karsten,

Thank you for your response, to confirm a few things

The new range is configured on Interface 3 on the ISP router, the support team have said that its routed via the WAN IP (1st Range)

the 1st range is configured on interface 1 of the ISP router

i get replies to the gateway from external once i connected a cable from Interface 3 (ISP router) to spare port of ASA and enabled, if I disable the ASA port the pings stop

I have added 2 nat rules to a webserver with an internal ip

1st rule - from old range public ip to internal ip- works fine i'm able to see the webpage

2nd rule - from new range public ip to internal ip - doesnt work

Your suggestion to ask the ISP to statically route seems like the best way to go, so will ask them, in the meantime time if you have any other ideas please do  say

thanks

0 Helpful
Customers Also Viewed These Support Documents