Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
962
Views
0
Helpful
4
Replies

How can you handling non overlapping wan subnets with an ASA

Charlie Dick
Level 1
Level 1

‎11-26-2011 09:11 AM - edited ‎03-04-2019 02:25 PM

greetings,

Our IPS has given us a second range of IPs as we were running out.  Unfortunately, they can only give us two non overlapping range.  I am running two ASA 5520 in fail over to handle our traffic but I don't know the best way to use both external ranges.  This is not a failover scenario -- and I need outward facing servers on both ranges.  It is adventageous to us to keep the two external subnets separating two of our operations so we don't want to bring everything into one subnet (long story).

I have one NIC designated outside that will need to cater for both wans.  As there are two subnet there are two gateways.  How do I keep the traffic on track?

Thanks

Charlie

Labels:
0 Helpful
4 Replies 4

kazsiddiqui
Level 1
Level 1

‎11-26-2011 11:01 AM

I have same scenario to be resolved.

0 Helpful

Charlie Dick
Level 1
Level 1

‎12-13-2011 08:06 AM

I have an update on this and how it was solved at least in part.

1. I configured our ASA with only our principle subnet and gateway.

2. our ISP was able to route all our subnets to the ASA.

3. using static NATs I was able to route traffic on the non overlapping subnet to the public facing server. 

I was using the ASDM and created the public server using the Firewall > Public Server.  This works for incoming trafic but not for outgoing.  Going to whatsmyip.org shows the IP of the firewall on the primary subnet.  To solve this I had to recreate the NAT rule manually and place it above the general rules for the servers subnet. 

In the end it was not that hard but for a newbie it caused some sleepless nights. :-)  The learning curve is steep.

0 Helpful

kazsiddiqui
Level 1
Level 1
In response to Charlie Dick

‎12-14-2011 01:18 AM

Dear Charlie,

Have you drop public ip from ISP on ASA or it first drop at any router. in my opinion if we use any router in front of ASA then we can easily route both block towards ASA.

0 Helpful

Charlie Dick
Level 1
Level 1
In response to Charlie Dick

‎12-16-2011 08:28 AM

Good afternoon,

The ASA has a the ISP's public gateway and I only have one configured (from the primary subnet range) even though it is not part of the secondary subnet this does not seem to matter.  I don't know what router tricks the ISP is doing but they are a major outfit with some sharp guys on the staff.  They acted like ti was not a big deal.

I am not sure I have answer your question.

0 Helpful
Customers Also Viewed These Support Documents