Solved: WAN and Public LAN IP

chongshanyee · ‎11-27-2017

Hi,

I've requested static public ip range from my ISP and was given a different block from my existing WAN ip.

Current existing WAN IP: 1.1.1.0/30
ISP end: 1.1.1.1

My end: 1.1.1.2

The new public range is 2.2.2.0/29 and need to use the gateway of 1.1.1.0/30.

I don't have a router. Currently I'm using Cisco ASA for 1.1.1.2.

So can I use this new segment for the ASA failover? If yes, how do I do that?

It will be easy if the IP is in the same segment 1.1.1.0/29.

Please advise.

Richard Burts · ‎11-28-2017

The suggestion by Julio would be more appropriate if the original poster had a router, which does support secondary addressing. But the original post indicates that they have ASA and not router. The simple and effective thing to do with the new block of public IP addresses is to use them on the ASA to do address translation. If there are some devices on the inside network to need to be accessible from the public Internet then static translations can be configured so that an address from the new block is associated with the server that needs to be accessible from the public Internet. Other addresses in the new block could be used for translation of addresses for traffic originated inside and going to Internet destinations.

The original poster asks if the new address block could be used for ASA failover. I do not see any way that the new addresses could be used for failover.

HTH

Rick

HTH

Rick

View solution in original post

Julio E. Moisa · ‎11-28-2017

Hi

I have seen cases where the ISP provided a different network segment but they include the subnet into the same VLAN where the other segment is configured. So the new network segment is configured as secundary, for example:

vlan 100

interface vlan 100

ip add 1.1.1.1 255.255.255.240

ip add 2.2.2.2 255.255.255.240 secondary

So you can still use the gateway 1.1.1.1, the new one is seen as an extension of the primary network.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Richard Burts · ‎11-28-2017

The suggestion by Julio would be more appropriate if the original poster had a router, which does support secondary addressing. But the original post indicates that they have ASA and not router. The simple and effective thing to do with the new block of public IP addresses is to use them on the ASA to do address translation. If there are some devices on the inside network to need to be accessible from the public Internet then static translations can be configured so that an address from the new block is associated with the server that needs to be accessible from the public Internet. Other addresses in the new block could be used for translation of addresses for traffic originated inside and going to Internet destinations.

The original poster asks if the new address block could be used for ASA failover. I do not see any way that the new addresses could be used for failover.

HTH

Rick

HTH

Rick

chongshanyee · ‎11-30-2017

Thank you! I'm checking with my ISP whether we can have block of IPs instead of 2.

Hopefully this can be done.

Regards

Shan

Netplace Support · ‎07-11-2019

Hi Julio,

It would be a great help if you could help me on below query somewhat similar to this case.

Actually im also having two public ip pool from ISP

Lan public ip pool 2.2.2.0/29

Wan public ip pool 1.1.1.0/30

Wan ip 1.1.1.2 is connected to my ftd outside interface and default gateway of ftd is 1.1.1.1

What i want to achieve is my user should be able to access my server(192.168.1.10) in internal zone of FTD using lan public ip pool 2.2.2.2.

What are the configuration need to do on FTD to achieve this ?

Regards,

Vishal