11-27-2017 07:48 PM - edited 03-05-2019 09:33 AM
Hi,
I've requested a static public IP range from my ISP and was given a different block from my existing WAN IP.
Current existing WAN IP: 1.1.1.0/30
ISP end: 1.1.1.1
My end: 1.1.1.2
The new public range is 2.2.2.0/29 and needs to use the gateway of 1.1.1.0/30.
I don't have a router. Currently I'm using Cisco ASA for 1.1.1.2.
So can I use this new segment for the ASA failover? If yes, how do I do that?
It will be easy if the IP is in the same segment 1.1.1.0/29.
Please advise.
11-28-2017 03:58 AM - edited 11-28-2017 03:59 AM
Hi
I have seen cases where the ISP provided a different network segment but they include the subnet in the same VLAN where the other segment is configured. So the new network segment is configured as secondary, for example:
vlan 100
interface vlan 100
ip add 1.1.1.1 255.255.255.240
ip add 2.2.2.2 255.255.255.240 secondary
So you can still use the gateway 1.1.1.1, the new one is seen as an extension of the primary network.
11-28-2017 09:45 AM
The suggestion by Julio would be more appropriate if the original poster had a router, which does support secondary addressing. But the original post indicates that they have an ASA and not a router. The simple and effective thing to do with the new block of public IP addresses is to use them on the ASA to do address translation. If there are some devices on the inside network that need to be accessible from the public Internet then static translations can be configured so that an address from the new block is associated with the server that needs to be accessible from the public Internet. Other addresses in the new block could be used for translation of addresses for traffic originated inside and going to Internet destinations.
The original poster asks if the new address block could be used for ASA failover. I do not see any way that the new addresses could be used for failover.
HTH
Rick
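The address translation described in the answer above, as an added example that is not part of the original reply: a static translation for one inside server plus outbound PAT on a second address from the new block, in ASA 8.3+ object NAT syntax. The interface names, the inside subnet 192.168.1.0/24, the server 192.168.1.10, the HTTPS port, the choice of 2.2.2.2 and 2.2.2.3, and the ISP routing 2.2.2.0/29 toward 1.1.1.2 are all assumptions.

```cisco
! Added example, not configuration from the thread.
! Assumed: interfaces named "inside" and "outside", inside LAN 192.168.1.0/24,
! server 192.168.1.10 serving HTTPS, and the ISP routing 2.2.2.0/29 to 1.1.1.2.
! Because the block is routed to the ASA, no address from 2.2.2.0/29 is
! configured on any interface; the addresses exist only as NAT mapped addresses.

! Static translation: public 2.2.2.2 <-> inside server 192.168.1.10
object network SRV-HTTPS
 host 192.168.1.10
 nat (inside,outside) static 2.2.2.2

! Dynamic PAT: all other inside hosts leave as 2.2.2.3.
! Static object NAT rules are evaluated before dynamic ones, so the server
! keeps its own 2.2.2.2 mapping for outbound traffic as well.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 2.2.2.3

! The translation alone does not permit inbound traffic. Allow only the
! service that must be reachable. On 8.3+ the ACL matches the real
! (inside) address, not the mapped public one.
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq 443
access-group OUTSIDE-IN in interface outside
```

With no other entry in the outside ACL, everything else sent to 2.2.2.2 is dropped by the implicit deny; `show nat detail` and `show xlate` confirm which translations are installed.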
11-30-2017 06:19 AM
Thank you! I'm checking with my ISP whether we can have a block of IPs instead of 2.
Hopefully this can be done.
Regards
Shan
07-11-2019 10:57 PM
Hi Julio,
It would be a great help if you could help me with the query below, which is somewhat similar to this case.
Actually, I also have two public IP pools from my ISP:
LAN public IP pool 2.2.2.0/29
WAN public IP pool 1.1.1.0/30
WAN IP 1.1.1.2 is connected to my FTD outside interface and the default gateway of the FTD is 1.1.1.1.
What I want to achieve is that my users should be able to access my server (192.168.1.10) in the internal zone of the FTD using LAN public IP pool address 2.2.2.2.
What configuration is needed on the FTD to achieve this?
Regards,
Vishal