ASAv - Multiple Outside Subnets?

smorrissey88
Level 1

Hi,

Say I have 2 public IP subnets: 

  • 1.2.30.1/24 
  • 1.2.50.1/24 (NEWLY ADDED)

The subnet 1.2.50.1/24 is new and is being routed to me by the ISP. I'm seeing ARP requests come in when I do a debug arp:

arp-in: request at outside from 1.2.50.1 0005.8562.ddee for 1.2.50.100 0000.0000.0000 having smac 0005.8562.ddee dmac ffff.ffff.ffff

The issue is that, even with a NAT rule, I can't seem to get anything to actually load. What am I missing here? It's like the firewall can see the ARP request but isn't answering it. 

My NAT rule:

nat (ASA_DMZ,outside) source static internal-haproxy-vip 1.2.50.100-vip service https https description NEW NETWORK TEST

Any ideas? I DID create a static route as well:

route outside 1.2.50.0 255.255.255.0 1.2.50.1 1
Accepted Solution

Francesco Molino
VIP Alumni

Hi

The new subnet is routed by your provider, so everyone from outside can reach your firewall. You don't need to create a static route on the ASA for this public subnet.

The ASA isn't replying to ARP because you don't have a real interface within this subnet. To allow that you'll need to use the command arp permit-nonconnected.

If you have created your NAT, do you see your traffic arriving on the ASA? Did you do a test with packet-tracer as well to test your NAT?

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question
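Putting the accepted answer together as one configuration and verification sequence (an added example, not part of the thread or of any Cisco documentation). It assumes the objects internal-haproxy-vip, 1.2.50.100-vip and https already exist as the OP's NAT rule requires; the client address 203.0.113.5 used for packet-tracer is a constructed value from the documentation range. The only behavioural change is arp permit-nonconnected, which is a global setting rather than a per-interface one, so after enabling it the ASA will answer ARP for any translated address outside a connected subnet on any interface; the ASA still only answers for addresses that appear in a NAT rule, so keep the outside-facing NAT rules limited to address space your provider actually routes to you.

```cisco
! --- Added example: publish 1.2.50.100 from a provider-routed subnet the ASA has no interface in ---

! The NAT rule exactly as posted in the thread (objects assumed to exist already).
nat (ASA_DMZ,outside) source static internal-haproxy-vip 1.2.50.100-vip service https https description NEW NETWORK TEST

! The static route is not needed: the ISP forwards 1.2.50.0/24 to the outside
! interface address, and a next hop of 1.2.50.1 is not on any connected subnet anyway.
no route outside 1.2.50.0 255.255.255.0 1.2.50.1 1

! Global setting: answer ARP for translated addresses that are not in the
! outside interface's own subnet. Without it the request for 1.2.50.100 shows
! up in "debug arp" but is never answered, which matches the symptom in the thread.
arp permit-nonconnected

! Verification: simulate an inbound HTTPS connection from a constructed client
! address and confirm the NAT and ACL phases are allowed and the packet is
! forwarded to ASA_DMZ. "detailed" prints the matched rule for each phase.
packet-tracer input outside tcp 203.0.113.5 40000 1.2.50.100 443 detailed

! Confirm the rule is installed and, after a real client connects, that a
! translation for 1.2.50.100 exists.
show nat detail
show xlate
```

If packet-tracer already reported ALLOW on every phase before the change, the NAT rule was never the problem; the missing ARP reply was, which is why the OP saw the request in debug arp but no traffic reached the HAProxy VIP.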


3 Replies


You were correct, adding arp permit-nonconnected fixed it, thanks!

You're very welcome


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question