Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1274
Views
0
Helpful
7
Replies

Add a second WAN CIDR range to ASA 5505

pk1000001
Level 1
Level 1

‎08-27-2014 12:02 PM - edited ‎03-04-2019 11:38 PM

Forgive me if this has already been covered as i couldn't find any clear answers to do this with a lone ASA 5505 running sec plus. 

 

How would i go about adding a second /28 CIDR range on anther segment given to us by our ISP which is on another segment? 

Our outside is configured with 68.2.2.2/255.255.255.255 and we have been given a new block of 98.98.98.0/255.255.255.240. ISP has routed the 98 to the 68 on their side as of now. 

Curious is the 5505 capable of doing this without a router in front? Any suggestions are welcomed. thanks!

Labels:
0 Helpful
7 Replies 7

michael o'nan
Level 4
Level 4

‎08-27-2014 02:17 PM

Did they give you a second link or just added the IPs to your current connection? If same connection you could use a basic switch as a "breakout" and use 2 interfaces as your outside connection.

0 Helpful

pk1000001
Level 1
Level 1
In response to michael o'nan

‎08-27-2014 04:50 PM

Good question, no second physical drop. 

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to pk1000001

‎08-28-2014 04:39 AM

You really do not want to use it as a second physical connection unless you intend to use the second address block only as a backup in case the primary physical connection has a problem. And given the description that the ISP has routed the 98 to the 68 I think it is highly likely that there is only a single physical connection from the ISP. So putting a switch in place to split them does not really buy you any redundancy.

 

What you really want to do is to use the second address block to create a pool of addresses to use for address translation. The ASA5505 should do this quite easily and well.

 

HTH

 

Rick

HTH

Rick
0 Helpful

pk1000001
Level 1
Level 1

‎08-28-2014 08:07 AM

Thanks. Yes, we do not want to use a router or switch in front.  i do understand the 5505 is not a router but is there any tricks we could do to add the additional /28 block of IPs from a single ISP drop to our ASA 5505? Would i assign the new /28 to the inside interface?

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to pk1000001

‎08-28-2014 11:01 AM

You do not need to assign the block to an interface to be able to use it for address translation with the ASA5505.

 

HTH

 

Rick

HTH

Rick
0 Helpful

pk1000001
Level 1
Level 1
In response to Richard Burts

‎08-28-2014 11:11 AM

Thank you, Richard. 

 

By leveraging PAT to point a 98 address to an internal 172 address, would we be allowed to use one-to-one NAT? 

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to pk1000001

‎08-28-2014 12:10 PM

You should be able to use 98 addresses to create one to one translations for 172 addresses and you could, if you want, use some 98 addresses to do dynamic NAT.

 

HTH

 

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents