Can I do this: Add a new subnet to ASA 5510?

Unanswered Question
Mar 6th, 2007

I have a ASA 5510 currently running with a configured subnet from our ISP. Our ISP issued us an additional subnet for us to use.

Is it possible to add this new subnet to our ASA appliance somehow?

We need to IP address to map to machines that are in our DMZ.

What is the correct way to do this?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
suschoud Tue, 03/06/2007 - 12:52

if ur isp could route the ip addresses to the pix's outside interface,then there's no problem.

what u can do is implement this configuration:

new ip address range which you want to implement in dmz: /24

static (dmz,outside)

static (dmz,outside)

access-l out_in permit tcp any host eq 80

this is an example configuration where u have a web server is dmz which has the ip address

i hope this will help!!


Cisco TAC.

thecoffeeguy Tue, 03/06/2007 - 13:30

I think that should be ok. It is kind of odd (just stepped into this job), but the ISP actually controls and configures the router on our end. From what I have been told, they have already configured the router with the new subnet.

They have given me a /27 subnet.

Lets just say the subnet is (random numbers).

If it is already configured on the router, I don't need to setup anything on the ASA itself? I could just start using the IP addresses when i need them?

Can I still map a private IP address range to the new subnet? That is how we currently do it:

static (dmz,outside)

access-list out_in permit tcp any host eq www

I appreciate the help.

suschoud Tue, 03/06/2007 - 13:39

" static (dmz,outside)


this in incorrect.

it should be

static (dmz,outside)

let's say the NEW subnet is .

when i ( anyone on internet ) initiate a request for this subnet it's reaching the outside router and then to the asa.

till here,it's the isp's responsibility.

if they are able to route two different subnet's to your location,that's great. ( generally this does n't happen ).

now,when any packet menat for this ip address reaches the outside router,it should come to the asa's outside interface.

for that ,the asa's outside interface should do the proxy arp for this ip address.

that proxy arp is done by the static.

so,if you put in a static statement

static (dmz,outside)

then,the packet will hit the asa's outside interace,asa will redirect the packet to the dmz interface ,to the private ip address.

hope this helps!!


thecoffeeguy Tue, 03/06/2007 - 14:30

Got it...that makes sense.

So in a nutshell, as long as the ISP has taken care of their part by configuring that block of IP's on the router, and I configure things properly on ASA (using static) then everything SHOULD be good to go.

That correct?

Thank you very much. You have been very helpful.


This Discussion