Multiple IP addresses on ASA 5510?


I'm new to the world of Cisco (ASA 5510).

I have a rack at a data center that has multiple IP addresses - thru (obviously not the actual addresses).

I need to integrate it slowly into my rack, pulling one server behind it at a time.

How do I configure a single Ethernet port to respond to multiple IP addresses?

For example - today I would like the external interface to answer to and tomorrow I'd like to add in, the next day, and so on.



husycisco Fri, 12/14/2007 - 00:22

Hi Brian

When you assign an IP address to an interface with a valid subnet mask, the interface becomes responsible for the IPs in network. For example, if you assign to your outside interface, traffic of IP range is controlled by outside interface. Connection attempt to any IP in this range is controlled by your outside interface.

If you are on to use the IPs you type as interface IPs, this is not possible. You can create sub-interfaces and do VLAN tagging with a VLAN compatible switch with a trunk port, but assigned IPs must be in different networks.

If you tell us what you are on to in details, we may produce some alternative suggestions.


That is what I was afraid of.

Here's my scenario:

I have my Ethernet coming into my rack that is presently hooked into my switch. So the traffic comes into my Dell PowerConnect 2724 switch, then goes directly to the boxes from there. All of my servers have external IP addresses currently. (I didn't design it - no firewall.)

What I'd love to do is be able to stage the deployment of the firewall so that I can bring the servers behind the firewall one at a time, and not have to reconfigure the entire rack at once.

I was hoping to have the Ethernet come in, plug into the switch, plug the firewall into the switch and tell it what IPs to route as I implement the solution.

Make any sense?

csco11029214 Fri, 12/14/2007 - 04:33

Hi Brian,

As far as what I think, the ASA also acts as a routing device so it cannot be configured after an already routed network consisting of hosts with global IP addresses. If the firewall is to be deployed, it has to be made as the gateway for the hosts behind it. Individual hosts can be added to its internal interface but not on the network/switch the hosts are already connected to the Ethernet through. I am in the same situation just like you and I do not want to change the addresses of current hosts when I deploy the firewall before them, but I am still awaiting assistance from the senior techies for my issue as well.


hwknight53 Fri, 12/14/2007 - 04:46

I think that you have two choices.

1. Use an ASA in Transparent mode. Then the servers could continue to use their current public addresses.

2. Use the ASA in Routed mode and use a different static NAT for each server. For instance, move behind the ASA, assign it a private IP address, and create a static NAT entry that maps that private IP address to
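
An added configuration sketch of the routed-mode option above; it is not from any poster in this thread. It assumes pre-8.3 ASA syntax (the thread dates from 2007), the interface names `outside` and `inside`, and constructed documentation addresses (192.0.2.0/24 public, 10.0.0.0/24 private) in place of the real ones.

```cisco
! Outside interface keeps a single address in the public block (constructed).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
! Inside interface is the gateway for servers already moved behind the ASA.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Default route toward the data center's gateway (constructed address).
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! Day 1: first server moved. The ASA answers ARP on the outside for
! 192.0.2.10 (proxy ARP for the static) and translates it to 10.0.0.10.
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
!
! Day 2: second server moved. One more static line, nothing else changes.
static (inside,outside) 192.0.2.11 10.0.0.11 netmask 255.255.255.255
!
! Permit only the services each migrated server actually publishes.
! Everything not listed is dropped by the implicit deny at the end.
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_in extended permit tcp any host 192.0.2.10 eq https
access-list outside_in extended permit tcp any host 192.0.2.11 eq smtp
access-group outside_in in interface outside
```

Servers not yet migrated stay on the switch with their public addresses and are unaffected until their own `static` line is added. After each move, the upstream router may still hold the server's old MAC address in its ARP cache for that public IP, so the address can be unreachable until the entry ages out or is cleared.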


