configure ASA secondary address

Apr 2nd, 2009


I got a second block of IP addresses, and I need to configure my ASA to support a second address.

I know that on a Cisco router that is supported and easy to deploy, but on the ASA I have some trouble making it work.

Please can you help me with this?

Jon Marshall Thu, 04/02/2009 - 04:33

You don't need a secondary address on the ASA.

Let's say that your ISP has allocated you a new block. When they allocate these addresses they will ensure they route them to the outside interface of your ASA. So anyone trying to get to one of those addresses will end up at the ASA.

You simply use the new addressing in NAT statements on the ASA, e.g.

static (inside,outside) netmask

Allow access to the address in your outside ACL and it will all work fine.


mezgani.ali Thu, 04/02/2009 - 04:53

I don't use NAT, well, my firewall is in router mode.

On my outside interface I have a private IP address like and the first block of public addresses is assigned to my inside interface eth0/1.

Well, I've created VLAN 1 on eth0/1.1, I assigned the second block of addresses to it, and I added a static ARP entry for this VLAN.

But that is still not working.

Richard Burts Thu, 04/02/2009 - 08:09


I am a bit confused about your environment and your requirements. Like Jon I assumed that the way to use the addresses was to translate. But if I am understanding correctly your response you are not translating addresses but have the public addresses used directly on PCs or servers in your network. If that understanding is correct and if you want to do this also with the new address block, then it would make sense to create a VLAN interface and assign the new address on the VLAN interface.

If you have created a VLAN interface on the ASA, have you also created the corresponding VLAN on the switch to which the ASA connects? And do you have hosts in the VLAN with addresses configured from the new address block?



John Blakley Thu, 04/02/2009 - 08:18

"On my outside interface I have a private IP address like and the first block of public addresses is assigned to my inside interface eth0/1."

This sounds backwards to me. What is the gateway that your hosts use? The public address that's assigned or the private address of Do you have any other devices in front of the ASA like a router?



mezgani.ali Thu, 04/02/2009 - 08:25

My hosts use the public address of my firewall as their default gateway; it is not a private one like, as I said my firewall is in router mode.

And in front of the ASA I have the supplier's router with a private address

mezgani.ali Thu, 04/02/2009 - 08:22

Thank you for the reply,

I've created a VLAN interface on the ASA but not on the switch.

And about hosts, yes, I've already configured some servers with the new addresses.

Richard Burts Thu, 04/02/2009 - 08:29


Thank you for the additional information. If you have associated the new address block with the VLAN interface on the ASA then the VLAN needs to be configured on the switch and the hosts with the new addresses need to be in that VLAN. This would be a requirement to get the new addresses to work in the approach that you have started.

Without hosts in that VLAN and without that VLAN configured on the switch then it cannot work.
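
The two sides of the setup described in the reply above, as an added configuration sketch that is not part of the original thread or any poster's actual configuration. The VLAN ID 20, the names `servers2` and `outside_in`, the switch port numbers and the 203.0.113.16/28 block (a documentation range) are assumptions chosen for illustration.

```cisco
! --- ASA, routed mode, no NAT (all values below are constructed) ---
! The physical port must be up for the tagged subinterface to pass traffic.
interface Ethernet0/1
 no shutdown
!
! Subinterface carrying the new block as 802.1Q-tagged VLAN 20.
interface Ethernet0/1.1
 vlan 20
 nameif servers2
 security-level 50
 ip address 203.0.113.17 255.255.255.240
!
! Traffic from outside to the new block still needs an explicit permit.
! If an ACL is already bound to the outside interface, add the entry to
! that ACL instead of binding a new one.
access-list outside_in extended permit tcp any host 203.0.113.18 eq 443
access-group outside_in in interface outside
!
! --- Switch (Catalyst IOS); Gi0/1 faces ASA Ethernet0/1 ---
! The VLAN must exist on the switch, or tagged frames are dropped.
vlan 20
 name SERVERS2
!
! Trunk toward the ASA. The encapsulation line is only needed on
! platforms that also support ISL.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,20
!
! Access port for a server addressed from the new block; the server's
! default gateway is the subinterface address 203.0.113.17.
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 20
```

`show interface Ethernet0/1.1` on the ASA and `show interfaces trunk` on the switch confirm that the subinterface is up and that VLAN 20 is active on the trunk.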



mezgani.ali Thu, 04/02/2009 - 08:52

As you say, Rick, maybe the problem is between the switch that may contain the VLAN and the ASA.

But I am still not able to ping the VLAN from the outside interfaces. I think that I don't need to set the VLAN there.

