How to configure 2 external IPs on ASA Outside Interface

May 12th, 2009

I need to have two external ip addresses configured on the ASA Outside interface. Both ip addresses will be on the same subnet and one will have VPNs terminated on it. I know it would be easier to just terminate everything on a single IP, but I have VPN peers that simply refuse to change the IP address on their side of the tunnel.


Is there a "secondary" ip address command or something similar that will enable me to do this?

Jon Marshall Tue, 05/12/2009 - 14:27
Jim


As far as I know, the ASA does not support secondary addressing, but even if it did it probably still wouldn't work, as you are trying to apply two addresses from the same subnet.


Is there a reason you can't just stick with the IP address that is used for the VPN peers?


Jon

jim_berlow Tue, 05/12/2009 - 14:44

Thanks, Jon. That is what I needed to know (back to the drawing board).


Two IP addresses on the outside would have helped me with a political issue (one group insists on one IP and another group already has their VPNs terminated on a different IP). As you can probably guess, no one wants to budge and they definitely don't want to share an IP.

Jon Marshall Tue, 05/12/2009 - 14:46
Jim


How about charging the most unreasonable group for a new ASA :-)


Jon

darkbeatzz Fri, 05/15/2009 - 08:09

What about splitting up the subnet you have? If you have another interface/VLAN you can use, give it that IP.

Richard Burts Fri, 05/15/2009 - 12:35
Jim


Perhaps it is possible to satisfy both groups. The VPN peer needs to be the interface address, and I do not know of any way around that. But I am not convinced that the second address for the second group needs to also be an interface address. You can use the second address in the subnet for address translation without it being an interface address. You just use that address in an address pool and translate traffic from the second group using that pool address.


Looks to me like both groups can feel like they won: the VPN works using the address that they do not have to change, and the traffic from the second group uses "their" address when it goes to the Internet.


HTH


Rick

Patrick Laidlaw Fri, 05/15/2009 - 17:28

Rick I was going to suggest that very same thing.

Richard Burts Sat, 05/16/2009 - 13:32
Patrick


I am glad that we both believe that this may be a solution for Jim. I look forward to a response from him telling us whether this does resolve his issue.


HTH


Rick

lpassmore Wed, 06/03/2009 - 15:58

I'm really sorry for hijacking this thread but I, too, am interested in Jim's feedback on whether this worked or not.


I will have a very similar requirement, so I would like to understand how it works. Am I right in thinking that a destination NAT rule inside the ASA can redirect the VPN packets to any ASA interface address?


Or I could, in theory, configure the DMZ interface for VPN termination and have packets destined for the DMZ interface enter the ASA through the Outside interface?


Again, sorry for the interruption, but as this is related I thought it better to keep this topic going rather than create a new one.

Thanks

LP

Kureli Sankar Thu, 06/04/2009 - 11:42

Two groups.


One group's purpose is vpn termination on the ASA.


What is the other group intending to do? It is not clear.


If they want to translate everyone on the inside to look like another IP on the outside, then it is very simple: nat/global to a different IP, or a static 1-1 if it is a server that they would like to reach from the Internet.


Pls. clarify on the second group's requirement.
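The pool-translation approach Rick describes above, and the nat/global versus static 1-1 choice Kureli raises, as an added configuration sketch that is not from any poster in this thread. It uses the pre-8.3 ASA nat/global syntax current in 2009; every address is a constructed placeholder from the RFC 5737 documentation ranges, and the interface, ACL and crypto map names are assumed.

```cisco
! Added illustration, not configuration posted in this thread.
! All addresses are constructed placeholders (RFC 5737 ranges);
! object, ACL and crypto map names are assumed.
!
! The outside interface keeps the one address the existing VPN
! peers already point at. No secondary address is configured.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Group 1 (10.1.1.0/25) is PATed behind the interface address.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.128
!
! Group 2 (10.1.1.128/25) is PATed behind 203.0.113.20, a second
! address in the outside subnet that is never bound to an interface.
! The ASA answers ARP for this global address on the outside segment,
! so the upstream router reaches it without any extra configuration.
global (outside) 2 203.0.113.20 netmask 255.255.255.255
nat (inside) 2 10.1.1.128 255.255.255.128
!
! If group 2 instead has a server that must be reachable from the
! Internet, a static 1-1 translation on a further spare address
! (not the PAT address above) exposes just that host.
static (inside,outside) 203.0.113.21 10.1.1.200 netmask 255.255.255.255
!
! Traffic for the site-to-site tunnel is exempted from translation
! so it reaches the peer with its real inside addresses.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! The tunnel still terminates on the interface address 203.0.113.10;
! the rest of the IPsec configuration (transform set, tunnel-group,
! isakmp policy) is unchanged and omitted here.
crypto map OUTSIDE_MAP interface outside
```

After applying this, `show xlate` should list group 2 connections with 203.0.113.20 as the global address while `show crypto isakmp sa` still shows the peer bound to 203.0.113.10.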

