New IP Block Assigned - need help Implementing.

Answered Question
Dec 18th, 2009

First, a brief summary of how we got to where we are. Our current internet connection comes in via a 10Mb ethernet handoff. This circuit is terminated on our Cisco 5520 ASA (outside int). When we got this circuit the IP block assigned was just a 2 host (/30) block and that was fine when we started. Now we have recently had the need to have a couple of public IPs accessible, so we contacted the ISP and we were told they assigned us an additional /29 block and are "routing it to our circuit". The problem is, I have no idea how to implement this to use these new IPs. My end goal is to be able to use IPs in the "new" IP block and NAT them to 2 different hosts on the inside network. How can I do this on the ASA?

My initial thought was to create a sub-interface off of the outside int but I was told that it wouldn't accomplish my goal due to the ASA not being able to do asymmetrical routing.

Let's use these IPs as an example:

ASA 5510

outside (  /30)

inside ( /24)

New IP Block ( /29)

How do I implement a NAT that translates to and allows external hosts to hit my internal host via port 80?

This is what I came up with, but I'm unsure what else is needed due to it being a separate subnet from the outside int.

static (inside,outside) netmask
access-list acl_outside extended permit tcp any host eq www

access-group acl_outside in interface outside

Please help and sorry if this is unclear.

Correct Answer
acomiskey Fri, 12/18/2009 - 10:38
User Badges:
  • Green, 3000 points or more

You don't need to do anything else. You have it right. There is no need to have a subinterface. As long as the ISP is routing the new subnet to your firewall address, you are good to go.
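A worked configuration for the setup this answer endorses, added here as an example and not the poster's or the answerer's config. The addresses are RFC 5737 documentation ranges standing in for the elided ones, and the syntax is the pre-8.3 `static` form used in the question:

```cisco
! Constructed example (not from the thread). Pre-8.3 ASA syntax, as in the question.
! Assumed addresses (RFC 5737 documentation ranges):
!   outside /30 : 198.51.100.2/30   (ASA outside; 198.51.100.1 is the ISP router)
!   inside  /24 : 192.168.1.0/24
!   new /29     : 203.0.113.8/29    (routed by the ISP to 198.51.100.2)
!   host A      : 192.168.1.10 -> public 203.0.113.10
!   host B      : 192.168.1.20 -> public 203.0.113.11
!
! No interface, subinterface or route is needed for 203.0.113.8/29: the ISP already
! forwards that block to the outside address, so the ASA only has to translate and permit it.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! One-to-one statics from the routed block to the two inside hosts
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.1.20 netmask 255.255.255.255
!
! Permit only the published service; everything else to these addresses stays denied
access-list acl_outside extended permit tcp any host 203.0.113.10 eq www
access-list acl_outside extended permit tcp any host 203.0.113.11 eq www
access-group acl_outside in interface outside
!
! Verification from the ASA CLI (exec mode):
!   show xlate                   -> the two static translations should be listed
!   show access-list acl_outside -> hitcnt increments as outside hosts connect
!   packet-tracer input outside tcp 192.0.2.50 40000 203.0.113.10 80
!                                -> expect UN-NAT to 192.168.1.10 and result ALLOW
```

The `packet-tracer` run is the quickest way to confirm the answer's point before any real client tries: if the ISP really does route the /29 to the outside address, a simulated packet for 203.0.113.10 is un-translated to the inside host and allowed with no further configuration.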

erxengineer Fri, 12/18/2009 - 10:40

Thank you, I will give the above a shot then.  It just seemed like I would need something else to define that new subnet on the ASA.


erxengineer Fri, 12/18/2009 - 10:45

I do have one other question regarding this implementation. As described above I will be applying the "acl_outside" ACL to my outside int. Currently I do not have an ACL applied on that interface. Once I apply it, will it cause problems for the current IPsec L2L tunnels I have configured on there? I seem to remember that I may need to allow a few ports from my VPN peers to my outside if I apply that ACL, to allow the tunnels to establish.

Is that a correct assumption?

If so, what would I need to allow?  isakmp? and ?

Thanks again!

acomiskey Fri, 12/18/2009 - 11:08
User Badges:
  • Green, 3000 points or more

No, it will not cause issues.

Without an ACL on the outside interface, all traffic is denied by default anyway, so adding statements to permit traffic will not affect your VPNs. The exception here is when you have "sysopt connection permit-vpn" enabled, which it most likely is; in that case all VPN traffic will bypass any interface ACLs you have created.
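How to check the bypass this answer relies on, and what the ACL would need if it turned out to be disabled; added here as an example, not part of the thread. The outside, peer and remote-network addresses are constructed (RFC 5737 / RFC 1918 ranges):

```cisco
! Constructed example (not from the thread). Pre-8.3 ASA syntax.
! 1. Confirm the bypass is enabled before applying acl_outside:
!      show running-config all sysopt
!    Expected line: "sysopt connection permit-vpn"
!    ("no sysopt connection permit-vpn" means VPN traffic IS subject to interface ACLs)
!
! 2. Only if the bypass is disabled, permit the tunnel control and data traffic
!    from each L2L peer to the outside address. Assumed addresses:
!      outside address : 198.51.100.2
!      VPN peer        : 192.0.2.1
access-list acl_outside extended permit udp host 192.0.2.1 host 198.51.100.2 eq isakmp
access-list acl_outside extended permit udp host 192.0.2.1 host 198.51.100.2 eq 4500
access-list acl_outside extended permit esp host 192.0.2.1 host 198.51.100.2
!
! 3. With the bypass disabled, decrypted traffic arriving through the tunnel is also
!    checked against acl_outside, so the remote network (assumed 10.20.0.0/24) must be
!    permitted to the inside destinations it is meant to reach:
access-list acl_outside extended permit ip 10.20.0.0 255.255.255.0 192.168.1.0 255.255.255.0
```

Step 1 is the one to run in practice; with the bypass enabled (the default), steps 2 and 3 are unnecessary and adding them only widens the outside ACL.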

erxengineer Fri, 12/18/2009 - 12:57

Ok, a new challenge has surfaced. I made the above changes and configured the NAT and ACL etc. All of that is fine, and the ACL takes hits when I try to browse to that new NAT'd IP. However, I never get a response and it times out. I have figured out why, but am unsure how to get around it.

We have two firewalls, and two different internet connections:

ASA-1 (from above) - this is where we terminate all of our IPsec VPNs

ASA-2 - this is used strictly for internet access/traffic

ASA-1 is where our new IP block is assigned.   The problem is, ASA-1 is not our default route out to the internet.

On our CORE LAN ROUTER the default route is out ASA-2.

Given that info and the scenario above, I am assuming the traffic is getting in through ASA-1 fine, but is then being sent out ASA-2 via the default route.

Is there a way around this, or do I need to either:

a. use ASA-1 for internet traffic and the default route, or

b. request an IP block from the ISP on ASA-2 and do my statics on there?

c. Or is there a way to make it work as we have it set up now?
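A way to confirm the asymmetric-path diagnosis given in this post from each device, added here as an example and not part of the thread. Addresses follow the constructed scheme above (inside host 192.168.1.10, public 203.0.113.10, outside client 192.0.2.50):

```cisco
! Constructed example (not from the thread). Read-only show commands, nothing is changed.
!
! On ASA-1: the inbound SYN builds a connection, but no reply ever traverses it.
!   show access-list acl_outside          -> hitcnt rising on the host 203.0.113.10 line
!   show conn address 192.168.1.10        -> embryonic TCP conn from 192.0.2.50, never completes
!
! On the core LAN router: the reply to 192.0.2.50 follows the default route toward ASA-2.
!   show ip route 0.0.0.0                 -> gateway of last resort is the ASA-2 inside address
!
! On ASA-2: the SYN/ACK from 192.168.1.10 arrives with no matching connection and is dropped.
!   show logging | include 106015
!   -> %ASA-6-106015: Deny TCP (no connection) from 192.168.1.10/80 to 192.0.2.50/...
!      flags SYN ACK on interface inside
```

Seeing the 106015 denial on ASA-2 for the web server's replies, while ASA-1 only ever holds half-open connections, is the stateful-firewall signature of the return path leaving through the wrong firewall.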


