ASA 5540 internal secondary address possible?

Unanswered Question
Jan 3rd, 2010

Is it possible to add a secondary address to an internal interface in order to combine two internal LANs on the same physical one, like you can do with most L3 routers?

Thanks,  Roger

YANGCCIE4 Sun, 01/03/2010 - 08:48

Hi,

> Is it possible to add a secondary address to an internal interface

Do you mean to a PC or a server NIC? Yes, we can set a second IP address for the other LAN.

> in order to combine two internal LANs on the same physical one, like you can do with most L3 routers?

hope it helps

Yang

rwiechman Sun, 01/03/2010 - 09:20

On a traditional router, you can do this to have a shared LAN:

interface g0/0
  ip address 10.10.10.1 255.255.255.0
  ip address 10.20.20.1 255.255.255.0 secondary

allowing hosts using either address range to use the same routed interface, and share the same physical LAN.

I don't see any way to do something similar with an internal ASA interface, which would be very helpful to expand the size of an internal network.

Roger

YANGCCIE4 Sun, 01/03/2010 - 09:55

Can we use a sub-interface instead of one interface with a second IP address?

I guess it would be clearer for the network design, right?

hope it helps

Yang

rwiechman Sun, 01/03/2010 - 10:33

Well, a sub-interface is a fully functional second LAN. This is not what I need to accomplish my intended use.

Roger

vilaxmi Sun, 01/03/2010 - 13:40

Hello,

Cisco ASAs are not designed to support secondary addresses at this point.

May the developers see the customer's demands online.

HTH

Vijaya

Kureli Sankar Mon, 01/04/2010 - 05:40

People with this requirement point the route to the interface IP, in which case the FW will ARP for the destination IP.

Please read the command reference here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/qr.html#wp1767323

If the route command uses the IP address from one of the interfaces on the security appliance as the gateway IP address, the security appliance will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address.

-KS
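
The workaround described in the reply above, written out as an added example (not part of the original thread or of Cisco's documentation). The interface name `GigabitEthernet0/1`, the `inside` nameif and security level, and the reuse of the 10.10.10.0/24 and 10.20.20.0/24 ranges from the router example earlier in the thread are assumptions.

```cisco
! Added example; interface name, nameif and addressing are assumptions.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Second address range on the same physical LAN. The gateway given here
! is the ASA's own inside address, so, per the command reference quoted
! above, the ASA ARPs for each destination host in 10.20.20.0/24 on this
! segment instead of ARPing for a gateway address.
route inside 10.20.20.0 255.255.255.0 10.10.10.1
```

After applying it, `show route` should list the static entry and `show arp` should show the second-range hosts resolved on `inside`.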
