Two public subnets cisco asa 5520

Jan 18th, 2010

I just received a second block of IP addresses from my ISP and I would like to configure the Cisco ASA 5520 to use both. The current setup is as follows:


interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.224 (this is not the real IP range)


----------------------------------------


then there is a global outside statement:


global (outside) 1 1.1.4 netmask 255.255.255.224


-----------------------------------------------------------------------


I received a second IP address block from our ISP and it's on a different subnet. How can I integrate this second range? Any ideas?

Kureli Sankar (Cisco Employee) Mon, 01/18/2010 - 12:18

ASA/PIX does not allow a secondary IP address on the interface like routers do.


You can add/use this new block of addresses as globals and statics as usual on the firewall, just like the ones that you have. The question is which route will the packets take? You can only have one default route pointing to one interface. Will both the ISPs route for both blocks of IPs?


What is the reason for dual ISP? Load Balance or redundancy?


If it is load balancing, you need another layer 3 device like a router and you can do PBR on that.

This has been discussed previously in the following thread:


https://supportforums.cisco.com/message/894921


If it is redundancy, then you can do route tracking on the ASA.


ASA route tracking:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


-KS

marramix01 Fri, 01/22/2010 - 09:50

Thanks for the answer... Oh, let me clarify: the two IP address blocks are from one ISP. I have contacted them already and the PE router is ready to route both IP address blocks. So, I think what you are suggesting is to add another global command with the new IP address block and then just add statics for the 'one to one' translation... using the new IP address block range... right? And of course the appropriate ACL statements as well.


Thanks again,


marramix01

trippi Fri, 01/22/2010 - 14:53

Yes, all you have to do is create a one-to-one NAT mapping if you want to use them on a server, or a dynamic NAT to a global if you want to use it that way.

If you run your own router outside your ASA you will need to add an IP in the new subnet as a secondary IP on your inside interface.
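As an added example (not configuration from the thread), this is how the two suggestions above fit together in the pre-8.3 global/static NAT syntax the question uses. 2.2.2.0/27 stands in for the new public block and 10.0.0.0/24 for the inside network; both are placeholders.

```cisco
! Added example, not from the thread. All addresses are placeholders.
!
! Existing block 1.1.1.0/27: lives on the outside interface and feeds pool 1.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.224
!
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 1.1.1.4 netmask 255.255.255.224
!
! New block 2.2.2.0/27 is NOT configured on the interface (the ASA has no
! secondary addresses). The ISP PE router must route 2.2.2.0/27 to 1.1.1.2,
! which the poster says it already does; the ASA then translates for it.
!
! Option A: dynamic NAT. A second global with the same NAT ID extends pool 1;
! the ASA hands out pool addresses before falling back to any PAT address.
global (outside) 1 2.2.2.3-2.2.2.30 netmask 255.255.255.224
!
! Option B: one-to-one static for a server, as suggested in the replies.
static (inside,outside) 2.2.2.10 10.0.0.10 netmask 255.255.255.255
!
! A static by itself exposes nothing: inbound traffic from the outside (lower
! security level) still needs an explicit permit on the outside ACL, scoped
! to the service the host actually offers rather than "permit ip any host".
access-list outside_access_in extended permit tcp any host 2.2.2.10 eq 443
access-group outside_access_in in interface outside
!
! Checks after applying:
!   show xlate                  -> translations for 2.2.2.x appear
!   show run | include global|static|access-group
```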

vilaxmi (Cisco Employee) Mon, 01/18/2010 - 20:27

Hello,


So you mean to say that you need to use your second ISP ALONG with your primary ISP? If that is the case, then sorry, Cisco ASA cannot do Policy Based Routing. Please check:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#pbr


For the above scenario you can use routers. Make sure your ISP will route for both blocks of IPs.


But, if you wish to use the second ISP just as a backup, then the ASA can handle that, using the route tracking feature as per the sample scenario below:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


I hope this is what you mean by integrating the second block of IP addresses into the first one.


HTH


Vijaya
