Secondary IP address in ASA5510/PIX515e

Unanswered Question
Mar 9th, 2010

Hi All,

Just want to know if there is a way to configure secondary IP address on the outside/public interface of ASA/PIX.

One of our clients have used most of their IP on the subnet given by their ISP. They use those IP's for statically

mapping to Servers inside their local LAN. Thus, they requested another block/subnet from their ISP. They will also

use this for static mapping/port forwarding to other servers in their network. The current UTM they are using is allowing this

but they would like to use ASA/PIX as their main Firewall. Is this even possible or is there

a workaround for this kind of scenario?

Many Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Wed, 03/10/2010 - 03:15


Pix/ASA firewalls do not support using secondary addressing on an interface. However the good news is that they don't need to.

As long as the ISP routes the new block of IP addresses to the outside interface of your firewall then you simply use the new block of IPs as you have the existing block ie. you set up static translations and allow access via the access-list.

The new IP block does not actually have to be allocated to an interface.


oyd110380 Wed, 03/10/2010 - 18:06

Thanks for your response jon. Will just verify with the ISP then. Really Appreciate it!


This Discussion