Secondary IP address in ASA5510/PIX515e

Unanswered Question
Mar 9th, 2010

Hi All,

Just want to know if there is a way to configure a secondary IP address on the outside/public interface of an ASA/PIX.

One of our clients has used most of the IPs on the subnet given by their ISP. They use those IPs for static mapping to servers inside their local LAN. Thus, they requested another block/subnet from their ISP. They will also use this for static mapping/port forwarding to other servers in their network. The current UTM they are using allows this, but they would like to use an ASA/PIX as their main firewall. Is this even possible, or is there a workaround for this kind of scenario?

Many Thanks!

Jon Marshall Wed, 03/10/2010 - 03:15

Pix/ASA firewalls do not support using secondary addressing on an interface. However the good news is that they don't need to.

As long as the ISP routes the new block of IP addresses to the outside interface of your firewall, then you simply use the new block of IPs as you have the existing block, i.e. you set up static translations and allow access via the access-list.

The new IP block does not actually have to be allocated to an interface.
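
The setup described in the reply above, sketched as a configuration fragment. This is an added example, not part of the original reply; it uses the pre-8.3 `static` syntax, and every address, the ACL name `OUTSIDE_IN` and the choice of services are constructed assumptions.

```cisco
! Constructed example values (not from the thread):
!   new ISP-routed block : 203.0.113.0/29 (documentation range)
!   inside servers       : 192.168.10.21 (web), 192.168.10.25 (mail)
!   ACL name             : OUTSIDE_IN (assumed)
! No interface carries an address from 203.0.113.0/29. The ISP routes the
! block to the firewall's existing outside address, so nothing is added
! under the interface configuration.

! One-to-one static translation: a public address from the new block
! mapped to the inside web server
static (inside,outside) 203.0.113.2 192.168.10.21 netmask 255.255.255.255

! Port forward: only TCP/25 on a second address from the new block
static (inside,outside) tcp 203.0.113.3 smtp 192.168.10.25 smtp netmask 255.255.255.255

! Permit only the published services, matched on the translated (public)
! address; everything else to the new block stays denied
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.2 eq https
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq smtp

! Only one inbound ACL can be bound per interface: if one is already
! applied to outside, add the permit lines to that ACL instead of
! binding a new one
access-group OUTSIDE_IN in interface outside

! Checks after applying:
!   show xlate                  (the static translations are listed)
!   show access-list OUTSIDE_IN (hit counters rise on matching traffic)
```

From software version 8.3 onward the NAT syntax is object-based (`object network` with `nat (inside,outside) static`) and interface ACLs match the real inside address rather than the translated one, so the fragment needs adapting there.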


oyd110380 Wed, 03/10/2010 - 18:06

Thanks for your response, Jon. Will just verify with the ISP then. Really appreciate it!

I have a situation like this one. I get the routing part, but if I want to use the firewall as a VPN head end, how do I make it such that the firewall outside interface can be in the range of new ISP IPs? How can I make the outside interface accessible over the internet if I have 2 ranges?



