Multiple external IP subnet on ASA5505

Answered Question
Sep 15th, 2010

Hi

I have a need to configure a Cisco ASA5505 to support multiple external (public) IP subnets and then translate certain ports to internal services (443, 80 etc). Currently the firewall is set up with an external range and is working fine; however, the service provider has now routed an additional new range to one of the existing IPs. For example (using private IPs):

External interface IP = 192.168.0.1/24, with static route to 192.168.0.254/24 for all outbound traffic (ISP gateway).

New subnet of 10.0.0.0/24 being routed to 192.168.0.1

The service provider has assured me that this configuration is possible and that the device on 192.168.0.1 should be able to listen for the 10.0.0.0/24 range on the outside adaptor. Unfortunately they are a Juniper house and don't have the expertise to explain to me the config required.

The feed is supplied on a single CAT5 network connection into a switch and I have read some Cisco docs on enabling a second 'outside' and adding it to the external VLAN, but the example provided is based on a second separate feed into the firewall and not a routed subnet to the existing feed.

Any help on the config would be much appreciated.

Dan

Correct Answer
Jennifer Halim Wed, 09/15/2010 - 05:38

There is no need to configure another external interface on the ASA.

All the ISP needs is to route the new range of 10.0.0.0/24 towards the ASA outside interface (192.168.0.1), and you can start using that new IP range for NATing. ASA will proxy ARP for the new IP range as well.

Example:

If you are going to NAT an internal host on the inside interface (172.16.1.1) to the new range of IP, i.e. to 10.0.0.1, then all you need is to configure the static translation:

static (inside,outside) 10.0.0.1 172.16.1.1 netmask 255.255.255.255

Hope that helps.
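
Added example, not part of the original reply: the question asks for specific ports (443, 80) to be translated to internal services, so this shows the port-level (static PAT) form of the same approach with a matching inbound ACL, in the pre-8.3 syntax the reply uses. The inside hosts 172.16.1.10 and 172.16.1.11, the mapped addresses 10.0.0.10 and 10.0.0.11, the ACL name OUTSIDE-IN and the test source 198.51.100.25 are assumptions for illustration.

```cisco
! Added example. Pre-8.3 ASA syntax, matching the static command in the reply.
! Assumed values (not from the thread): inside hosts 172.16.1.10/.11,
! mapped addresses 10.0.0.10/.11 from the routed 10.0.0.0/24,
! ACL name OUTSIDE-IN.

! Static PAT: publish only the required ports rather than the whole host,
! so nothing else on the server becomes reachable through the translation.
static (inside,outside) tcp 10.0.0.10 443 172.16.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp 10.0.0.10 80 172.16.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 10.0.0.11 443 172.16.1.11 443 netmask 255.255.255.255

! A translation alone passes no inbound traffic; the outside ACL must
! permit it. In pre-8.3 code the ACL matches the mapped (10.0.0.x) address.
access-list OUTSIDE-IN extended permit tcp any host 10.0.0.10 eq 443
access-list OUTSIDE-IN extended permit tcp any host 10.0.0.10 eq 80
access-list OUTSIDE-IN extended permit tcp any host 10.0.0.11 eq 443

! Only one inbound ACL can be bound per interface. If the outside interface
! already has an access-group, add the permit lines to that ACL instead of
! applying this command, which would replace the existing binding.
access-group OUTSIDE-IN in interface outside

! Verification (privileged EXEC, not configuration mode):
! list the active translations
show xlate
! check hit counters on the new ACL entries
show access-list OUTSIDE-IN
! simulate an inbound HTTPS connection from a constructed outside source
packet-tracer input outside tcp 198.51.100.25 40000 10.0.0.10 443
! simulate a port that was not published; the expected result is a drop
packet-tracer input outside tcp 198.51.100.25 40000 10.0.0.10 22
```

On ASA 8.3 and later the NAT syntax is different and ACLs reference the real (inside) address, so these lines do not carry over unchanged.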

danny.williams Wed, 09/15/2010 - 06:56

Thanks very much for the prompt reply.

Your answer ties in with what the ISP suggested would work, so sounds like the answer.

Regards

Dan
