09-15-2010 05:14 AM - edited 03-11-2019 11:40 AM
Hi
I have a need to configure a Cisco ASA5505 to support multiple external (public) IP subnets and then translate certain ports to internal services (443, 80 etc). Currently the firewall is set up with an external range and is working fine, however the service provider has now routed an additional new range to one of the existing IPs. For example (using private IPs):
External interface IP = 192.168.0.1/24, with static route to 192.168.0.254/24 for all outbound traffic (ISP gateway).
New subnet of 10.0.0.0/24 being routed to 192.168.0.1
The service provider has assured me that this configuration is possible and that the device on 192.168.0.1 should be able to listen for the 10.0.0.0/24 range on the outside adaptor. Unfortunately they are a Juniper house and don't have the expertise to explain to me the config required.
The feed is supplied on a single CAT5 network connection into a switch and I have read some Cisco docs on enabling a second 'outside' and adding it to the external VLAN, but the example provided is based on a second separate feed into the firewall and not a routed subnet to the existing feed.
Any help on the config would be much appreciated.
Dan
09-15-2010 05:38 AM
There is no need to configure another external interface on the ASA.
All the ISP needs is to route the new range of 10.0.0.0/24 towards the ASA outside interface (192.168.0.1), and you can start using that new ip range for NATing. ASA will proxy ARP for the new ip range as well.
Example:
If you are going to NAT an internal host on the inside interface (172.16.1.1) to the new range of IP, i.e. to 10.0.0.1, then all you need is to configure the static translation:
static (inside,outside) 10.0.0.1 172.16.1.1 netmask 255.255.255.255
Hope that helps.
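Added example, not part of the original reply: the question asks for specific ports (443, 80) to be published, so this sketch uses port-level static PAT plus a matching outside ACL instead of mapping the whole host one-to-one. It assumes ASA software earlier than 8.3 (the same `static` syntax as the reply); `OUTSIDE_IN` is a hypothetical ACL name and the addresses are the thread's own examples.

```cisco
! Assumption: pre-8.3 ASA software, same "static" syntax as the reply above.
! 10.0.0.1 / 172.16.1.1 are the thread's example addresses.
! OUTSIDE_IN is a hypothetical ACL name.

! Publish only HTTPS and HTTP on 10.0.0.1 (static PAT) rather than
! translating every port of the internal host.
static (inside,outside) tcp 10.0.0.1 443 172.16.1.1 443 netmask 255.255.255.255
static (inside,outside) tcp 10.0.0.1 80 172.16.1.1 80 netmask 255.255.255.255

! Before 8.3, an ACL applied inbound on the outside interface matches the
! translated (public) address, not the real inside address.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.1 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.1 eq 80

! Only one inbound ACL can be bound per interface. If the outside interface
! already has one, add the two permit lines to that ACL instead of
! issuing this access-group command, which would replace the binding.
access-group OUTSIDE_IN in interface outside
```

With a one-to-one `static`, the outside ACL is the only control limiting which ports of the internal host are reachable; the port-level form narrows the translation itself as well.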
09-15-2010 06:56 AM
Thanks very much for the prompt reply.
Your answer ties in with what the ISP suggested would work, so sounds like the answer.
Regards
Dan