Cisco ASA 5510 Two public IP subnets

Answered Question
Sep 1st, 2011


I just got an extra public subnet from our ISP (co hosting center)

But I can't figure out how to use them on my ASA.


IP addresses: -

Default gateway:



IP addresses: -

Default gateway:



route wan 1

And statics like:

static (interface,wan) tcp 3389 3389 netmask

Hope you understand :-)


Correct Answer
Collin_Clark Thu, 09/01/2011 - 07:32


Your ISP will route the new route to your link. You do not need to assign the new IP to any interface. You can create statics using the new address space and it will work because of the ISP sending the route down to you.


static (interface,wan) tcp 80 80 netmask

kimilisecco Thu, 09/01/2011 - 08:38

Thanks for your fast reply!

Maybe they don't because I have tried that?

And create a dynamic NAT for outgoing traffic:

global (wan) 9 netmask

nat (local-interface) 9

anchacko Thu, 09/01/2011 - 07:33

Hi Kim,

The new route would be:

route wan 1

The static would be:

static (interface,wan) tcp 3389 3389 netmask

The outside IP address of the ASA will be:

ip address

Hope this helps!



Collin_Clark Thu, 09/01/2011 - 07:35

Note this is an additional address space, Kim is not replacing her current one.

kimilisecco Thu, 09/01/2011 - 09:23

Collin Clark is right, I'm not going to replace my addresses.

But I'm not a female

ulrikth74 Thu, 09/01/2011 - 13:44

I will listen in on this discussion as we have a similar problem.

We have an ASA with two public IP net. We are a RIPE LIR so we have a little more "control" over assigning the IP net.

Basically we made two IP net in our edge router. Each IP net is forwarded to the ASA on two different VLANs. We have made two outside interfaces on the ASA - one for each IP net (VLAN).

It is no secret that the ASA only supports one default gateway, so we route all traffic to the default gateway in the ASA. But when we do static NAT for a server on the second IP net, we would like the server to access the Internet with the static IP. For now, we didn't have success from the server to the Internet. But we can access the server from the outside on the static IP with e.g. RDP. So, there is some kind of traffic one way.

This is probably a NAT or routing issue because if we set the server to DHCP we have Internet access in and out immediately (of course on the default gateway).

Collin_Clark Thu, 09/01/2011 - 13:55


You want to do Policy Based Routing (PBR), but the ASA doesn't support that yet (I heard it is coming though). The problem is that the server wants to use the default gateway instead of the static out your second subnet. You need a way to tell it to use that one instead of the default gateway.

ulrikth74 Thu, 09/01/2011 - 14:16

Hi Collin.

That would be very nice if Cisco implemented PBR on the ASA platform

Actually we are in dialog with TAC, who say it should be possible. They made some configuration today. A packet tracing and capture showed it should work as we wanted - but it didn't. I had to leave our office so we couldn't test more, but will continue on Monday.


Sent from Cisco Technical Support iPhone App

kimilisecco Thu, 09/01/2011 - 23:14

Output from:

packet-tracer input local-interface tcp 5000 5000


input-interface: local-interface

input-status: up

input-line-status: up

output-interface: wan

output-status: up

output-line-status: up

Action: allow

kimilisecco Fri, 09/02/2011 - 02:52

Should I add a subinterface on the WAN interface?

I can get my ISP to route the range to my wan interface, but that's not what I want.

Because another company should have their own router on our connection. So that company can use some of our new addresses. And we can use the rest.

Collin_Clark Fri, 09/02/2011 - 05:41

The provider would have to provide trunking on their end. If they do that will work.

kimilisecco Fri, 09/02/2011 - 09:22

Okay, that's not a good idea then.

Any more ideas why this is not working?

Collin_Clark Fri, 09/02/2011 - 11:59

So the old address space does not work with a static? Have you tried an outgoing PAT as a test?

kimilisecco Fri, 09/02/2011 - 12:41

It works fine:

static (local-interface,wan) tcp smtp smtp netmask

Outgoing PAT?


global (wan) 9

nat (local-interface) 9


kimilisecco Fri, 09/02/2011 - 12:54

I have set up a test server on, that has to use one of the new addresses.

So setting these commands:

global (wan) 9

nat (Servercentral) 9

But there is no link to outside, from the server.

creggerd Fri, 09/02/2011 - 17:52

Kim, first, your ISP needs to route the new address range to your circuit. Next, what do the routes on your router look like? If not running BGP it should look something like:

Ip route (range 1) pointing to ASA

Ip route (range 2) pointing to ASA

Ip route pointing to your ISP circuit

You mentioned someone else sharing that IP range, how did you plan on doing that? Are they another interface on your ASA or on the same router? If the same router, you'd have to split that range.

On the ASA you can do either a static translation, or PAT like your other range.

Hope that helps.

Sent from Cisco Technical Support iPad App

kimilisecco Sat, 09/03/2011 - 01:12

I have:

Gateway of last resort is to network

C is directly connected, wan

S* [1/0] via, wan

I have removed the directly connected routes to my interfaces in this output.

As a test we have set an L2 switch in front of our ASA, where their router is connected, and they can use some of our unused IPs from the old range. That works fine.

I hoped that it was that simple to use and split the new IP range.

kimilisecco Wed, 09/07/2011 - 04:37

Case closed!

The IP range the ISP gave me was wrong and will never work, they told me.

So I got a new range, and everything works!
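An added illustration of the setup the accepted answer describes and of the check that separates an ASA-side NAT problem from the upstream routing fault that closed this case; it is not configuration posted by any participant. It assumes pre-8.3 NAT syntax (as used in the thread); every address comes from documentation ranges, and the ACL name, capture name and inside server address are made up for the example.

```cisco
! Constructed addressing (RFC 5737 ranges), not the poster's:
!   original outside subnet  192.0.2.0/28    ASA wan = 192.0.2.2, ISP gw = 192.0.2.1
!   additional subnet        198.51.100.0/28 routed by the ISP to 192.0.2.2
!   inside server            10.10.10.20 behind "local-interface"
!   permitted remote source  203.0.113.0/24
!
interface Ethernet0/0
 nameif wan
 security-level 0
 ip address 192.0.2.2 255.255.255.240
!
! No interface address or route is added for 198.51.100.0/28.
! The default route still points at the gateway of the original subnet.
route wan 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Inbound: static PAT from an address in the additional subnet to the server.
static (local-interface,wan) tcp 198.51.100.5 3389 10.10.10.20 3389 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the mapped (public) address. The source is restricted
! rather than "any" because the published service is RDP.
access-list wan_in extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.5 eq 3389
access-group wan_in in interface wan
!
! Outbound: the same server leaves through an address from the additional subnet.
nat (local-interface) 9 10.10.10.20 255.255.255.255
global (wan) 9 198.51.100.6
!
! --- Verification, run from privileged EXEC (not configuration) ---
! 1. Policy check. This only simulates the ASA's own decision, so an "allow"
!    result says nothing about whether the ISP delivers the range.
!      packet-tracer input wan tcp 203.0.113.50 40000 198.51.100.5 3389
! 2. Delivery check. Capture on wan for the additional subnet, then generate
!    traffic from outside. An empty capture means the packets never reach
!    the ASA, which points at upstream routing rather than NAT or ACLs.
!      capture CAPNEW interface wan match ip any 198.51.100.0 255.255.255.240
!      show capture CAPNEW
!      no capture CAPNEW
! 3. Translation check for the outbound direction.
!      show xlate
```

Because the additional subnet is routed to the ASA's existing outside address rather than shared on the outside segment, a second device on a Layer 2 switch in front of the ASA cannot simply claim addresses from it the way it can from the original on-link range.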


This Discussion

Posted September 1, 2011 at 7:29 AM
Replies:22 Avg. Rating:5
Views:5578 Votes:0
Tags: asa_5510