
New Member

2 firewalls connected to the vlan

We are in the process of migrating to a different ISP, thus we have to change the public IP addresses.

I have no issue changing the inside and outside IP addresses, but the servers in the DMZ are the issue.

We want clients to access the DMZ servers from both the new and the current ISP, then turn the current one off after about a month or so.

My idea is to assign new IP addresses for the inside and outside interfaces and connect the new DMZ into the existing DMZ.

current FW:

inside: 192.168.1.1/24: vlan 192

outside: 10.1.1.1/24: vlan 10

dmz: 172.16.1.1/24: vlan 172

new FW:

inside: 192.168.20.1/24: vlan 168

outside: 10.2.2.2/24: vlan 20

dmz: 172.16.1.2/24: vlan 172

Do you see any issue configuring the FWs like this? The ACL and NAT rules will be similar, where outside clients will be reaching the same DMZ servers using different outside IP addresses. I have an ASA5520.

i.e.

10.1.1.10 -> 172.16.1.10

10.2.2.10 -> 172.16.1.10

5 REPLIES
Bronze

2 firewalls connected to the vlan

Hello,

What version are you using on the ASA?

8.3 + no problem

8.2 - not possible.

static (DMZ,outside) 10.1.1.10 172.16.1.10

static (DMZ,outside) 10.2.2.10 172.16.1.10

ERROR: duplicate of existing static

  inside:172.16.1.10 to outside:10.1.1.10 netmask 255.255.255.255

Regards,

Felipe.

Remember to rate useful posts.

New Member

2 firewalls connected to the vlan

I am running 8.45

Bronze

2 firewalls connected to the vlan

Then it should be fine. You will need to have both ranges of IPs on the outside at the same time and make sure you have the command:

arp permit-nonconnected

Regards,

Felipe.

Remember to rate useful posts.

New Member

2 firewalls connected to the vlan

What will happen if I don't have the command?

arp permit-nonconnected

Bronze

2 firewalls connected to the vlan

If you have two networks on the outside, you need the command for the ASA to respond to arp requests:

http://www.cisco.com/c/en/us/td/docs/security/asa/command-reference/cmdref/a3.html#pgfId-1837762

Cisco Worldwide Contact link:  http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Regards,

Felipe.

Remember to rate useful posts.
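Added example (not from the thread and not Felipe's or Cisco's own configuration): an ASA 8.4(5)-style configuration for one firewall that publishes the same DMZ server on both outside ranges from the thread, the old ISP's 10.1.1.0/24 (configured on the outside interface) and the new ISP's 10.2.2.0/24 (routed to the ASA but not configured on any interface). Interface names, object and ACL names, and the TCP port are assumptions; the addresses are the ones the thread uses.

```cisco
! Added example, not the thread's own config. Interface and object names and
! the service port are assumptions; only the IP addresses come from the thread.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! 8.3+ object NAT: one network object per mapped address, both with the same
! real host. This is what the 8.2 "static" syntax in the thread rejected as a
! duplicate.
object network DMZ-SERVER-OLD-ISP
 host 172.16.1.10
 nat (dmz,outside) static 10.1.1.10
!
object network DMZ-SERVER-NEW-ISP
 host 172.16.1.10
 nat (dmz,outside) static 10.2.2.10
!
! In 8.3+ the interface ACL matches the real (untranslated) address, so one
! line covers both mapped addresses. Port 80 (www) is an assumption.
access-list OUTSIDE-IN extended permit tcp any host 172.16.1.10 eq www
access-group OUTSIDE-IN in interface outside
!
! 10.2.2.10 is not on the outside interface's subnet. Without this command the
! ASA only answers ARP for mapped addresses on directly connected networks, so
! an upstream router that ARPs for 10.2.2.10 on the outside segment gets no
! reply and inbound traffic for the new range never reaches the NAT rule.
arp permit-nonconnected
!
! Verification (run from enable mode, not part of the running config):
!   show nat detail
!   show arp
!   packet-tracer input outside tcp 203.0.113.5 40000 10.2.2.10 80
! 203.0.113.5 is a documentation address standing in for an outside client.
```

arp permit-nonconnected only matters if the new ISP's gateway sits on the same layer-2 segment as the outside interface and resolves 10.2.2.10 by ARP; if the ISP instead routes 10.2.2.0/24 to 10.1.1.1 as a next hop, the ASA never sees an ARP request for the mapped address and the NAT rules alone suffice. Separately, in the two-firewall design the thread starts with, the DMZ server has a single default gateway, so replies to clients that arrived through the other firewall leave through the wrong one, which holds no connection state for them and drops them; keeping both ranges on one ASA as Felipe suggests, or source-translating inbound connections on the second firewall to its own DMZ address, avoids that asymmetry.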
