2 public subnets on an ASA 5510

grobinson23
Level 1

I've seen some posts where the following scenario is working and most other posts that state that the following scenario cannot be accomplished on an ASA 5510.

We have an ISP that is pushing out two separate public IP ranges, and we are to implement an ASA 5510. The setup will be:

ISP --> Cisco 2800 --> ASA 5510 --> Internal network.

The Cisco 2800 has three interfaces:

e0 65.65.65.82/28

e1 99.99.99.81/28

e2 2.2.2.201/29

ip route 0.0.0.0 0.0.0.0 65.65.65.81

We want the ASA to be set up as follows:

e0 outside 4.4.4.82/28

e1 outside2 2.2.2.202/29

e3 inside 192.168.0.0/16

The caveats are that both public ranges must be active at the same time. The public addresses have web servers attached to them. We also cannot use multiple security contexts (virtual firewalls) on this ASA because we want it to negotiate remote user VPN connections.

The problem that I have run into is that traffic will not respond on one range while the default route (EIGRP or static) is set to one interface or the other.

Can this be done? If so, how? I've looked at doing a default route on multiple tracks, and that didn't do the trick.

Thanks!

2 Replies

Kureli Sankar
Cisco Employee

Right. This cannot be done. The only way I can think of is policy-based routing on the upstream router to use both ISPs (based on source IP address), with the ASA translating them to two different blocks of IPs based on different interfaces.

ASA inside 192.168.x.x

ASA dmz - 10.10.10.x (ASA will translate these to z.z.z.z)

ASA outside - y.y.y.y

If the router on the outside sees a packet with source IP z.z.z.z, it will send it via interface-1, and if it sees packets with source IP y.y.y.y, it will send them out via interface-2.

Would this work for you?

Yes. This would work for me. I am now looking for examples on how to set this up on my 2800.

Thank you!
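As an added example that is not part of the thread, here is one way to lay out the design Kureli describes: the ASA keeps a single default route toward the 2800 and uses NAT to place inside users in one public block and the DMZ web server in the other, while the 2800 policy-routes by source address onto the matching ISP link. Addresses are taken from the original post where it gives them (router e0/e1/e2, ASA outside 2.2.2.202/29, inside 192.168.0.0/16, the 4.4.4.80/28 block). Everything else is an assumption made for the example: that ISP-1 (the e0 link, default gateway 65.65.65.81) announces 2.2.2.200/29 and ISP-2 (the e1 link) announces 4.4.4.80/28; ISP-2's gateway 99.99.99.82; the router interface names; the 10.10.10.0/24 DMZ with web server 10.10.10.10; and ASA 8.3+ NAT syntax.

```cisco
! ---------- Cisco 2800 (upstream router) ----------
! Interface names are assumed; the post only gives e0/e1/e2.
interface FastEthernet0/0
 description ISP-1 link (post: e0 65.65.65.82/28, gateway 65.65.65.81)
 ip address 65.65.65.82 255.255.255.240
!
interface FastEthernet0/1
 description ISP-2 link (post: e1 99.99.99.81/28; gateway 99.99.99.82 is assumed)
 ip address 99.99.99.81 255.255.255.240
!
interface FastEthernet0/1/0
 description Toward ASA outside (post: e2 2.2.2.201/29)
 ip address 2.2.2.201 255.255.255.248
 ! PBR is applied on the ASA-facing interface, so it only steers
 ! traffic arriving from the firewall.
 ip policy route-map ASA-PBR
!
! Default route stays on ISP-1 (as in the post). Assumed: ISP-1
! announces 2.2.2.200/29, ISP-2 announces 4.4.4.80/28.
ip route 0.0.0.0 0.0.0.0 65.65.65.81
! Inbound: the web-server block sits behind the ASA, not on a router
! interface, so the router needs an explicit route to the ASA's outside IP.
ip route 4.4.4.80 255.255.255.240 2.2.2.202
!
! Source-based classification. Upstream anti-spoofing filters (BCP 38 /
! uRPF) usually drop packets whose source is not the ISP's own block,
! which is the usual reason 4.4.4.x sources sent out the ISP-1 link get
! no reply.
ip access-list extended SRC-ISP2-BLOCK
 permit ip 4.4.4.80 0.0.0.15 any
ip access-list extended SRC-ISP1-BLOCK
 permit ip 2.2.2.200 0.0.0.7 any
!
route-map ASA-PBR permit 10
 match ip address SRC-ISP2-BLOCK
 set ip next-hop 99.99.99.82
route-map ASA-PBR permit 20
 match ip address SRC-ISP1-BLOCK
 set ip next-hop 65.65.65.81
! Anything else falls through to the normal routing table.
!
! ---------- ASA 5510 (8.3+ NAT syntax) ----------
! One outside interface toward the 2800 and ONE default route; the ASA
! never has to choose between ISPs, so both blocks are live at once.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.202 255.255.255.248
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 2.2.2.201
!
! Inside users: PAT to the outside address (y.y.y.y = 2.2.2.202),
! which the router sends via ISP-1.
object network INSIDE-NET
 subnet 192.168.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! DMZ web server (assumed 10.10.10.10): static NAT into the second block
! (z.z.z.z = 4.4.4.82), which the router sends via ISP-2.
object network WEB1
 host 10.10.10.10
 nat (dmz,outside) static 4.4.4.82
!
! On 8.3+ the interface ACL references the real (pre-NAT) address.
access-list OUTSIDE_IN extended permit tcp any object WEB1 eq 80
access-group OUTSIDE_IN in interface outside
```

To check that the policy is taking effect, `show route-map ASA-PBR` on the 2800 reports match counts per sequence, and a short `debug ip policy` shows each packet's chosen next hop. Two caveats: the block you translate into must actually be announced by the ISP reached on that link, or the return path breaks regardless of PBR; and a 5510 running pre-8.3 code expresses the same NAT with `static (dmz,outside) 4.4.4.82 10.10.10.10` plus `nat (inside) 1 192.168.0.0 255.255.0.0` and `global (outside) 1 interface`.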
