New Member

ASA 5510 and multiple static WAN IP's

So I have an ASA 5510 connected to our ISP that's providing us a block of 5 static IP's.  One of the interfaces is set up to use one of those IP's.  The other interfaces that are configured are all directed to and seen as that static IP.  When I try to set up a new interface or subinterface with another IP from that block of 5, I get an error that it falls within the range of the already configured interface.  How do I make use of the other IP's that I have so I can direct traffic from another interface to it instead of the original public IP?  Is there a KB article that covers this scenario?  I'm not quite sure which search terms would give me this scenario.  So far I just get articles with public release specs.

Accepted Solutions
Super Bronze

ASA 5510 and multiple static WAN IP's

Hi,

So if you have a /29 subnet assigned by the ISP, you configure one of the IP addresses on the interface.

Let's take this example situation:

Network 1.1.1.0/29

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip add 1.1.1.2 255.255.255.248

    route outside 0.0.0.0 0.0.0.0 1.1.1.1

Naturally the NAT configuration depends on your software level. You have not mentioned it in your post so I will give an example of both NAT configuration formats.

Software level 8.2 and below

    global (outside) 1 interface
    nat (inside) 1 10.10.10.0 255.255.255.0

    static (inside,outside) 1.1.1.3 10.10.10.10 netmask 255.255.255.255
    static (inside,outside) 1.1.1.4 10.10.10.11 netmask 255.255.255.255

Software level 8.3 and above

    nat (inside,outside) after-auto source dynamic any interface

    object network STATIC-1
     host 10.10.10.10
     nat (inside,outside) static 1.1.1.3

    object network STATIC-2
     host 10.10.10.11
     nat (inside,outside) static 1.1.1.4

So as you can see, in both examples above we first use the interface IP address as the Dynamic PAT address for all the users on the LAN. Next we configure 2 Static NAT configurations using 2 other public IP addresses from the same subnet assigned by the ISP.

So no additional interfaces are involved. The only place the additional public IP addresses are configured on the ASA is the NAT configurations where they are used.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
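
An added example, not part of the original answer: a small Python check that shows why a second interface in the same /29 is rejected as overlapping, and audits each static NAT mapped address against the outside subnet, the interface address and the ISP gateway. The function names are hypothetical and the sample config is constructed from the 8.3+ example above; an address flagged as outside the connected subnet is one the ISP would have to route to the ASA.

```python
import ipaddress
import re

# Constructed sample: the answer's 8.3+ example gathered into one config text.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.248
route outside 0.0.0.0 0.0.0.0 1.1.1.1
object network STATIC-1
 host 10.10.10.10
 nat (inside,outside) static 1.1.1.3
object network STATIC-2
 host 10.10.10.11
 nat (inside,outside) static 1.1.1.4
"""

OUTSIDE_RE = re.compile(r"nameif outside\n(?:.*\n)*?\s*ip add(?:ress)? (\S+) (\S+)")
GATEWAY_RE = re.compile(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", re.M)
# Mapped (public) address in 8.2-style "static" and 8.3+ object "nat ... static".
MAPPED_RE = re.compile(r"^\s*(?:static|nat) \(\w+,outside\) (?:static )?(\d+\.\d+\.\d+\.\d+)", re.M)

def outside_interface(config):
    ip, mask = OUTSIDE_RE.search(config).groups()
    return ipaddress.ip_interface(f"{ip}/{mask}")

def overlaps_outside(config, ip, mask):
    """True when ip/mask on a second interface would overlap the outside subnet."""
    new = ipaddress.ip_interface(f"{ip}/{mask}").network
    return new.overlaps(outside_interface(config).network)

def check_mapped(config):
    """Return {mapped_ip: 'ok' or reason} for every static NAT mapped address."""
    outside = outside_interface(config)
    net = outside.network
    reserved = {outside.ip: "outside interface address",
                net.network_address: "network address",
                net.broadcast_address: "broadcast address"}
    gw = GATEWAY_RE.search(config)
    if gw:
        reserved[ipaddress.ip_address(gw.group(1))] = "ISP gateway"
    result = {}
    for text in MAPPED_RE.findall(config):
        addr = ipaddress.ip_address(text)
        in_subnet = addr in net
        result[text] = reserved.get(addr, "ok") if in_subnet else "outside the connected subnet"
    return result
```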

4 REPLIES
Super Bronze

Re: ASA 5510 and multiple static WAN IP's

Hi,

You use the single IP address from the block as the interface IP address as you are currently doing.

The rest you will simply use with NAT configurations. They are NOT configured on any interface. The NAT configurations are enough.

You naturally can't configure IP addresses from the same subnet in different L3 interfaces.

- Jouni

New Member

ASA 5510 and multiple static WAN IP's

Thank you for your response.  I get the error "The IP address xxx.xxx.xxx.xxx/255.255.255.248, cannot overlap with the subnet of interface outside".  Which outside is the interface currently set up to use one of the static IP's.

New Member

ASA 5510 and multiple static WAN IP's

I see.  So I create the extra network objects for each static IP then use those when determining which IP I want specific traffic to exit.

Thanks a million for your help!
