Cisco Support Community

ASA 5510 Proxy ARP two subnets on same interface possible?

Hi all

Please see the attached drawing; I hope you understand it.

I have a FrontEnd Firewall (ASA 5510). The Outside Interface on this firewall is connected to the ISP edge router with a /30 network in between.

The FrontEnd Firewall's Inside interface is in a /28 network (public IP addresses). This /28 is statically routed by my ISP to the FrontEnd Firewall's Outside Interface, and Proxy ARP is enabled.

I now need more public IPs on the DMZ network between the FrontEnd and the Backend Firewall. My ISP has statically routed another /29 network to my FrontEnd Firewall's Outside interface.

But how do I route this new network assigned by my ISP? The FrontEnd Firewall's Inside interface can only be in one subnet, not two different subnets at once. Is there some clever solution, or do I have to add the new subnet to a new physical Interface on the FrontEnd Firewall?

Best Regards

Steffen.

Accepted Solution

Steffen

Backend Firewall is running NAT so clients can access the internet with one public IP (from the DMZ), but the servers in the DMZ zone I assigned real public IPs because they are webservers in the DMZ.

No problem. You could still use private addressing and NAT on the front end firewall for the servers, which is a common setup, but it doesn't matter.

So what I understand from you and Jouni is that I need to create a new DMZ zone on a new interface (or use a trunk and VLANs on my DMZ switch)?

Yes, although Jouni also gave another option, but I have never tried that so I didn't comment. Another DMZ would be the option I would recommend, either using a new interface on the ASA or by trunking if you don't have a spare interface.

Jon

5 REPLIES

Re: ASA 5510 Proxy ARP two subnets on same interface possible?

Hi,

Even though you have shared the picture of the setup I am not 100% sure of it. Are you saying that you have a network with hosts/servers between the 2 firewalls?

Typically Proxy ARP would be used on the Internet edge of the firewall towards the ISP. Now what you want to achieve is essentially have a "secondary" network on the "inside" interface of the Front End Firewall.

One option that was used in older software versions, and I guess will work with newer ones, would be to do the following:

  • Check the MAC address of the "inside" interface of the Front End Firewall
  • Decide the gateway address of the new public subnet
  • Configure a Static ARP entry for the new public subnet's gateway using the MAC address of the existing interface
  • Route the new network towards the current "inside" interface IP address

For example, network 2.2.2.0/29:

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.240
!
! aaaa.bbbb.cccc stands for the MAC address of the inside interface itself
arp inside 2.2.2.1 aaaa.bbbb.cccc alias
! the new prefix is routed at the inside interface's own address
route inside 2.2.2.0 255.255.255.248 1.1.1.1

You could test this out.

Not a really suggestable approach to get this done.

Another option might be to configure a new DMZ on the Front End Firewall.

- Jouni


ASA 5510 Proxy ARP two subnets on same interface possible?

Steffen

I'm not clear on whether you want the /29 and the /28 to be seen as the same subnet?

Usually private IPs are used for real IPs and then you use the public IPs for NAT on the front end firewall. Then, as long as the ISP routes the public subnets to your front end firewall, you can simply use them for NAT and have all your actual devices using a private IP range.

If you do the above then running out of public IPs just means getting a new range.

But it looks like you have assigned the devices real public IPs from the /28 range. Now you want additional IPs to assign to real devices.

The best solution is, as Jouni says, to create a new DMZ for the new public IP range. If you don't have spare interfaces then you could look to use a trunk link between the switch (I'm assuming there is one) and the inside interface of the front end firewall, and then have subinterfaces for each public IP range.

This would obviously require some downtime whilst it was configured.

Note also that if there is a chance of running out of public IPs again, then it may be better to use private addressing for the new subnet and simply use the new public IPs for NAT on the front end firewall, although this would mean having different setups for your existing public IPs and new public IPs, so you may want to stay consistent with your current design and simply assign the new public IPs to the actual devices.

Jon
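As an added example (not from Jon's or Jouni's posts), the trunk-and-subinterface layout Jon describes, written as ASA configuration: the existing /28 stays as "inside" on its own VLAN, and the new /29 becomes a separate DMZ with its own security level and explicit inbound policy instead of sharing one broadcast domain with the old range. The prefixes 1.1.1.0/28 and 2.2.2.0/29 reuse Jouni's sample values; the VLAN ids, the nameifs inside/dmz2/outside, the host 2.2.2.2 and the ACL name outside_in are assumptions.

```cisco
! Added example, not from the thread. Placeholder values: VLAN 10/20,
! nameifs inside/dmz2/outside, host 2.2.2.2, ACL name outside_in.
! The physical port becomes a pure trunk parent; this removes its
! existing nameif, so plan the downtime Jon mentions.
interface GigabitEthernet0/0
 description Trunk to DMZ switch
 no ip address
 no nameif
 no security-level
!
! Existing /28 (public addressing) keeps its name and security level.
interface GigabitEthernet0/0.10
 vlan 10
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.240
!
! New /29 as a separate DMZ. Its lower security level means traffic
! from dmz2 towards inside is dropped unless explicitly permitted.
interface GigabitEthernet0/0.20
 vlan 20
 nameif dmz2
 security-level 50
 ip address 2.2.2.1 255.255.255.248
!
! Both prefixes are now connected routes on the ASA, so no static
! route and no Proxy ARP alias entry is needed for 2.2.2.0/29.
!
! Inbound policy from the Internet for a web server in the new range.
access-list outside_in extended permit tcp any host 2.2.2.2 eq 80
access-list outside_in extended permit tcp any host 2.2.2.2 eq 443
access-group outside_in in interface outside
!
! Verification after the change:
! show interface ip brief   (both subinterfaces up/up)
! show route                (2.2.2.0/29 listed as connected via dmz2)
! show arp                  (no alias entry for 2.2.2.1)
```

The switch port facing GigabitEthernet0/0 must carry VLANs 10 and 20 as a trunk, with the web servers of each range in their matching VLAN.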

ASA 5510 Proxy ARP two subnets on same interface possible?

Hi Jon

Backend Firewall is running NAT so clients can access the internet with one public IP (from the DMZ), but the servers in the DMZ zone I assigned real public IPs because they are webservers in the DMZ.

So what I understand from you and Jouni is that I need to create a new DMZ zone on a new interface (or use a trunk and VLANs on my DMZ switch)?

Regards Steffen.


Re: ASA 5510 Proxy ARP two subnets on same interface possible?

Hi

From the perspective of the ASA and the rest of the network, it would probably be simpler to set up a new DMZ network on the ASA itself.

Naturally you can try the configuration I provided if possible, but as I said it's not really something that would be suggestible in a production environment. I usually run into such a thing when there is no real other option in the short term to get things working for the user/customer.

- Jouni

