Cisco Support Community
New Member

ASA 5525-X Second Second IP Range

Hi Guys,

I hope you can help me out with this one. I have an ASA 5525-X with one OUTSIDE interface for IP range 1.1.1.0/29. But this range is full.

Our ISP assigned us another range 2.2.2.0/29, but I want to have this range also on my Cisco ASA 5525-X. I made a second outside interface for the range 2.2.2.0/29 but I cannot route any traffic to this interface.

Is there a solution to have two OUTSIDE interface hosting both IP ranges? The new range 2.2.2.0/29 is for incoming traffic only.

Please could you advise me on this issue?

Regards

VIraj

4 REPLIES
Super Bronze

Hi,

So you have 2 public subnets from the same ISP?

If this is the case then don't configure an additional external interface.

You should be able to start using these IP addresses in your NAT configurations just like the original public subnet you had.

There are some considerations depending on how your ISP added the second subnet on their ISP Gateway:

  • If they added the second subnet as a "secondary" subnet on their gateway interface then you need to configure "arp permit-nonconnected" for the ASA to be able to use the second subnet
  • If they added a route for the second subnet that is pointing to the next hop IP of the current ASA "outside" interface THEN you won't need any additional configurations on the ASA

So please remove the extra External interface you created and start using the new subnet in the NAT configurations by using the original "outside" interface that you had.

- Jouni

New Member

Hi JouniForss,

Thanks for your reply, I really appreciate it! I will explain my network topology, so I can verify my idea:

This is my topology:

Could I configure the second subnet 2.2.2.0/29 on the same interface where 1.1.1.0/29 is configured at the Cisco 2951, with the ip address 2.2.2.0 255.255.255.248 secondary command? And then on the Cisco ASA 5525-X, under the OUTSIDE interface I issue ASA(config-if)# arp permit-nonconnected command?

Super Bronze

Hi,

Pretty much how you described.

Though "arp permit-nonconnected" is not configured under the interface; the ASA would probably still accept the command there but insert it as a global configuration.

Of course the ISP has to have a route for this new network pointing towards your Cisco 2951 Router which I imagine they have already done?

- Jouni
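
The setup described in the replies above, written out as an added example (not configuration posted by anyone in this thread). It assumes the "secondary subnet" case, an inside interface named inside, a constructed server address 192.168.10.10, 2.2.2.2 as the published address, and hypothetical object and ACL names.

```cisco
! Added example; SRV-WEB, OUTSIDE-IN, 192.168.10.10 and 2.2.2.2 are assumptions.
!
! Needed only when the upstream router holds 2.2.2.0/29 as a secondary
! subnet, so it ARPs for the new addresses instead of routing them to
! the ASA. Entered in global configuration mode, not under the interface.
arp permit-nonconnected
!
! Publish one inside server on an address from the new range through the
! existing "outside" interface. No second outside interface is created.
object network SRV-WEB
 host 192.168.10.10
 nat (inside,outside) static 2.2.2.2
!
! The new range is for incoming traffic only, so permit just the published
! service. With object NAT the ACL references the real (inside) address,
! not 2.2.2.2. If an ACL is already applied inbound on outside, add the
! entry to that ACL instead of applying a new access-group.
access-list OUTSIDE-IN extended permit tcp any object SRV-WEB eq https
access-group OUTSIDE-IN in interface outside
!
! Checks from privileged EXEC (198.51.100.10 is a constructed source):
!   show running-config | include arp permit-nonconnected
!   show nat detail
!   packet-tracer input outside tcp 198.51.100.10 40000 2.2.2.2 443
```

If the ISP or upstream router instead routes 2.2.2.0/29 to the ASA's existing outside address, the `arp permit-nonconnected` line is left out and the rest stays the same.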

New Member

Hi,

Yes the new subnet is active. Thanks for your help!
