ASA 5585 with Two Outside networks and one Inside

allenferdinand
Level 1

I have two class C IP blocks that terminate on my router. I have currently been using an ASA 5520 to provide DMZ VLANs from one of those IP blocks and have been ignoring the other one. I am migrating to a 5585 now and want to add the second IP block as a series of VLANs. The current config is:

IP addressing is as follows (not my real IPs, but representative of the actual setup).

IP Blocks

     External:  12.111.107.0/24 and 12.41.107.0/24

The router's inside interface has both IP blocks set up, as a primary and a secondary address. The inside interface is 12.111.107.1/28.

The current ASA 5520 has an address in the first IP block as its outside interface on GigE0/0: 12.111.107.9/28.

GigE0/1 is connected to my core switch and has an IP address on the internal block, 10.1.10.2 (the core switch acts as a router for the internal networks).

GigE0/2 has several DMZs set up in the same IP block as the outside interface of the ASA: 12.111.107.33/28 and 12.111.107.65/26. These are fed into my vSphere clusters as a trunk.

I'm assuming that I can move the existing config to the 5585 (working through the issues around updating to new code), add the second IP block on GigE0/3, and then create my VLANs/sub-interfaces on GigE0/4. GigE0/3 will be 12.41.107.5/28 (there are other devices on that IP block).

I think my two questions are: am I assuming correctly, and how do I set up a static route so that devices on GigE0/4 go out through GigE0/3 as their gateway? I want my corporate traffic to go through GigE0/0 and my DMZ traffic, which is mostly dev stuff, to go through GigE0/3.

I'm sorry if I sound like an idiot; I've done all the LAN work and have no problem with VLANs or getting things up/keeping things running, but this one I figured I'd get some advice on.

TIA

Allen

3 Replies

Dennis Mink
VIP Alumni

Because ASAs do not support policy-based routing, I would use NAT.

So NAT between GigE0/4 and GigE0/3.

Even better, as you will be deploying a new 5585, use two contexts, one for Prod and one for Dev.

Please remember to rate useful posts, by clicking on the stars below.

I think the two security contexts are a good idea. Time to hit the books again. Thanks.

Turns out that I cannot do this. I have to provide VPN via IPsec and AnyConnect on one of the interfaces on the production side. I have 18 VLANs on the second class C, and I can ping my interfaces, but once there they don't know where to go. Obviously a routing issue. I have network identities for each network and device and have set up my NAT rules in a manner that I think is right.

This device is using 8.4 code.
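The configuration below is an added worked example for this thread, not Allen's real config and not something Dennis posted. It shows the "NAT between GigE0/4 and GigE0/3" approach on 8.4 code with the representative addresses from the original post, and it also covers the symptom in the last reply (interfaces reachable, traffic then stalls), which is what happens when NAT picks the second outside interface but there is no next hop on it. Interface names (outside, outside-dev, dmz-dev-10), VLAN 10, the 12.41.107.32/28 carved out of the second block, and 12.41.107.1 as the router's secondary address on that block are all assumptions.

```cisco
! Added example, not the poster's actual config. Assumed: interface names,
! VLAN 10, the /28 carved from 12.41.107.0/24 for the dev DMZ, and 12.41.107.1
! as the router's secondary (second-block) address. Syntax is ASA 8.4 manual NAT.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 12.111.107.9 255.255.255.240
!
interface GigabitEthernet0/3
 nameif outside-dev
 security-level 0
 ip address 12.41.107.5 255.255.255.240
!
! Gi0/4 is the trunk toward vSphere: no IP on the physical port, one sub-interface
! per VLAN (repeat the sub-interface block for each of the 18 VLANs).
interface GigabitEthernet0/4
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4.10
 vlan 10
 nameif dmz-dev-10
 security-level 50
 ip address 12.41.107.33 255.255.255.240
!
! Routing. Corporate traffic keeps the normal default route via the first block.
route outside 0.0.0.0 0.0.0.0 12.111.107.1 1
!
! The ASA does not load-share default routes across two interfaces, but it does
! accept a floating default route with a worse metric. A plain route lookup never
! picks it, so this line alone moves no traffic; it only gives the ASA a next hop
! on outside-dev to use once NAT has already selected outside-dev as the egress.
! Without it the dev VLANs can ping the ASA but their Internet-bound flows have
! nowhere to go.
route outside-dev 0.0.0.0 0.0.0.0 12.41.107.1 254
!
! Egress selection by NAT. The dev DMZ already carries public addresses, so this
! is identity NAT: real and mapped object are the same and nothing is rewritten.
! What matters is the interface pair: for a matching flow from dmz-dev-10 the ASA
! takes outside-dev as the egress interface from the NAT rule rather than from
! the routing table, and only then looks up the next hop on outside-dev.
object network DMZ-DEV-10
 subnet 12.41.107.32 255.255.255.240
!
nat (dmz-dev-10,outside-dev) source static DMZ-DEV-10 DMZ-DEV-10
!
! Do not append "route-lookup" (available from 8.4(2)) to that rule. It tells the
! ASA to choose the egress interface from the routing table again, which is the
! exact behaviour being avoided; the dev traffic would then leave via Gi0/0.
!
! With 18 VLANs it is cleaner to group the dev subnets and write one rule that
! matches them from any ingress interface:
object-group network DMZ-DEV-ALL
 network-object 12.41.107.32 255.255.255.240
 network-object 12.41.107.48 255.255.255.240
!
nat (any,outside-dev) source static DMZ-DEV-ALL DMZ-DEV-ALL
```

Two checks are worth doing before trusting this. First, `packet-tracer input dmz-dev-10 tcp 12.41.107.34 40000 198.51.100.10 80` (198.51.100.10 is a documentation address standing in for any Internet host) should show a NAT phase reading "NAT divert to egress interface outside-dev" and finish with outside-dev as the output interface; if the output interface is outside, the NAT rule did not match or carries route-lookup. Second, the return path: the router must route each /28 of the second block to 12.41.107.5, the same way it must already send 12.111.107.32/28 and 12.111.107.64/26 to 12.111.107.9 for the existing DMZs, or reply packets never reach the ASA and the symptom looks identical to the missing next hop above.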
