Cisco ASA 5505 Dual active public interfaces with Base License

Georgi Kostov
Level 1

Hello there,

I read about this but I am still not sure. So my question is:

Is it possible to have two outside public interfaces that are active at the same time (not like a backup/failover connection) with the ASA Base License? I know that with the Base License I can configure 3 VLANs, two unrestricted and one restricted. But I don't need the two public interfaces/networks to communicate with one another.

Please give your opinion on how I can resolve my issue.

Regards.

Accepted Solution

Hi,

If you have just another public IP stack given to you by the ISP... if this is the case, then you have to do routing for that additional public IP stack and it should get routed to your firewall outside IP....

Say you have ISP router (1.1.1.1)----1.1.1.2 (ASA) and your additional public IP segment 2.2.2.0/29 is given to you... then on the internet router you need to advertise that route to the firewall outside IP (1.1.1.2).

For e.g.: ip route 2.2.2.0 255.255.255.248 1.1.1.2

You can use the 2.2.2.0/29 in your firewall and you can use all the 8 IPs for PAT/NAT purposes.... 2.2.2.0, 2.2.2.1,.... 2.2.2.7 :)

Regards

Karthik

5 Replies

nkarthikeyan
Level 7

Hi,

You cannot have both ISP/WAN interfaces active at the same time..... since you will not be able to do policy-based routing using the ASA... you cannot do so.....

Rather, you can tweak it at some level..... if you have a site-to-site VPN running..... then you can have the site-to-site VPN go via WAN2 and all other traffic go via WAN1.... something like this....

Regards

Karthik

Hi and thanks for the answer.

I don't have a site-to-site VPN. My main issue is that our ISP gave us two scopes of public IPs. One scope is assigned to the ASA outside interface, and our mail server also goes out with an IP from that scope. But we have a public server that uses a public address from the other scope. The problem is that this server has two NICs and it's not behind the ASA. It's public without any restrictions. We have a lot of clients and they are all configured to request that public IP from the second scope. It will be a big pain to reconfigure all of them without remote access. I asked the ISP to forward the traffic from one IP to the other but they can't.

I want that server behind the ASA.

So please give advice on how I can solve that problem.

I have a question.

I set a static route to 2.2.2.0/29 on the ASA and now I have access to that network. The public IP that the server has and that the clients use to update data is 2.2.2.3. Should something be done on the ISP router so that traffic coming from outside to 2.2.2.3 is redirected to 1.1.1.2?

Hi,

If you have that server behind your firewall.... say 10.0.0.100 (real IP address of the server), and you are NATing that in the firewall as 2.2.2.3, right? If so, you do not need to have any static route for that in the firewall; rather, you need to have that route in the internet router, which is connected to the firewall outside interface.... so when anyone from the internet accesses that 2.2.2.3 server, it will get routed to your internet router.... your internet router in turn will route it down to your firewall.... in your firewall you will have the NAT rules in place to accept that request and respond back....

Regards

Karthik
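
The arrangement described in the replies above, written out as an added example that is not part of the original thread or any poster's configuration: the upstream router routes 2.2.2.0/29 to the ASA outside IP, and the ASA statically NATs 2.2.2.3 to the server at 10.0.0.100 while permitting only the service port. Assumptions: ASA 8.3+ syntax (pre-8.3 equivalents shown as comments), interface names `inside`/`outside`, the names `SRV-REAL` and `OUTSIDE-IN`, TCP/443 as the port the clients use (the thread does not say which), and 198.51.100.10 as a constructed test source.

```cisco
! --- Upstream internet router (IOS-style syntax, as in the thread) ---
! Send the whole additional block to the ASA outside address.
ip route 2.2.2.0 255.255.255.248 1.1.1.2

! --- ASA 8.3 and later ---
! Real server address behind the firewall, translated 1:1 to 2.2.2.3.
object network SRV-REAL
 host 10.0.0.100
 nat (inside,outside) static 2.2.2.3

! Permit only the service the clients need (assumed TCP/443).
! From 8.3 on, the ACL matches the real (post-NAT) address.
access-list OUTSIDE-IN extended permit tcp any object SRV-REAL eq 443

! If an ACL is already bound inbound on "outside", add the permit line
! to that ACL instead: access-group replaces the existing binding.
access-group OUTSIDE-IN in interface outside

! --- Pre-8.3 equivalents ---
! static (inside,outside) 2.2.2.3 10.0.0.100 netmask 255.255.255.255
! access-list OUTSIDE-IN extended permit tcp any host 2.2.2.3 eq 443

! --- Verification on the ASA ---
! Confirm the translation exists.
show xlate
! Simulate an inbound client connection; expect the final result ALLOW.
packet-tracer input outside tcp 198.51.100.10 12345 2.2.2.3 443
! Simulate a port that is not permitted; expect DROP by the implicit deny.
packet-tracer input outside tcp 198.51.100.10 12345 2.2.2.3 3389
```

No static route for 2.2.2.0/29 is needed on the ASA itself in this layout, and the server's second NIC should be disconnected from the public segment so that all traffic to it passes through the firewall.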
