Cisco ASA products as RFC 3021 /31 addressing

ROBERT BROOKS
Level 1

Forgive me if this question has been asked in other forms before but I have not been able to find a recent answer.

Does the Cisco ASA platform support /31 RFC 3021 addressing on its interfaces in any of the latest versions of code? We work regularly with a service provider whose default offering is /31 addressing for public addresses and we always have to request at least a /30 address space for the ASA to work with.

It would be really useful to allocate a /31 address to the ASA interface.

As a secondary question linked to this - My understanding is as follows:-

1.  For the ASA to terminate VPNs, the public IP address must be the actual outside interface address on the ASA terminating the VPNs.

2.  All other firewall activities handling traffic via NAT could use an RFC1918 address on the outside interface with the SP provided public address just configured as NAT address/object NAT.

Are items 1 and 2 above correct statements?

Thanks in advance for any replies and forgive me if these are rather basic questions.

Regards,

Robert

1 Reply

Jouni Forss
VIP Alumni

Hi,

Seems to me that the ASA doesn't support /31 mask subnets. I can't remember ever having tried using these on ASAs, but I have used them on Cisco routers.

This is the result from my own home ASA5505 9.0(2):

ASA(config)# interface vlan 20

ASA(config-if)# ip add 10.0.255.1 255.255.255.254

ERROR: /31 mask is not allowed

As to your 2 other questions,

1.) For VPNs you will have to use the IP address configured on the ASA interface.

2.) You can use the IP address configured on the ASA interface as the Dynamic PAT IP address for all your internal networks. You can naturally also have additional public subnets (if the ISP provides you those) on that same external interface where the current link network is if you need additional NAT IP addresses.

- Jouni
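
As an added example (not part of the original thread, and not Cisco tooling), the following Python sketch checks a planned ASA configuration for interface addresses that use the /31 mask the ASA in the reply rejected, and reports the enclosing /30 that would have to be requested from the provider instead. The sample configuration is constructed, and the function name `find_slash31_interfaces` is hypothetical.

```python
import ipaddress
import re

# Constructed sample configuration for illustration (not from the thread's device).
SAMPLE_CONFIG = """\
interface Vlan10
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan20
 nameif outside
 ip address 10.0.255.1 255.255.255.254
interface Vlan30
 nameif dmz
 ip address dhcp setroute
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
# Also accepts abbreviated forms such as "ip add", as typed in the reply.
ADDR_RE = re.compile(r"^\s*ip add\w*\s+(\S+)\s+(\S+)", re.IGNORECASE)


def find_slash31_interfaces(config_text):
    """Return one finding per interface address configured with a /31 mask."""
    findings = []
    current = None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if not m:
            continue
        try:
            iface = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        except ValueError:
            continue  # not an address/mask pair, e.g. "ip address dhcp setroute"
        if iface.network.prefixlen != 31:
            continue
        # RFC 3021: both addresses of a /31 are usable, so the peer is the other one.
        peer = next(h for h in iface.network.hosts() if h != iface.ip)
        findings.append({
            "interface": current,
            "address": str(iface.ip),
            "peer": str(peer),
            # Smallest conventional subnet containing the /31.
            "request_instead": str(iface.network.supernet(new_prefix=30)),
        })
    return findings
```

Running `find_slash31_interfaces(SAMPLE_CONFIG)` flags only `Vlan20`, the interface carrying the same address and mask that produced the error in the reply.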
