Community Member

Migrating Subnet to New Firewall

Hi All,

I just purchased a new ASA5510 to replace our old firewall. With help from experts in the forum, the device is configured to have inside, outside and DMZ interfaces. Now here's my question: how should/do I subnet my IP block?

My ISP has given me a block of IPs x.x.x.32/27. In my current setup the ISP gateway is x.x.x.33/27, my old firewall gateway is on x.x.x.34/27, and two VPN gateways are on x.x.x.37 and x.x.x.40/27. My three gateways are running in parallel. I have 2 machines set up with one-to-one NAT to provide web services on x.x.x.35/27 and x.x.x.36/27. I have a DMZ set up with x.x.x.55/27 to x.x.x.62/27.

I was thinking having the first x.x.x.32/29 block for the devices running parallel to the new firewall. The second x.x.x.40/29 block for my outside interface (and one to one NATs) and the last block of x.x.x.48/28 for my DMZ interface. Does this sound ok?

If I proceed with the config, what IPs would I assign to the devices running in parallel? For example, if I choose to give the x.x.x.35 IP to my VPN gateway, would I assign it x.x.x.35/27 or x.x.x.35/29?

Thanks for your reply.

Hall of Fame Super Blue

Re: Migrating Subnet to New Firewall


1) Your addressing scheme is fine. Bear in mind that you could just use a private IP address range for your DMZ and just set up static translations using some of your public IP addresses.

There is nothing wrong with breaking up your /27 subnet into 3 x /29, but you keep losing addresses this way as the network and broadcast addresses are not usable. But if you have enough public addresses then fine.

2) You will need to use the /29 subnet mask otherwise the route lookups could go wrong.
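The two points in the reply above (the address cost of carving the /27, and why the parallel devices must carry the /29 mask rather than the /27) can be checked with a small script. This is an added example, not code from the thread or from Cisco; it uses the RFC 5737 documentation range 203.0.113.32/27 as a constructed stand-in for the poster's x.x.x.32/27, and the function names are the example's own.

```python
import ipaddress

# Constructed stand-in for the thread's x.x.x.32/27 (RFC 5737 documentation space).
ISP_BLOCK = ipaddress.ip_network("203.0.113.32/27")

# The poster's proposed carve-up: /29 for the parallel devices, /29 for the
# firewall outside interface and one-to-one NATs, /28 for the DMZ.
PROPOSED_PREFIXES = [29, 29, 28]


def split_block(block, prefixes):
    """Carve `block` front-to-back into subnets with the given prefix lengths.

    Raises ValueError if a subnet would start on an unaligned boundary
    (ip_network(..., strict=True) rejects host bits set) or if the pieces do
    not fill the block exactly.
    """
    nets = []
    cursor = block.network_address
    for prefix in prefixes:
        net = ipaddress.ip_network(f"{cursor}/{prefix}", strict=True)
        if not net.subnet_of(block):
            raise ValueError(f"{net} falls outside {block}")
        nets.append(net)
        cursor = net.broadcast_address + 1
    if cursor != block.broadcast_address + 1:
        raise ValueError("prefixes do not fill the block exactly")
    return nets


def plan_fits(block, prefixes):
    """True if the prefix list carves `block` cleanly, False otherwise."""
    try:
        split_block(block, prefixes)
        return True
    except ValueError:
        return False


def usable_host_count(subnets):
    """Usable addresses once each subnet loses its network and broadcast address."""
    return sum(len(list(net.hosts())) for net in subnets)


def wrongly_on_link(host_interface, destination, plan):
    """True if a host configured as `host_interface` (address/mask) believes
    `destination` is directly connected although, under `plan`, it lives in a
    different subnet. Such a host ARPs for the destination instead of sending
    the packet to its gateway, which is the route-lookup failure mode the
    reply warns about.
    """
    iface = ipaddress.ip_interface(host_interface)
    dst = ipaddress.ip_address(destination)
    home = next(net for net in plan if iface.ip in net)
    return dst in iface.network and dst not in home


def main():
    plan = split_block(ISP_BLOCK, PROPOSED_PREFIXES)
    print(f"{ISP_BLOCK}: {ISP_BLOCK.num_addresses - 2} usable addresses as one subnet")
    for net in plan:
        hosts = list(net.hosts())
        print(f"  {net}: usable {hosts[0]} - {hosts[-1]} ({len(hosts)} addresses)")
    print(f"total usable after the split: {usable_host_count(plan)}")
    # A VPN gateway at .35 kept on the old /27 mask versus the planned /29 mask,
    # trying to reach .41 in the firewall's outside /29.
    for mask in (27, 29):
        bad = wrongly_on_link(f"203.0.113.35/{mask}", "203.0.113.41", plan)
        print(f"  .35/{mask} thinks .41 is on-link: {bad}")


if __name__ == "__main__":
    main()
```

The split costs four addresses (30 usable in the whole /27 versus 26 across the three pieces), which is the loss the reply refers to. Changing the prefix order to [29, 28, 29] is rejected because a /28 cannot start at .40, which is why the /28 has to be the last piece in this plan.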



Community Member

Re: Migrating Subnet to New Firewall

Hi Jon,

Thanks for your reply.

Does this look right? Or should I be putting the 3 perimeter devices and the machines with one to one NAT (inside, outside) on the same subnet?

EDIT: the IP for VPN-1 should be

Community Member

Re: Migrating Subnet to New Firewall

Any suggestions for the above diagram?

Thanks for your help in advance.
