Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
544
Views
0
Helpful
4
Replies

Re-Use Public IP for Router

Go to solution
johnlloyd_13
Level 9
Level 9

‎10-31-2014 01:21 AM - edited ‎03-11-2019 10:00 PM

hi all,

we almost ran out of public IP addresses and would like to re-use one of the public IP used for PAT on our ASA.

can i use this public IP address to assign it to a router interface?

will routing to this router interface and PAT on ASA work concurrently?

see attached sample design.

 

Labels:
Preview file
29 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to johnlloyd_13

‎10-31-2014 02:48 AM

Yes,  because if you intend to PAT 1.1.1.1 to an IP on the LAN then 1.1.1.1 needs to be routed to the ASA.  In that scenario CE router would not recieve any traffic for 1.1.1.1.  If you go the other way that 1.1.1.1 is to be routed to the CE router then the ASA will not recieve traffic for 1.1.1.1 network.

You could try to use PBR on either the internet router or if the core switch is an L3 switch you could configure PBR there.  Then you might be able to route, for example, 1.1.1.1 with destination port 80 to the ASA and everything else goes to the CE router.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marius Gunnerud
VIP
VIP

‎10-31-2014 01:52 AM

I do not believe that this setup will work.  For the ASA to be able to do PAT for 1.1.1.1 you would need to route 1.1.1.1 to the ASA outside interface from the internet router via the core switch.  Now if you assign 1.1.1.1 to the CE router no traffic destined for the CE router 1.1.1.1 will reach the router since all traffic is routed to the ASA.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9
In response to Marius Gunnerud

‎10-31-2014 02:44 AM

Hi Marius,

Even if the Internet Edge, ASA outside interface and the prospective CE router will be on the same public IP subnet?

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to johnlloyd_13

‎10-31-2014 02:48 AM

Yes,  because if you intend to PAT 1.1.1.1 to an IP on the LAN then 1.1.1.1 needs to be routed to the ASA.  In that scenario CE router would not recieve any traffic for 1.1.1.1.  If you go the other way that 1.1.1.1 is to be routed to the CE router then the ASA will not recieve traffic for 1.1.1.1 network.

You could try to use PBR on either the internet router or if the core switch is an L3 switch you could configure PBR there.  Then you might be able to route, for example, 1.1.1.1 with destination port 80 to the ASA and everything else goes to the CE router.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9
In response to Marius Gunnerud

‎10-31-2014 02:59 AM

Ok. Will just order new public IP range with our ISP. It's also about time to do this. Thanks!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card