Cisco Support Community

Re-Use Public IP for Router

Hi all,

We almost ran out of public IP addresses and would like to re-use one of the public IPs used for PAT on our ASA.

Can I use this public IP address to assign it to a router interface?

Will routing to this router interface and PAT on the ASA work concurrently?

See attached sample design.

 

4 REPLIES

I do not believe that this setup will work.  For the ASA to be able to do PAT for 1.1.1.1 you would need to route 1.1.1.1 to the ASA outside interface from the internet router via the core switch.  Now if you assign 1.1.1.1 to the CE router no traffic destined for the CE router 1.1.1.1 will reach the router since all traffic is routed to the ASA.


Hi Marius,

Even if the Internet Edge, ASA outside interface and the prospective CE router will be on the same public IP subnet?

Yes, because if you intend to PAT 1.1.1.1 to an IP on the LAN then 1.1.1.1 needs to be routed to the ASA. In that scenario the CE router would not receive any traffic for 1.1.1.1. If you go the other way, that 1.1.1.1 is to be routed to the CE router, then the ASA will not receive traffic for the 1.1.1.1 network.

You could try to use PBR on either the internet router or if the core switch is an L3 switch you could configure PBR there.  Then you might be able to route, for example, 1.1.1.1 with destination port 80 to the ASA and everything else goes to the CE router.

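A sketch of the PBR split suggested in the reply above, as an added example that is not part of the original thread: Cisco IOS configuration for the internet router. The interface name, the ACL and route-map names, and 1.1.1.2 as the ASA outside interface address are assumptions, since the thread does not give them.

```cisco
! Internet router (Cisco IOS). Constructed sample values, not from the thread:
!   GigabitEthernet0/0  = interface where Internet traffic arrives
!   1.1.1.2             = ASA outside interface address
!
! Classify only the traffic that should reach the PAT rule on the ASA.
ip access-list extended TO-ASA-PAT
 permit tcp any host 1.1.1.1 eq 80
!
! Packets matching the ACL are handed to the ASA. Everything else falls
! through to the normal routing table and is delivered to the device that
! owns 1.1.1.1 on the segment (the CE router in this design).
route-map SPLIT-SHARED-IP permit 10
 match ip address TO-ASA-PAT
 set ip next-hop 1.1.1.2
!
! PBR is evaluated on ingress, so apply it where Internet traffic enters.
interface GigabitEthernet0/0
 ip policy route-map SPLIT-SHARED-IP
!
! Caveats for this design:
! - Only inbound TCP/80 is steered to the ASA. Replies to outbound dynamic
!   PAT sessions arrive on translated high ports, do not match the ACL,
!   and therefore follow normal routing to the CE router.
! - Only one device on the shared segment may answer ARP for 1.1.1.1;
!   if both the ASA and the CE router answer, delivery becomes unpredictable.
```

`show route-map SPLIT-SHARED-IP` on the router shows the policy routing match counters, which confirms whether port 80 traffic is actually hitting the rule.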

Ok. Will just order new public IP range with our ISP. It's also about time to do this. Thanks!
