Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2717
Views
0
Helpful
3
Replies

Secondary IP address in ASA5510/PIX515e

oyd110380
Level 1
Level 1

‎03-09-2010 11:24 PM - edited ‎03-11-2019 10:19 AM

Hi All,

Just want to know if there is a way to configure secondary IP address on the outside/public interface of ASA/PIX.

One of our clients have used most of their IP on the subnet given by their ISP. They use those IP's for statically

mapping to Servers inside their local LAN. Thus, they requested another block/subnet from their ISP. They will also

use this for static mapping/port forwarding to other servers in their network. The current UTM they are using is allowing this

but they would like to use ASA/PIX as their main Firewall. Is this even possible or is there

a workaround for this kind of scenario?

Many Thanks!

Labels:
0 Helpful
3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

‎03-10-2010 03:15 AM

Lloyd

Pix/ASA firewalls do not support using secondary addressing on an interface. However the good news is that they don't need to.

As long as the ISP routes the new block of IP addresses to the outside interface of your firewall then you simply use the new block of IPs as you have the existing block ie. you set up static translations and allow access via the access-list.

The new IP block does not actually have to be allocated to an interface.

Jon

0 Helpful

oyd110380
Level 1
Level 1
In response to Jon Marshall

‎03-10-2010 06:06 PM

Thanks for your response jon. Will just verify with the ISP then. Really Appreciate it!

0 Helpful

lovedam
Level 1
Level 1
In response to oyd110380

‎10-27-2011 09:48 AM

I have a situation like this one.  I get the routing part, but if I want to use the firewall as a VPN head end, how do I make it such that the firewall outside interface can be in the range of new ISP IPs?  how can I make the outside interface accessible over the internet if I have 2 ranges?

Thanks,

Damon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card