Cisco Support Community
Community Member

Two public subnets cisco asa 5520

I just received a second block of IP addresses from my ISP and I would like to configure the Cisco ASA 5520 to use both. The current setup is as follows:

- interface GigabitEthernet0/0
nameif outside
security-level 0
ip address (this is not the real IP range)


then there is a global outside statement:

global (outside) 1 1.1.4 netmask


I received a second IP address block from our ISP and it's on a different subnet. How can I integrate this second range? Any ideas?

Cisco Employee

Re: Two public subnets cisco asa 5520

ASA/PIX does not allow secondary IP address on the interface like the routers.

You can add/use this new block of addresses as globals and static as usual on the firewall. Just like the ones that you have. The question is which route will the packets take? You can only have one default route pointing to one interface.  Will both the ISPs route for both blocks of IPs?

What is the reason for dual ISP? Load Balance or redundancy?

If it is load balance you need another layer 3 device like a router and you can do PBR on that.

This has been discussed previously in the following thread:

If it is redundancy then, you can do route tracking on the ASA.

ASA route tracking:


Community Member

Re: Two public subnets cisco asa 5520

Thanks for the answer... Oh, let me clarify: the two IP address blocks are from one ISP. I have contacted them already and the PE router is ready to route both IP address blocks. So, I think what you are suggesting is to add another global command with the new IP address block and then just add a static for the 'one to one' translation... using the new IP address block range... right? And of course the appropriate ACL statements as well.

Thanks again,


Community Member

Re: Two public subnets cisco asa 5520

Yes, all you have to do is create a one-to-one NAT mapping if you want to use them on a server. Or a dynamic NAT to global if you want to use it that way.

If you run your own router outside your ASA you will need to add an IP in the new subnet as a secondary IP on your inside interface.
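
The additions discussed in the replies above (a second global, a one-to-one static and the matching ACL entry), sketched as an added example that is not part of the original thread. It uses the pre-8.3 NAT syntax that matches the `global` command in the question; all addresses, the NAT ID 2 and the ACL name `outside_in` are constructed placeholders.

```cisco
! Constructed placeholders: 198.51.100.0/24 stands in for the new ISP block,
! 10.0.1.0/24 and 10.0.2.0/24 for inside networks.

! Dynamic PAT: hosts in one inside subnet leave through an address
! taken from the new block (NAT ID 2 ties the nat and global lines together)
nat (inside) 2 10.0.2.0 255.255.255.0
global (outside) 2 198.51.100.10 netmask 255.255.255.255

! One-to-one static: publish an inside server on an address in the new block
static (inside,outside) 198.51.100.5 10.0.1.5 netmask 255.255.255.255

! Permit only the service that must be reachable from outside; all other
! traffic to the new address falls through to the implicit deny
access-list outside_in extended permit tcp any host 198.51.100.5 eq 443

! Only one ACL can be bound per interface and direction. If an ACL is
! already applied inbound on outside, add the permit line to that ACL
! instead of binding a new one.
access-group outside_in in interface outside
```

`show xlate` and `show access-list outside_in` on the ASA show whether the translations are being built and whether the permit entry is taking hits.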

Cisco Employee

Re: Two public subnets cisco asa 5520


So you mean to say that you need to use your second ISP ALONG with your primary ISP? If that is the case, then sorry, Cisco ASA cannot do Policy Based Routing. Please check:

For the above scenario you can use routers. Make sure your ISP will route for both blocks of IPs.

But if you wish to use the second ISP just as a backup, then ASA can handle that, using the route tracking feature as per the sample scenario below:

I hope this is what you mean from integrating second block of IP addresses into first one.


