
Add a second WAN CIDR range to ASA 5505

pk1000001
Level 1

Forgive me if this has already been covered, as I couldn't find any clear answers to do this with a lone ASA 5505 running sec plus.

How would I go about adding a second /28 CIDR range on another segment given to us by our ISP which is on another segment?

Our outside is configured with 68.2.2.2/255.255.255.255 and we have been given a new block of 98.98.98.0/255.255.255.240. ISP has routed the 98 to the 68 on their side as of now. 

Curious: is the 5505 capable of doing this without a router in front? Any suggestions are welcome. Thanks!


michael o'nan
Level 4

Did they give you a second link or just add the IPs to your current connection? If same connection you could use a basic switch as a "breakout" and use 2 interfaces as your outside connection.

Good question, no second physical drop. 

You really do not want to use it as a second physical connection unless you intend to use the second address block only as a backup in case the primary physical connection has a problem. And given the description that the ISP has routed the 98 to the 68 I think it is highly likely that there is only a single physical connection from the ISP. So putting a switch in place to split them does not really buy you any redundancy.

 

What you really want to do is to use the second address block to create a pool of addresses to use for address translation. The ASA5505 should do this quite easily and well.

 

HTH

Rick

pk1000001
Level 1

Thanks. Yes, we do not want to use a router or switch in front. I do understand the 5505 is not a router, but are there any tricks we could do to add the additional /28 block of IPs from a single ISP drop to our ASA 5505? Would I assign the new /28 to the inside interface?

You do not need to assign the block to an interface to be able to use it for address translation with the ASA5505.

 

HTH

Rick

Thank you, Richard. 

 

By leveraging PAT to point a 98 address to an internal 172 address, would we be allowed to use one-to-one NAT? 

You should be able to use 98 addresses to create one to one translations for 172 addresses and you could, if you want, use some 98 addresses to do dynamic NAT.

 

HTH

Rick
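The approach described in the replies above, written out as an added configuration example that is not part of the original thread: the routed 98.98.98.0/28 block is used only in NAT rules and is never assigned to an interface. It assumes ASA 8.3 or later object NAT syntax; the interface names, the 172.16.1.0/24 inside network, the 172.16.1.10 server, the address split and all object and ACL names are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ object NAT syntax.
! Assumed values: interfaces named inside/outside, inside network
! 172.16.1.0/24, server 172.16.1.10, and every object/ACL name below.

! One-to-one static NAT: one 98 address maps to one 172 host.
object network SRV-WEB
 host 172.16.1.10
 nat (inside,outside) static 98.98.98.2

! Dynamic NAT: other inside hosts draw from a pool of 98 addresses.
object network POOL-98
 range 98.98.98.8 98.98.98.14
object network INSIDE-NET
 subnet 172.16.1.0 255.255.255.0
 nat (inside,outside) dynamic POOL-98

! A static translation does not by itself admit inbound traffic.
! Permit only the service that must be reachable. On 8.3+ the ACL
! references the real (172) address, not the mapped 98 address.
access-list OUTSIDE-IN extended permit tcp any object SRV-WEB eq https
access-group OUTSIDE-IN in interface outside
```

An interface takes one ACL per direction, so if an inbound ACL is already bound to outside, add the permit entry to that ACL rather than applying a new `access-group`. `show xlate` and `show nat detail` confirm which 98 addresses are in use and which rules are taking hits.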