Cisco Support Community
Community Member

configure ASA secondary address

Hi,

I got a second block of IP addresses, and I need to configure my ASA to support the second address.

I know that on a Cisco router this is supported and easy to deploy, but on the ASA I am having some trouble making it work.

Please can you help me with this?

8 REPLIES
Hall of Fame Super Blue

Re: configure ASA secondary address

You don't need a secondary address on the ASA.

Let's say that your ISP has allocated you a new block - 195.17.17.0/28. When they allocate these addresses they will ensure they route them to the outside interface of your ASA. So anyone trying to get to one of those addresses will end up at the ASA.

You simply use the new addressing in NAT statements on the ASA, e.g.

static (inside,outside) 195.17.17.1 192.168.5.10 netmask 255.255.255.255

Allow access to the 195.17.17.1 address in your outside ACL and it will all work fine.

Jon

Community Member

Re: configure ASA secondary address

I don't use NAT; well, my firewall is in router mode.

On my outside interface I have a private IP address like 192.168.1.1, and the first block of public addresses is assigned to my inside interface eth0/1.

Well, I've created VLAN 1 on eth0/1.1, I assigned the second block of addresses to it, and I added a static ARP entry for this VLAN.

But that is still not working.

Hall of Fame Super Gold

Re: configure ASA secondary address

Mezgani

I am a bit confused about your environment and your requirements. Like Jon, I assumed that the way to use the addresses was to translate. But if I am understanding your response correctly, you are not translating addresses but have the public addresses used directly on PCs or servers in your network. If that understanding is correct and if you want to do this also with the new address block, then it would make sense to create a VLAN interface and assign the new address on the VLAN interface.

If you have created a VLAN interface on the ASA, have you also created the corresponding VLAN on the switch to which the ASA connects? And do you have hosts in the VLAN with addresses configured from the new address block?

HTH

Rick

Re: configure ASA secondary address

"On my outside interface I have a private IP address like 192.168.1.1, and the first block of public addresses is assigned to my inside interface eth0/1."

This sounds backwards to me. What is the gateway that your hosts use? The public address that's assigned or the private address of 192.168.1.1? Do you have any other devices in front of the ASA like a router?

HTH,

John

Community Member

Re: configure ASA secondary address

My hosts use the public address of my firewall as their default gateway; it is not a private one like 192.168.1.1. As I said, my firewall is in router mode.

And in front of the ASA I have the supplier's router with a private address, 192.168.1.3.

Community Member

Re: configure ASA secondary address

Thank you for the reply,

I've created a VLAN interface on the ASA but not on the switch.

And about the hosts: yes, I've already configured some servers with the new addresses.

Hall of Fame Super Gold

Re: configure ASA secondary address

Mezgani

Thank you for the additional information. If you have associated the new address block with the VLAN interface on the ASA then the VLAN needs to be configured on the switch and the hosts with the new addresses need to be in that VLAN. This would be a requirement to get the new addresses to work in the approach that you have started.

Without hosts in that VLAN and without that VLAN configured on the switch, it cannot work.

HTH

Rick
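
The setup described in the reply above, as an added example that is not part of any poster's reply: the new block on an ASA subinterface, the same VLAN trunked to the ASA on the switch, and a server port placed in that VLAN. VLAN 20, the switch port names, the nameif and security level, and the reuse of the sample block 195.17.17.0/28 from earlier in the thread are all assumptions.

```cisco
! ---------- ASA (assumed values throughout) ----------
! Physical interface keeps the first public block and carries
! that traffic untagged.
interface Ethernet0/1
 no shutdown
!
! Subinterface for the second block. Frames are tagged with
! 802.1Q VLAN 20, so the switch must carry VLAN 20 on this link.
! VLAN 20 is chosen so it does not collide with the switch's
! default native (untagged) VLAN 1.
interface Ethernet0/1.1
 vlan 20
 nameif inside2
 security-level 90
 ip address 195.17.17.1 255.255.255.240
!
! ---------- Switch (Catalyst-style syntax, assumed ports) ----------
! Create the VLAN that matches the ASA subinterface.
vlan 20
 name SECOND-BLOCK
!
! Port facing ASA Ethernet0/1: trunk carrying the untagged
! native VLAN (first block) and tagged VLAN 20 (second block).
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,20
!
! Port facing a server addressed from the second block,
! with 195.17.17.1 as its default gateway.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
```

Traffic arriving on the outside interface for the new block still needs a permit in the outside access list, and the upstream router needs a route for the block pointing at the ASA's outside address.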

Community Member

Re: configure ASA secondary address

As you say, Rick, maybe the problem is between the switch that may contain the VLAN and the ASA.

But I am still not able to ping the VLAN from the outside interfaces. I think that I don't need to set the VLAN there.
