adding a secondary IP to same interface on a Cisco ASA 5510

My ISP gave me another block of IPs to use on the same interface. I know I can just add a secondary IP to the interface but what else do I have to do with the second gateway? Right now I just have a "route outside 0.0.0.0 0.0.0.0 y.y.y.y"   command in the config. What else do I have to do to accomplish this 2nd block of IPs?
fina27Asked:
Who is Participating?
 
batry_boyConnect With a Mentor Commented:
>>"I know I can just add a secondary IP to the interface"

On an ASA, you cannot add a secondary IP address to an interface...are you talking about adding subinterfaces to be used in a VLAN environment, perhaps?

Truthfully, if your ISP has given you a new block of addresses that you want to be able to use, it's really just as simple as configuring static translations for the new block of IP addresses to point to internal IP addresses.  The ASA will perform proxy ARP for the new IP's.  You shouldn't even have to use the second gateway for the new block at all since you're routing would be taken care of by your existing default route.  As long as your ISP is taking care of routing the new block to your connection with them, then you should be OK and not have to specify the second gateway.
0
 
fina27Author Commented:
Yeah as I was thinking about it more i figured that would be the case about the gateway.

So how can I configure this additional IP block? I just need a little more insight on how to implement it. I can't do a "ip address ip-address mask secondary" command on the interface?


"it's really just as simple as configuring static translations for the new block of IP addresses to point to internal IP addresses." ---- so if I just start doing "static (inside,outside) 'new WAN IP' LAN IP netmask mask"    It will work?
0
 
batry_boyCommented:
>>I can't do a "ip address ip-address mask secondary" command on the interface?

No, it doesn't support the "secondary" option in the ASA code.

>>so if I just start doing "static (inside,outside) 'new WAN IP' LAN IP netmask mask"    It will work?

As long as your ISP has done their part in routing that new net block to your edge router or device, then yes it will work.
0
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

 
fina27Author Commented:
That didn't work. Should I create a sub-interface?
0
 
lrmooreCommented:
All you have to do is create static 1-1 nat xlates to the new ip range. Done.
0
 
fina27Author Commented:
can you give me that command?
0
 
fina27Author Commented:
static (inside,outside) y.y.y.y x.x.x.x netmask mask

y=wan
x=lan


I entered that command and tried to ping it and still cannot. Is there something else?
0
 
td_milesCommented:
you need to permit the traffic through the interface for the NAT to work.

something like:

access-list 101 permit tcp any host y.y.y.y eq 80
acess-group 101 in interface outside

which would allow traffic to a web server on IP y.y.y.y
0
 
lrmooreCommented:
You also cannot ping it from inside.
You also need to make sure that your ISP is routing that block of IP's to your PIX's current outside interface IP
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.