Solved

Cisco ASA 5520 - Multiple IP Blocks

Posted on 2010-01-08
Last Modified: 2012-05-08
Ok - here's the situation - We've got a Cisco ASA 5520 at our Colo (small business) - we had a block of 5 public IPs, now we need a few more, but obviously all the IPs in the initial range are taken, so they've given us a new block... is it possible to use both through a single ASA 5520?

Ideally I'd just like to throw these new IPs in and start NATing them to servers behind the firewall.

Any help would be greatly appreciated.

Thanks!
Question by:247ITSolutions
7 Comments
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 26273540
It depends on how they've been assigned.  If the second block is reachable through the same customer-to-provider IP network, then you can just assign them to a DMZ interface and start setting up NAT.  Does the provider have a default router in this block of IPs?  If so, then it becomes more complicated.  Please let me know.
 
LVL 21

Accepted Solution

by:
Rick_O_Shay earned 2000 total points
ID: 26273567
As long as the ISP has routing set up to get to those new addresses through your public side interface you should be able to use them.
 

Author Comment

by:247ITSolutions
ID: 26273632
Well, from the info they gave me - our first block has a gateway of 66.xxx.xxx.105 - the second IP block is a gateway of 66.xxx.xxx.209 (the xxx.xxx numbers are the same on both)

Do I need to upload my config?

 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 26273703
No, that tells us everything we need.  It's not going to be done the easy way, unfortunately. You *could* call your ISP and see if they would be willing to route that block to your outside interface, in which case we can just NAT those addresses normally.  If not, the cleanest thing to do would be to request an entirely new subnet with the address space you need.  Lastly, if neither of those appeal, you could put a router in front of the ASA to handle both blocks and policy route the traffic to the correct gateway.
 
LVL 57

Expert Comment

by:giltjr
ID: 26273849
--> You *could* call your ISP and see if they would be willing to route that block to your outside interface, in which case we can just NAT those addresses normally.  

Just to clarify, he means the outside interface of the first device you manage.  If you manage your own router, then it is the outside interface of your router; if your first point of presence is your firewall, then it's the outside interface of your firewall.

I had one ISP tech tell me, "sure, we are routing to the outside interface, how do you think we get it to the router at your location."  They managed the router and expected to have it directly on the LAN side of their router.  He just did not understand; it took a few days and a more senior tech to get it cleared up.
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26273911
Regardless, it depends on whether the ISP has the routing in place for those address ranges pointing to your router's public address as the next hop. If they said they are good to go, you should be all set to use them.
 

Author Closing Comment

by:247ITSolutions
ID: 31674909
This was the first solution that got the job done, so if I need to do something else someone let me know - I'm still new to this.

Basically they routed that block to our public interface and I can just NAT those IPs as usual.

The only other option was to get a whole new IP block.

Thanks so much for your help everyone.
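The setup the closing comment describes (the ISP routes the second block to the ASA's outside address, and the ASA then publishes hosts from that block with ordinary static NAT) looks like this on the ASA. This is an added example, not configuration from the thread; the addresses are RFC 5737 documentation ranges laid out to mirror the two gateways mentioned above (.105 and .209), and the server address, object name and ACL name are assumptions.

```cisco
! Added example, not from the thread. Constructed assumptions:
!   original block 203.0.113.104/29: ISP gateway .105, ASA outside interface .106
!   second block  203.0.113.208/29: ISP gateway .209, but the ISP now routes this
!                 whole block to 203.0.113.106 instead (the accepted solution)
!   inside web server 192.168.10.20 should be reachable as 203.0.113.210 on TCP/443
!
! Because the ISP forwards the new block to the outside address, no address from
! it is configured on any ASA interface; the ASA only needs the NAT and the ACL.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.106 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.105

! --- ASA 8.2 and earlier: static one-to-one NAT keyed on the mapped address ---
static (inside,outside) 203.0.113.210 192.168.10.20 netmask 255.255.255.255
! Open only the published service; the implicit deny at the end of the ACL
! drops everything else sent to the new public address.
access-list outside_in extended permit tcp any host 203.0.113.210 eq 443
access-group outside_in in interface outside

! --- ASA 8.3 and later: object NAT, and the ACL references the real (inside) address ---
object network WEB01
 host 192.168.10.20
 nat (inside,outside) static 203.0.113.210
access-list outside_in extended permit tcp any object WEB01 eq 443
access-group outside_in in interface outside

! Check before asking the ISP to look at their side: the simulated inbound
! connection should end with "Action: allow" and show the translation to .20.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.210 443
```

If packet-tracer allows the flow but the address is still unreachable from the Internet, the ISP's route for 203.0.113.208/29 toward 203.0.113.106 is the thing to verify, since nothing on the ASA can make up for its absence.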
