Solved

Need some help using multiple subnets on WAN interface for 5510

Posted on 2013-12-06
3
721 Views
Last Modified: 2013-12-06
Hello Cisco Experts!  I've recently taken over a new role from a co-worker and could really use some expert advice.  I'm attempting to setup Outlook Web Access and a secondary MX record over at my failover datacenter.  There I have a 5510 which already has an IP assigned by our ISP bound to the WAN interface.  I purchased a new block of addresses on a different subnet that I'd like to use for OWA and a secondary MX record at my datacenter.  I can't seem to bind more than one public address in a different subnet to the WAN interface which is how I thought this would work.  I further read that the work-around is to use Proxy ARP and NAT.  Being new to this I could really use some step-by-step help in configuring the ASA so the new addresses I have are properly forwarded to Exchange (OWA) and Websense (secondary MX).  I can have Cisco support do it but I want to understand how this works so I can be more useful in the future.  Many thanks in advance for any assistance!
0
Comment
Question by:First Last
3 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39701679
What you want to do is create a sub interface and use VLAN.  Here is a post from Cisco forum that describes how:

https://learningnetwork.cisco.com/thread/10502
0
 
LVL 24

Accepted Solution

by:
Ken Boone earned 500 total points
ID: 39701847
So basically you have something like this:


ISP  - public IP address space - ASA Outside - Inside IP Address space

but now you have the following:

ISP - 2 public IP address spaces - ASA outside - Inside IP Address space

If that is the case, then the ISP simply routes traffic to the new IP address space to the outside ip address of your firewall.

Your ASA DOES NOT have to have an interface on this new public ip address block in order to utilize it.  When you set up your nat rules,  you define a host on the inside(or DMZ) that will have a static nat address of a host on the new ip address block.

When traffic is routed to the ASA for this new block, the ASA knows that that public address you defined in the NAT statement is "published", if you will, on the outside, and will perform the correct translation and pass the traffic appropriately.
0
 
LVL 1

Author Comment

by:First Last
ID: 39701933
We actually got it working using proxy arp, just had to make sure the NAT line was in the right order, we had it at the bottom and it had to be moved up.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question