?
Solved

Configure two outside IP blocks on an ASA5505

Posted on 2014-02-18
4
Medium Priority
?
511 Views
Last Modified: 2014-02-21
Hello,

We have an ASA5505 running  8.2(1) and ASDM 6.2. We recently upgraded to fiber and we were given a second outside IP Address Block by AT&T but can't get them to work with our current outside IP Block. AT&T has the first block of IP's assigned to one port on their Router and the second block on another port of their router. We have the first outside range plugged into our ASA on port 0/0 (as "Outside") and we just added the second range of IP's on port 0/1 of our ASA (as "outside40").  We need to somehow add this second outside range of IP's so they can be used by outside vendors to get into our LAN.  It seems like we need to add a second Static Route for this new block of IP's to work but the ASA won't allow it. Is there some way around this or is it  just not possible? Any help would be greatly appreciated.

Thanks,
pbmtech
0
Comment
Question by:pbmtech
  • 2
4 Comments
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 1332 total points
ID: 39868094
The proper way to do it (if you only needed an additional assignment) would be for AT&T to route the 2nd subnet to the IP of your existing inside interface.

Then, as you create static NAT entries, it will just work.
0
 
LVL 25

Accepted Solution

by:
Ken Boone earned 668 total points
ID: 39868101
Actually what needs to happen is that both addresses are used on the same outside interface.  So you have address space A and space B.

Address space A is currently used between ATT and the outside interface of the ASA.

What normally happens when a second block is used is that ATT will add that second address space as a secondary network on their router on the same interface as the first block.

When you build your NAT statements on the ASA, it tells the ASA to handle ARP on the outside interface for these new addresses.  

So you shouldn't have to add a route, or add an extra interface on your ASA for this additional block to work.  Just start building your NAT rules and ACL as if they actually lived on the outside interface.
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 1332 total points
ID: 39868132
Darn it, I meant outside interface.
0
 

Author Comment

by:pbmtech
ID: 39868159
Ok great. We were stumped on this one and were not sure where to go from here. I will contact AT&T and request that they put the new IP Block on the same address space as the first. Thanks to both of you for the quick response!
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month16 days, 1 hour left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question