Solved

Configure two outside IP blocks on an ASA5505

Posted on 2014-02-18
4
469 Views
Last Modified: 2014-02-21
Hello,

We have an ASA5505 running  8.2(1) and ASDM 6.2. We recently upgraded to fiber and we were given a second outside IP Address Block by AT&T but can't get them to work with our current outside IP Block. AT&T has the first block of IP's assigned to one port on their Router and the second block on another port of their router. We have the first outside range plugged into our ASA on port 0/0 (as "Outside") and we just added the second range of IP's on port 0/1 of our ASA (as "outside40").  We need to somehow add this second outside range of IP's so they can be used by outside vendors to get into our LAN.  It seems like we need to add a second Static Route for this new block of IP's to work but the ASA won't allow it. Is there some way around this or is it  just not possible? Any help would be greatly appreciated.

Thanks,
pbmtech
0
Comment
Question by:pbmtech
  • 2
4 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 39868094
The proper way to do it (if you only needed an additional assignment) would be for AT&T to route the 2nd subnet to the IP of your existing inside interface.

Then, as you create static NAT entries, it will just work.
0
 
LVL 24

Accepted Solution

by:
Ken Boone earned 167 total points
ID: 39868101
Actually what needs to happen is that both addresses are used on the same outside interface.  So you have address space A and space B.

Address space A is currently used between ATT and the outside interface of the ASA.

What normally happens when a second block is used is that ATT will add that second address space as a secondary network on their router on the same interface as the first block.

When you build your NAT statements on the ASA, it tells the ASA to handle ARP on the outside interface for these new addresses.  

So you shouldn't have to add a route, or add an extra interface on your ASA for this additional block to work.  Just start building your NAT rules and ACL as if they actually lived on the outside interface.
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 39868132
Darn it, I meant outside interface.
0
 

Author Comment

by:pbmtech
ID: 39868159
Ok great. We were stumped on this one and were not sure where to go from here. I will contact AT&T and request that they put the new IP Block on the same address space as the first. Thanks to both of you for the quick response!
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

 One of the main issues with network wires is that you never have enough.  You run plenty and plan for the worst case but you still end up needing more.  What many people do not realize is with 10BaseT and 100BaseT (but not 1000BaseT) networks you …
Before I go to far, let's explain HA (High Availability) and why you should consider it.  High availability is the mechanism used to provide redundancy to any service at the same site and appears as a single service to the users of that service.  As…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now