Solved

Cisco ASA 5505, secondary IP on inside interface, same subnet

Posted on 2014-03-11
6
3,386 Views
Last Modified: 2014-03-19
Greetings,

I have need to have my ASA5505 listen on 2 IP addresses in the same subnet on the INSIDE interface (VLAN1).

The reason - another device with this secondary IP is being removed and I need to have the ASA listen on *both* its own IP and the IP of the device removed, at least until I find every device using the old gateway IP.

Example:
ASA (inside, VLAN1): 192.168.1.1 255.255.255.0

Old device "X":  192.168.1.10 255.255.255.0

I need something similar to (in router-speak):
int vlan 1
  ip address 192.168.1.1 255.255.255.0
  ip address 192.168.1.10 255.255.255.0 secondary
0
Comment
Question by:snowdog_2112
6 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39921978
You need to put the other subnet in its own vlan and dot1q the interface.
0
 

Author Comment

by:snowdog_2112
ID: 39922108
They are in the SAME subnet as mentioned in OP.  Thanks for quick response though.

Both devices have IP's in 192.168.1.0/24.

The old device is gone and won't be replaced, so I need the ASA to "own" 2 IP's on the same subnet - if only for a short while (months, perhaps).
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39922464
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:snowdog_2112
ID: 39924382
Nope.

Again - the secondary IP is on the SAME SUBNET as the primary.  I can't route from one to the other, and even if I wanted to, I can't VLAN it, since both IP's are in the middle of the same /24.

I have a hunch that it is somehow related to NAT - the devices pointing to 192.168.1.10 (the old IP, which has an arp alias on the ASA) are not being NAT'd or unNAT'd properly.
0
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 500 total points
ID: 39935301
The ASA can only have on IP address on the inside interface.

Maybe you can use other solutions like a layer 3 switch or second (cheap) router.
0
 

Author Closing Comment

by:snowdog_2112
ID: 39940750
Love Cisco...

HATE Cisco!

The ASA is "not a router", so for small businesses who might possibly need some routing features, you need an ASA for $500 and another "real router" for another $500-1000.

Or...a $200 Netgear.

At least on an ASA you can type exec commands in conf mode without "do <command>", unlike Cisco routers.

Fair trade-off....maybe.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now