ASA 5505 How to configure outside interface with 2 IP Adresses

Our ISP has given us two ranges of IP addresses. One set is what they term the usable IP's for static/dynamic mapping purposes, and the other is the routing addresses of the ISP. For example, we have a range of X.X.X.73 - X.X.X.78/29. We currently have 4 of these addresses statically mapped to specific inside addresses. However, the route to the ISP is on a completely different subnet (X.X.X.30/30). With our current solution, we have the outside interface setup with the ISP Gateway address of the X.X.X.30/30 and it's route out of X.X.X.29/30. Our useable address of .73/29 is then set as a nat policy doing a source translation that configures a dynamic ip and port. We have various locations that use PIX 501's to VPN into our current solution. The VPN tunnels have to be set with the .30/30 ip address while any ssh configuration for those PIX's requires us to use the .73/29 ip address. I haven't had much experience with the ASA 5505 and am looking for a way to accomplish this, but not sure how to go about it. Just looking for some guidance here. Config-Doc.docx
rtomasikSystems AdministratorAsked:
Who is Participating?
Jan SpringerConnect With a Mentor Commented:

Put the /30 on the outside interface and route outside to your gateway.

Your provider should be routing the /29 to your outside IP (that's how the outside will know where they are).

When you configure your static IPs, they become "live", there is nothing special that you do.  

I configure static NAT on all kinds of 5500s and it just works.

And don't even compare Palo Alto the the Cisco.  You are better off with Cisco in my opinion.
Jan SpringerCommented:
You don't.  When you configure a static IP address the ASA will arp that out if it's in the same subnet and, if not, then that IP will be routed to you.

It just works.
rtomasikSystems AdministratorAuthor Commented:
I thank you for your response, however that's my problem. I didn't think that I would need to get this detailed, however, let me provide some more information. In the past we had a PIX firewall that we used as our solution and we programmed our outside interface with the first IP address in the range of usable IP's .73/29, However, when we used the route command to route our traffic to the ISP's router address, .29/30, we couldn't get anywhere. We had our ISP techs out here for 2 days and we couldn't get it to work properly. So, this is how the configuration according to them, and what I understood, should have been, nothing additional.


interface outside ip address X.X.X.73
route outside X.X.X.29 1 (the ISP /30 gateway)

Again for 2 days they couldn't get anything to work. After looking at the information provided by the ISP, it looked as if we were missing a hop somewhere, like we needed to bridge the gap so to speak. Finally I independently tried to work things out through a secondary router. We had an 1800 series available so I used that one. The resulting configuration was this:


interface outside ip address X.X.X.74
route outside X.X.X.73 1

1800 series

interface ethernet0/0 ip address X.X.X.73
interface ethernet0/1 ip address X.X.X.30
route outside X.X.X.29 1

Reading all the commands that we had at our disposal at the time, there seemed there was no other way to work around this. This was the only fix that I could come up with.  Not only was it inconvenient, but we also lost an IP address that could have been used to map statically to a device. For our current solution, we have a Palo Alto firewall which allows us to configure the outside interface as the X.X.X.30/30 address and create a static route to the .29/30 address of the ISP's router. All inside traffic can get out to the internet. We then are able to use a policy to translate that interface's IP address to the first IP address in the "usable" range that they gave us. It is important that that interface is seen by the outside as the .73/29 address since that is what our ISP is assigning us. Also, we need this because of our VPN configurations. While our PIX's are configured with the following to create the tunnels,

isakmp key ******** address X.X.X.30 (outside interface of the Palo Alto) netmask X.X.X.X no-xauth

the ssh configuration that we need to use to make them accessible from our corporate network is,

ssh X.X.X.73 X.X.X.X outside (translated ip address in the nat policy)

I did try configuring the ssh command with the /30 subnet address, but it was as if we didn't exist.

The only other additional configuration that the Palo Alto has is under interfaces. We created a loopback interface. This interface has all the usable IP addresses given to us by our ISP configured to it. When they assisted me in setting it up, the addresses were assigned to it with a /32 subnet.

After seeing the configuration that we use with the Palo Alto, it seemed to me that there must be some way to do the same with the ASA 5505. Again, I'm not familiar with this appliance so I'm stumped. Configuration wise it seems similar to the PIX's, but I know that it has so much more functionality.

Thanks again for your reply.
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

Jan SpringerCommented:
You shouldn't have to put the /29 on the outside interface -- that's for the /30.

What version of software are you running on the PIX?
rtomasikSystems AdministratorAuthor Commented:
We're not using a PIX at the corporate office, but we are looking at the ASA 5505 as a possible backup solution. The version of Software is ASA 8.4(2).

So the question still remains how will the outside know where the /29 addresses are located? We had that problem initially when we were programming the Palo Alto. That's why we needed to make the Loopback interface configuration and the NAT Policy for the outside interface.
rtomasikSystems AdministratorAuthor Commented:
Ok. I'll have to try. Thanks.
Pete LongTechnical ConsultantCommented:
Jan is correct, its quite common to have different subnet ranges outside of your firewall, the onus is on the ISP you get those subnets routed to YOU, not on you to route back to them :)
Cisco ASA 5500 - Adding New 'Different Range' Public IP Addresses

rtomasikSystems AdministratorAuthor Commented:
I appreciate the information. Unfortunately I won't be able to completely test this in the immediate future so I will be closing this question and accepting the solution. It the need arises again I will ask again. Thanks to both.
rtomasikSystems AdministratorAuthor Commented:
I gave this rating only since I will not be able to test this solution in the immediate future.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.