ASA 5505 How to configure outside interface with 2 IP Addresses

Posted on 2015-01-06
Medium Priority
Last Modified: 2015-01-09
Our ISP has given us two ranges of IP addresses. One set is what they term the usable IPs for static/dynamic mapping purposes, and the other is the routing addresses of the ISP. For example, we have a range of X.X.X.73 - X.X.X.78/29. We currently have 4 of these addresses statically mapped to specific inside addresses. However, the route to the ISP is on a completely different subnet (X.X.X.30/30). With our current solution, we have the outside interface set up with the ISP gateway address of the X.X.X.30/30 and its route out of X.X.X.29/30. Our usable address of .73/29 is then set as a NAT policy doing a source translation that configures a dynamic IP and port. We have various locations that use PIX 501s to VPN into our current solution. The VPN tunnels have to be set with the .30/30 IP address, while any SSH configuration for those PIXs requires us to use the .73/29 IP address. I haven't had much experience with the ASA 5505 and am looking for a way to accomplish this, but I'm not sure how to go about it. Just looking for some guidance here. Config-Doc.docx
Question by:rtomasik
LVL 29

Expert Comment

by:Jan Springer
ID: 40534460
You don't.  When you configure a static IP address the ASA will arp that out if it's in the same subnet and, if not, then that IP will be routed to you.

It just works.

Author Comment

ID: 40535444
I thank you for your response; however, that's my problem. I didn't think that I would need to get this detailed, however, let me provide some more information. In the past we had a PIX firewall that we used as our solution, and we programmed our outside interface with the first IP address in the range of usable IPs, .73/29. However, when we used the route command to route our traffic to the ISP's router address, .29/30, we couldn't get anywhere. We had our ISP techs out here for 2 days and we couldn't get it to work properly. So, this is how the configuration, according to them and what I understood, should have been, nothing additional.


interface outside ip address X.X.X.73
route outside X.X.X.29 1 (the ISP /30 gateway)

Again for 2 days they couldn't get anything to work. After looking at the information provided by the ISP, it looked as if we were missing a hop somewhere, like we needed to bridge the gap so to speak. Finally I independently tried to work things out through a secondary router. We had an 1800 series available so I used that one. The resulting configuration was this:


interface outside ip address X.X.X.74
route outside X.X.X.73 1

1800 series

interface ethernet0/0 ip address X.X.X.73
interface ethernet0/1 ip address X.X.X.30
route outside X.X.X.29 1

Reading all the commands that we had at our disposal at the time, there seemed to be no other way to work around this. This was the only fix that I could come up with. Not only was it inconvenient, but we also lost an IP address that could have been used to map statically to a device. For our current solution, we have a Palo Alto firewall which allows us to configure the outside interface as the X.X.X.30/30 address and create a static route to the .29/30 address of the ISP's router. All inside traffic can get out to the internet. We are then able to use a policy to translate that interface's IP address to the first IP address in the "usable" range that they gave us. It is important that that interface is seen by the outside as the .73/29 address, since that is what our ISP is assigning us. Also, we need this because of our VPN configurations. While our PIXs are configured with the following to create the tunnels,

isakmp key ******** address X.X.X.30 (outside interface of the Palo Alto) netmask X.X.X.X no-xauth

the SSH configuration that we need to use to make them accessible from our corporate network is,

ssh X.X.X.73 X.X.X.X outside (translated ip address in the nat policy)

I did try configuring the ssh command with the /30 subnet address, but it was as if we didn't exist.

The only other additional configuration that the Palo Alto has is under interfaces. We created a loopback interface. This interface has all the usable IP addresses given to us by our ISP configured to it. When they assisted me in setting it up, the addresses were assigned to it with a /32 subnet.

After seeing the configuration that we use with the Palo Alto, it seemed to me that there must be some way to do the same with the ASA 5505. Again, I'm not familiar with this appliance, so I'm stumped. Configuration-wise it seems similar to the PIXs, but I know that it has so much more functionality.

Thanks again for your reply.
LVL 29

Expert Comment

by:Jan Springer
ID: 40535783
You shouldn't have to put the /29 on the outside interface -- that's for the /30.

What version of software are you running on the PIX?

Author Comment

ID: 40535844
We're not using a PIX at the corporate office, but we are looking at the ASA 5505 as a possible backup solution. The version of software is ASA 8.4(2).

So the question still remains: how will the outside know where the /29 addresses are located? We had that problem initially when we were programming the Palo Alto. That's why we needed to make the loopback interface configuration and the NAT policy for the outside interface.
LVL 29

Accepted Solution

Jan Springer earned 1500 total points
ID: 40535857

Put the /30 on the outside interface and route outside to your gateway.

Your provider should be routing the /29 to your outside IP (that's how the outside will know where they are).

When you configure your static IPs, they become "live"; there is nothing special that you do.

I configure static NAT on all kinds of 5500s and it just works.

And don't even compare Palo Alto to the Cisco. You are better off with Cisco in my opinion.
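The accepted solution written out as an ASA 8.4 configuration, as an added example that is not configuration from the thread, from Cisco, or from any of the participants. The addresses are placeholders from the 203.0.113.0/24 documentation range standing in for the X.X.X values: the ISP link becomes 203.0.113.28/30 (gateway .29, ASA .30) and the usable block becomes 203.0.113.72/29 (hosts .73 to .78). The inside network 192.168.1.0/24, the mapped server 192.168.1.10, the VLAN numbers, and the object and access-list names are all assumptions.

```cisco
! Outside interface carries ONLY the /30 that the ISP routes to.
! The /29 is never configured on any interface; the ISP routes it
! to 203.0.113.30 and the ASA simply answers for the NAT addresses.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.30 255.255.255.252
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Default route to the ISP side of the /30 (the .29 in the thread).
route outside 0.0.0.0 0.0.0.0 203.0.113.29 1
!
! Objects (assumed names). One host object per address from the /29
! that is used as a mapped address.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network PAT-73
 host 203.0.113.73
object network WEB-SERVER
 host 192.168.1.10
!
! Static one-to-one mapping of an inside host to a /29 address.
! Nothing else is needed for .74 to become "live".
object network WEB-SERVER
 nat (inside,outside) static 203.0.113.74
!
! Outbound traffic from the inside network is PAT'd to .73, so the
! remote PIX firewalls see the corporate network as .73 (the address
! their ssh allow-list references in the thread), while VPN peers
! still terminate on the interface address .30.
object network INSIDE-NET
 nat (inside,outside) dynamic PAT-73
!
! Inbound policy. On 8.3+ the ACL references the REAL (untranslated)
! address of the server, not the mapped .74. Permit only what the
! server needs to expose (HTTPS assumed here).
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE-IN in interface outside
```

To confirm the behaviour Jan describes, `show nat` lists the translations and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.74 443` (198.51.100.5 being a constructed external source) walks a packet for the mapped address through routing, NAT and the access list and shows whether it is allowed and where it is forwarded. The ordering matters on 8.4: the static object NAT for WEB-SERVER is evaluated before the dynamic PAT for INSIDE-NET, so return traffic to the server is not swallowed by the .73 rule.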

Author Comment

ID: 40535875
Ok. I'll have to try. Thanks.
LVL 57

Expert Comment

by:Pete Long
ID: 40539762
Jan is correct; it's quite common to have different subnet ranges outside of your firewall. The onus is on the ISP to get those subnets routed to YOU, not on you to route back to them :)
Cisco ASA 5500 - Adding New 'Different Range' Public IP Addresses


Author Comment

ID: 40540014
I appreciate the information. Unfortunately I won't be able to completely test this in the immediate future, so I will be closing this question and accepting the solution. If the need arises again I will ask again. Thanks to both.

Author Closing Comment

ID: 40540017
I gave this rating only since I will not be able to test this solution in the immediate future.
