Adding a secondary IP address on a Cisco ASA Ethernet interface
I have been working with various Cisco devices for many years now. Even though I hold a valid CCNP, I haven't had the chance over the past months to work with Cisco devices as much as I did when I was actively working in the ISP field. Still, from time to time I take on small Cisco-related consulting projects. This post will show how to overcome the frustration of the top-of-the-line Cisco ASA firewalls not supporting interface IP aliases.
Cisco PIX firewalls have been around for many years and I was aware of the stupid limitation they had of not being able to add IP aliases on their interfaces. Again, this was many years ago… Today, when I had to configure a small Cisco ASA 5505, I didn't even think that the fanciest line of Cisco firewalls would still have this limitation. You could say that the 5505 is the cheapest model and that this is the reason for the limitation. Well, it costs much more than any other similar hardware firewall, and honestly every other box I have seen supports this (I can't even call it a feature)… I can't be certain, as I don't have such a device to test on, but from what I can tell the whole ASA product line has the same issue, including the higher-end 5550 and 5580.
Now, why would I need this? Maybe I have several network ranges behind the ASA, and for whatever reason I don't need them in separate VLANs (my switches don't support VLANs, I have IPs from both ranges configured on some systems, etc.) and I don't want to pay a lot of money just to enable more VLANs on the box.
I will not give a Linux system as an example, as it is obvious to anyone that you can add as many IP aliases as you want on one Ethernet interface. Still, the ASA will not be able to do this. You could try the familiar IOS command to add a secondary IP on the interface/VLAN, hoping it is an undocumented feature, but you will see it is just not there…
Let's see what trick we can use to overcome this stupid limitation: we will use the Proxy-ARP facility so that the ASA answers ARP requests for another IP on the same Ethernet interface, without actually bringing that IP up on the interface. In my example I will be using eth0/1 and the 'inside' VLAN, vlan1, with an existing 'main' IP range configured: 192.168.0.1/24; I will add another IP, 192.168.1.1, so that hosts from this range will also work behind the ASA:
- first find out the MAC address of the Ethernet interface you will be using:
sh interface Ethernet0/1
this should show you the MAC address of the network interface.
- force this MAC address on the internal VLAN:
interface Vlan1
mac-address 0019.0726.xxxx
nameif inside
- now let's define a static ARP entry for the IP we want to use as secondary, using the same MAC address as the one from above, and enable proxy ARP on it with the alias keyword:
arp inside 192.168.1.1 0019.0726.xxxx alias
you can verify this is working properly using the show arp command, which should return the IP and MAC address, like this:
sh arp
inside 192.168.1.1 0019.0726.xxxx alias
...
- at this point any system on the local interface can use the IP as its default gateway and it will work just fine. We just need to ensure that return packets get back to the source, and this means we have to add a static route for this network on the inside interface (pointing to the main IP of the interface, 192.168.0.1 in my case):
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
- also we need to ensure that traffic is allowed between hosts on the same interface, and between interfaces with the same security level:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
and you probably want to be sure that the access lists will allow the traffic from/to the newly added network.
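As an added example (not code from the original post), a small Python helper that generates the lines from the steps above for any number of secondary IPs, refuses ranges that overlap the primary subnet or reuse the interface's own address, and checks a captured show arp for the expected alias entries; the interface name, MAC and addresses it uses are constructed sample values.

```python
"""Added helper (not from the original post): emit the arp-alias, route and
same-security lines for one or more secondary gateway IPs, reject inputs that
fail in practice, and check a captured 'show arp' for the alias entries."""
import ipaddress
import re

def normalize_mac(mac):
    """Accept 00:19:07:26:ab:cd or 0019.0726.abcd; return Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return "%s.%s.%s" % (digits[0:4], digits[4:8], digits[8:12])

def overlap_errors(primary_cidr, secondaries):
    """Return problems with the secondary ranges (empty list means OK)."""
    primary = ipaddress.ip_interface(primary_cidr)
    errors, seen = [], [primary.network]
    for sec_cidr in secondaries:
        sec = ipaddress.ip_interface(sec_cidr)
        if sec.ip == primary.ip:
            errors.append("%s is the interface's own address" % sec.ip)
        # an overlapping range is what makes the ASA say the route already exists
        errors += ["%s overlaps %s" % (sec.network, n)
                   for n in seen if sec.network.overlaps(n)]
        seen.append(sec.network)
    return errors

def build_secondary_config(vlan_if, nameif, primary_cidr, mac, secondaries):
    """ASA config lines; primary_cidr e.g. '192.168.0.1/24', secondaries
    are gateway-plus-prefix strings such as '192.168.1.1/24'."""
    problems = overlap_errors(primary_cidr, secondaries)
    if problems:
        raise ValueError("; ".join(problems))
    primary, mac = ipaddress.ip_interface(primary_cidr), normalize_mac(mac)
    lines = ["interface %s" % vlan_if, " mac-address %s" % mac,
             " nameif %s" % nameif, "!"]
    for sec_cidr in secondaries:
        sec = ipaddress.ip_interface(sec_cidr)
        # the ASA answers ARP for the secondary IP with the interface's own MAC
        lines.append("arp %s %s %s alias" % (nameif, sec.ip, mac))
        # return traffic for the secondary range is sent back via the primary IP
        lines.append("route %s %s %s %s 1" % (nameif, sec.network.network_address,
                                             sec.network.netmask, primary.ip))
    lines += ["same-security-traffic permit inter-interface",
              "same-security-traffic permit intra-interface"]
    return lines

ARP_LINE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]+)\s+alias\b")

def missing_aliases(show_arp_output, nameif, mac, secondaries):
    """Secondary IPs that 'show arp' does not list as alias with our MAC."""
    mac, present = normalize_mac(mac), set()
    for line in show_arp_output.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(1) == nameif and m.group(3) == mac:
            present.add(m.group(2))
    wanted = [str(ipaddress.ip_interface(s).ip) for s in secondaries]
    return [ip for ip in wanted if ip not in present]

# constructed sample of 'show arp' output, in the format shown in the post
SAMPLE_SHOW_ARP = ("        inside 192.168.0.20 0011.2233.4455 3600\n"
                   "        inside 192.168.1.1 0019.0726.abcd alias\n")
```

Paste the generated lines into configuration mode, then feed the real show arp output to missing_aliases; a non-empty result means the alias entry was not accepted.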
That’s it…
The "Cisco way" to achieve this is to use separate VLANs for each network range. Let's speculate about why Cisco doesn't want this 'feature' in their firewalls. Maybe because with the standard license the box doesn't support more than 2 full VLANs (and 1 limited DMZ VLAN), so you can't do this using VLANs even if you wanted to, and you have to buy a license upgrade to support more, or just to trunk them? What do you think? Do you think this is intentional, to make people buy their higher-end ASAs or upgrade to the Security Plus license (about $400-500 extra)?
Note: the only limitation of this method is that the 'secondary' IP will work as expected as a gateway for the systems behind the ASA, but will obviously not respond itself to network requests (like ping, for example). If this is not acceptable, you should go ahead and use the VLAN method instead.
I hope this post will help other people who have the same frustration and will show them how to use as many secondary IPs as they want. Even though this post used one ASA 5505 as the example, it should work just fine on other ASAs and even on PIXes.
25th June 2008, 19:08
On a Cisco router, an old 2600, we can easily add a secondary IP on an interface:
ip address 192.1.1.1 255.255.255.0 secondary.
25th June 2008, 19:46
nik: that is true, and as I explained, many other devices support this basic 'feature'. Still, try to do this on a Cisco ASA/PIX and let me know if you find a different solution than the one I presented.
26th June 2008, 19:46
There is an alternate method that I use with the 5505; it doesn't require adding a gateway address or anything to the ASA. For this to work, of course, the default gateway device of the ASA must be a router or L3 switch where you can add a secondary IP. On the ASA create a 1:1 static map of the new IP to the IP you wish to map to, add the appropriate ACL, and you're all set. If needed for NAT, you can specify it using global (outside) 1 "ip address or range or ACL". Works like a charm without needing VLANs or secondary addresses on the ASA itself; it also saves one IP since it isn't needed.
21st July 2008, 18:20
Thanks Marius!
I’m on the same problem due to this “limitation”. Just trying to migrate from one old platform that supports aliases to two brand new Cisco ASA Firewalls.
I’ll try this trick veeery sooooon!
27th August 2008, 06:01
Hi, thanks for this great information.
15th December 2008, 10:17
I was wondering, and tested it on a Cisco 1800 series router, and it didn't work.
15th December 2008, 10:29
@zach: this is not needed on Cisco routers; you can just set up a secondary IP address if you use a router, like this:
ip address 192.168.0.253 255.255.255.0 secondary
in interface configuration mode.
20th February 2009, 18:42
We just picked up a secondary block of public IPs and I'm trying to get them working on our ASA5510. Will these tricks work on the outside interface as well? Cisco is telling me it can't be done but I have other techs saying it is possible; they just don't know how on an ASA.
20th February 2009, 19:15
@James: I don't see any reason why this would not work. Actually, when I needed this it was used for both internal and external interfaces. As long as all 'external' devices (meaning devices other than the ASA) have the proper routing, this should work just fine.
3rd March 2009, 13:49
I'm at the moment configuring an ASA 5505 and am quite grateful I managed to find this post, though I have a little trouble getting the last step done: adding the route gives me an error that the route already exists. Any tips? :s
3rd March 2009, 16:03
@Peter: this means the route already exists; why is that? You are the only one who can see that.
Are you configuring an overlapping network range? Check the routing table and see which interface already has the route configured. Please double-check that the IP allocations are correct and this should not happen. hth.
29th April 2009, 10:56
Hi
One question: can I use the command "ip address … secondary" to add more public IPs?
29th April 2009, 11:04
@carmine: sure you can, but not on the ASA, which unfortunately is missing this 'great' feature. Still, all Cisco routers (and practically any other vendor's devices) have this facility.
29th April 2009, 11:20
I hope you can help me;
I must buy a new Cisco with these features:
1) exporting NetFlow for network diagnostics
2) one inside interface
3) one DMZ interface
4) two outside interfaces (for example A and B)
Outside B must be configured with 8 public IPs; which Cisco model can I buy?
29th April 2009, 11:32
@carmine: I don't think they support NetFlow in *any* ASA version. Still, if you want an ASA, probably the 5510 is the one you should be looking at, for your interface requirements. Check with your local Cisco reseller for more details.
29th April 2009, 12:13
The ASA model is not important; I asked your advice on another Cisco model with the features listed above.
The Cisco ASA 5580 supports NetFlow, but I have not found any information on whether it is possible to configure more public IPs (same subnet) on a single outside interface.
Thanks
29th April 2009, 12:26
@carmine: none of the ASAs support interface aliases (internal or external); as described in this post, you can trick it using the above method. You said you want 2 outside interfaces, one inside, and one DMZ, hence my suggestion of the 5510. You can use VLANs to separate the network traffic on the same interface, but not aliases. This is just not available on any ASA.
1st May 2009, 15:35
This worked great, although I have no idea what step 2 is for. I do not configure VLANs on my firewall; I simply add the VLAN attribute to a particular interface.
Also, I had to add static routes on my router so that remote networks know how to reach the new network behind the firewall. The routes point to the outside interface of the firewall.
5th May 2009, 02:45
I assume this is just for having DIFFERENT subnets on an interface, right?
I'm having trouble with a 5505 right now that is ALMOST explained by this… I have a /29 subnet from Comcast, with their commercial cable plan. So my gateway is .78, and I have .73 through .77. I assign the outside interface the address of .73, and then just set up my NAT rules for .74-.77, right? Well, when I do this, my inbound NAT rules are ignored. In fact, in the syslog I don't even see that the packets are getting there to be accepted or rejected.
There's nothing more I need to do on an ASA to get it to respond on more than one address in the same subnet, is there? I'm thinking there's something funky with Comcast, that they want to see a different MAC for each address or something.
Thanks for a great site.
5th May 2009, 03:42
Ugh… Just figured this out. SOMEHOW, my PROXYARP setting got turned off globally. DUH. Oh well, maybe someone else will learn from this mistake and posting!
-Steve
12th May 2009, 16:32
We’ll probably be using this technique to migrate IP spaces at my company. This will allow us to do the migration bit-by-bit, rather than having to re-ip dozens of devices all at once.
14th August 2009, 12:39
Hi, I requested additional public IP addresses from my ISP and they have given me a second subnet. I now have the original /30 subnet, which supports the ASA "outside" interface and the ISP router interface, and a new /29 subnet, giving me an additional 5 usable addresses (the first address being allocated as a secondary IP on the ISP router). I have set up NAT and ACLs to allow inbound connections to a server using one of the new addresses but this does not work (presumably because the public NAT address is in a different subnet to the outside interface). I could re-address the outside interface and only use the larger subnet but there are existing statics and many VPN connections already configured on the original subnet address. Do you think I can use this static ARP method? What about IP routing?
14th August 2009, 15:20
@Dave: if you use the static ARP method there is no routing involved. The IPs need to be on the same segment in order for this to work. From what I understand of your setup, it might be a better idea to use NAT if that is all you need. hth.
20th October 2009, 08:00
Great post!
Ever tried this on an FWSM?
13th November 2009, 21:38
Bravo Marius!
Thank you for this workaround. We are replacing an old Cisco PIX 515E with an ASA 5520 in a mid/large office. We have a few devices that are manually configured to point to the old PIX. By using your "static arp alias" workaround, our new ASA can route traffic pointed at our old internal IP gateway as well as the new IP address assigned to the ASA.
Thanks again.
16th August 2010, 21:10
Does this work the same if I want to use the secondary address as part of an IPSEC tunnel?
16th August 2010, 21:15
@Mark: I doubt that will work.
27th August 2010, 09:07
Very good article.
15th September 2010, 03:07
[...] to Marius Ducea's blog for the [...]
21st September 2010, 07:30
Nice article.
I am thinking of going ASA and I will need to add a secondary subnet on the outside interface of an ASA.
I then need to do some static NATting with the secondary subnet; do you think that will work? Will it let you add NAT rules against the aliases?
Thanks
21st September 2010, 09:48
@Nick: I think that should work fine. With the ASA, there doesn't seem to be any distinction between the inside and outside interfaces per se. It all depends on what commands are applied to which interfaces, so I can't imagine you'd have any trouble with the multiple addresses being on the outside instead of on the inside.
The one thing I can think of is that you might have trouble if one or both of your outside addresses are inside of someone else's NAT. I say that because you're only going to have one default gateway, so for example if your outside IP addresses are "1.2.3.4" and "10.10.10.10", and your default gateway is set to "1.2.3.1", and obviously 10.x is behind someone else's NAT, a packet received on the "10.10.10.10" network from a remote subnet is going to have its response routed back through the "1.2.3.1" address via the default gateway, which would break the OTHER NAT translation by bypassing it. Any NAT inside YOUR ASA would be fine.
I hope this makes sense.
There is also a mode, which I haven't used, which lets the ASA act as multiple separate firewalls in one piece of hardware. If this doesn't work directly, you might want to look into that. If the two outside addresses are configured in different virtual firewalls, then presumably they could have different default gateways, but I haven't used that feature, so I can't say.
Good luck!
Steve
22nd September 2010, 03:24
Thanks Steve, good point about double NATting,
very helpful
;o)
1st October 2010, 11:41
We have an ASA5510. Can you explain what is meant by an IP alias? Also, will this work for configuring a VLAN? I need to set up a site-to-site IPsec VPN tunnel that will connect using a VLAN on each end.
Since we are a small company with only one subnet, I'm trying to create a subinterface on e0/1 and I thought I could just use an IP address from within my current subnet, but I get an overlapping subnet error message when I do this. I'm not sure what IP address I can use for the subinterface then. Will this trick solve this issue, and how would I configure it using a private subnet 10.x.x.x?
18th November 2010, 14:01
We do not have any VLAN interfaces; what is the point of step 2? All our connections use g0/0 subinterfaces, i.e. .101, .102, .103, etc. Thanks
25th November 2010, 12:55
Would this be possible with a separate physical interface than the primary LAN? For example, I have a wireless access point I would like in a separate LAN on the PoE interface. Still in vlan 1.
6th December 2010, 06:21
We also found that if you static NAT, the entry goes right into the ARP table. We found that placing the NATed IP in a static ARP table did more harm than good.
14th April 2011, 13:59
Thank you very much for that trick! You made my day. I have to map 2 'global' (as they, Cisco, call it, that is to say publicly routable) IP addresses on the same subnet to the outside interface.
Why?
- I want to use the Phone Proxy feature of the ASA
- It does require a unique address and you can NOT use the address already assigned on any of the ASA interfaces
- I cannot use a third VLAN (I already use 2, inside and outside) because the 3rd address is on the same subnet as the one already assigned to the outside interface
- I could have used the "multiple context mode", which lets you divide the ASA into multiple virtual ASAs, but … I CANNOT, because the ASA 5505 doesn't support it (buy a 5510 …)
For all these reasons I thank you very much for this wonderful trick (although maybe well known to others), but I didn't know much about proxy-arp until today and I think I'll maybe reuse it in the future.
A French guy (excuse me for my poor English)
14th April 2011, 14:54
@Matthieu: I’m happy this old post is still useful and helped you.
15th April 2011, 02:41
Hi, thanks for the wonderful info. I have a small scenario I'm trying on my PC.
I have an ASA 5505 with inside interface 192.168.1.0/24 and outside 192.168.0.0/24.
The inside interface PCs are assigned DHCP IP addresses from the ASA. On one of the inside PCs I have a VMware Workstation in the network 10.10.10.0/24.
I have done everything you mentioned here but the VMware Workstation does not connect to the internet.
ASA Version 8.2(1)
!
hostname ciscoasa
enable password encrypted
passwd encrypted
names
!
interface Vlan1
mac-address xxxx.xxxx.xxxx
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
speed auto
duplex auto
!
interface Ethernet0/3
!
interface Ethernet0/4
speed auto
duplex auto
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list access_inbound extended permit tcp any host 192.168.1.0 eq www
access-list access_inbound extended permit tcp any host 10.10.10.0 eq www
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm history enable
arp inside 10.10.10.10 503d.e553.8cdb alias
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group access_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route inside 10.10.10.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 899
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
Any suggestion how I can make it work?
26th April 2011, 15:40
I hate the ASA. What a piece of crap. Ironically I discovered this lack of functionality as part of a project to migrate to real firewalls: Juniper SRX.
27th April 2011, 11:20
Awesome!
I had to fiddle with sub-interfaces but it is working now!
(PIX 515 with 8.0(4))
The following is from Cisco Support…
“In Cisco IOS you can configure router interfaces with one or more secondary IP addresses (“ip address …. secondary”). The PIX however is a security device and will not let you configure multiple IP addresses on an interface. So configuring a PIX interface with a secondary IP address is not possible. An additional IP would need to be configured on a new interface.”
11th May 2011, 16:16
Hey Mod,
Where have you been? I have been waiting for your reply for nearly a month.
8th September 2011, 02:03
Very useful, thanks!
3rd October 2011, 05:29
This workaround is not working on ASA 5510 8.0(4)…
9th October 2011, 22:22
Hi Marius,
You say the “Cisco way” to achieve this is to use separate vlans for each network range.
I have the Security Plus license as I had to have an unlimited DMZ.
How can you achieve this the “Cisco way”?
Thank you for your help.
10th October 2011, 18:29
@Patrick: the "Cisco way" is to use VLANs for each network range (regardless of your license type, you are not able to have aliases on the interfaces). Or use another Cisco router to do the inter-VLAN routing (any basic IOS router will have the ability to have interface aliases). hth.
3rd November 2011, 11:26
I ran into this same issue, but we had already bought the license upgrade. So I created a second interface called inside2. But I plugged both interfaces into the same switch without any VLANs configured on the switch. The ASA had the second interface on vlan12, but the switch removed all the tags. This didn't work at first until I noticed that sh int inside and sh int inside2 both reported the same MAC address. I changed the MAC address on inside2. Now it works perfectly. And it works with my VPN tunnels.