Adding a secondary IP address on a Cisco ASA Ethernet interface
I have been working with various Cisco devices for many years now. Even though I hold a valid CCNP, I haven’t had the chance to work with Cisco devices during the past months as much as I did when I was actively working in the ISP field. Still, from time to time I take on small Cisco-related consulting projects. This post will show how to work around the frustration of the top-of-the-line Cisco ASA firewalls not supporting IP aliases (secondary addresses) on an interface.
Cisco PIX firewalls have been around for many years and I was aware of the stupid limitation they had of not being able to add IP aliases on their interfaces. Again, this was many years ago… Today, when I had to configure a small Cisco ASA 5505, I didn’t even imagine that the fanciest line of Cisco firewalls still has this limitation. You could say that the 5505 is the cheapest model and that this is the reason for the limitation. Well, it costs much more than any other similar hardware firewall, and honestly every other box I have seen supports this (I can’t even call it a feature)… I can’t be certain, as I don’t have such a device to test on, but from what I can tell the whole ASA product line has the same issue, including the higher-end 5550 and 5580.
Now, why would I need this? Maybe I have several network ranges behind the ASA, and for whatever reason I don’t want them in separate VLANs (my switches don’t support VLANs, I have IPs from both ranges configured on some systems, etc.), and I don’t want to pay a lot of money just to enable more VLANs on the box.
I will not use a Linux system as an example, as it is obvious to anyone that you can add as many IP aliases as you want on one Ethernet interface. Still, the ASA will not do this. You could try the familiar IOS command to add a secondary IP on the interface/VLAN (ip address x.x.x.x mask secondary), hoping it is an undocumented feature, but you will see that it is just not there…
Let’s see what trick we can use to work around this stupid limitation: we will use the Proxy ARP facility so that the ASA answers ARP requests for another IP on the same Ethernet interface, without actually configuring that IP on it. In my example I will be using Ethernet0/1 and the ‘inside’ VLAN, Vlan1, with an existing ‘main’ IP range configured: 192.168.0.1/24; I will add another IP, 192.168.1.1, so hosts from this range will also work behind the ASA:
- first find out the MAC address of the Ethernet interface you will be using:
sh interface Ethernet0/1
this should show you the MAC address of the network interface.
- force this MAC address on the internal VLAN interface. This pins the address the ‘inside’ interface answers ARP with, so that the static ARP entry in the next step refers to a known, stable MAC (if your interface already shows a MAC of its own, you can simply use that address in the next step):
interface Vlan1
mac-address 0019.0726.xxxx
nameif inside
- now let’s define a static ARP entry for the IP we want to use as secondary, using the same MAC address as the one from above, and enable proxy ARP on it with the alias keyword:
arp inside 192.168.1.1 0019.0726.xxxx alias
you can verify this is working properly using the show arp command, which should return the IP and MAC address, like this:
sh arp
inside 192.168.1.1 0019.0726.xxxx alias
...
- at this point any system on the local interface can use this IP as its default gateway and it will work just fine. We just need to ensure that return packets get back to the source, and this means we have to add a static route for this network on the inside interface (pointing to the main IP of the interface, 192.168.0.1 in my case):
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
- also we need to ensure that traffic is allowed between hosts on the same interface (traffic from 192.168.1.x to 192.168.0.x enters and leaves the ASA through ‘inside’), and between interfaces with the same security level:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
and you probably want to be sure that access lists (and any NAT rules for outbound traffic) will allow the traffic from/to the newly added network.
That’s it…
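Putting the steps above together, here is the whole ‘inside’ side of the example as one configuration block. This is an added example, not taken from the original post: the MAC address 0019.0726.abcd, the security level, the access-list name inside_in and the existence of an interface named ‘outside’ are assumptions chosen for illustration, and the NAT lines use the pre-8.3 syntax that was current for this ASA software (on 8.3 and later the NAT rules look different).

```text
! Added example: complete 'inside' configuration with a proxy-ARP secondary
! address on an ASA 5505. The MAC address, security level, ACL name and the
! 'outside' interface name are assumptions for illustration (pre-8.3 syntax).
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 mac-address 0019.0726.abcd
!
! Answer ARP requests for 192.168.1.1 with the inside MAC, without owning the IP
arp inside 192.168.1.1 0019.0726.abcd alias
!
! Tell the ASA that 192.168.1.0/24 is reached directly on 'inside'
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
!
! 192.168.1.x <-> 192.168.0.x traffic enters and leaves through the same interface
same-security-traffic permit intra-interface
!
! Let both ranges out (assumption: an inbound ACL is applied on 'inside');
! tighten to your own policy
access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside
!
! Outbound PAT must also cover the new range (assumption: pre-8.3 syntax,
! interface named 'outside'); skip if an existing nat rule already matches 0.0.0.0
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Verification commands
show arp
show route
```

After pasting this, show arp should list the 192.168.1.1 alias entry with the inside MAC, as in the post above, and show route should carry the static entry for 192.168.1.0/24 on inside. A host configured as 192.168.1.10/24 with gateway 192.168.1.1 can then be checked with a ping to 192.168.0.x and to something beyond the ASA; pinging 192.168.1.1 itself will not answer, which is expected (see the note at the end of the post).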
The “Cisco way” to achieve this is to use separate VLANs for each network range. Let’s speculate on why Cisco doesn’t want this ‘feature’ in their firewalls. Maybe because on the standard license the box doesn’t support more than 2 full VLANs (and 1 limited DMZ), so you can’t do this using VLANs even if you wanted to, and you have to buy a license upgrade to support more, or just to trunk them? What do you think? Do you think this is intentional, to make people buy their higher-end ASAs or upgrade to the Security Plus license (about $400-500 extra)?
Note: the only limitation of this method is that the ‘secondary’ IP will work as expected as a gateway for the systems behind the ASA, but the ASA itself will obviously not respond on it to network requests (like ping, for example), since the address is never actually configured on the interface. If this is not acceptable, you should go ahead and use the VLAN method.
I hope this post will help other people who have the same frustration and show them how to use as many secondary IPs as they want. Even though this post was demonstrated on one ASA 5505, it should work just fine on other ASAs and even on PIXes.
25th June 2008, 19:08
On a Cisco router, an old 2600, we can easily add a secondary IP on an interface:
ip address 192.1.1.1 255.255.255.0 secondary
25th June 2008, 19:46
nik: that is true, and as I explained, many other devices support this basic ‘feature’. Still, try to do this on a Cisco ASA/PIX and let me know if you find a different solution than the one I presented.
26th June 2008, 19:46
There is an alternate method that I use with the 5505; it doesn’t require adding a gateway address or anything to the ASA. For this to work, of course, the default gateway device of the ASA must be a router or L3 switch where you can add a secondary IP. On the ASA create a 1:1 static map of the new IP to the IP you wish to map to, add the appropriate ACL, and you’re all set. If needed for NAT, you can specify it using global (outside) 1 “ip address or range or ACL”. Works like a charm without needing VLANs or secondary addresses on the ASA itself; it also saves one IP since it isn’t needed.
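To make the alternative in the comment above concrete, here is an added example configuration (not the commenter’s own config, and not from the original post) for the upstream-router variant: the ISP router holds the new public block as a secondary address on the link facing the ASA, and the ASA only needs NAT and ACL entries for addresses from that block. Everything here is an assumption for illustration: the documentation ranges 198.51.100.0/30 (link) and 203.0.113.8/29 (new block), the interface names, the internal host 192.168.0.10, and the pre-8.3 NAT syntax.

```text
! Added example (assumptions: link 198.51.100.0/30 with ISP router .1 holding
! 203.0.113.8/29 as a secondary address; web server 192.168.0.10 on 'inside';
! pre-8.3 NAT syntax). Addresses are documentation ranges, not real ones.
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! 1:1 static map. The ASA proxy-ARPs on 'outside' for the mapped address even
! though 203.0.113.10 is not in the interface's own subnet, so the router's ARP
! for it is answered; no secondary address is configured on the ASA itself.
static (inside,outside) 203.0.113.10 192.168.0.10 netmask 255.255.255.255
!
! Inbound policy: pre-8.3 ACLs on 'outside' match the mapped (public) address
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
!
! Outbound PAT for everything else, using another address from the new block
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.11
!
! Verification commands
show xlate
show nat
```

The trap to watch for with this variant is the one described further down in the comments: the ASA answers ARP for the mapped addresses only while proxy ARP is enabled on the outside interface, so if inbound connections silently disappear before any syslog entry, check that sysopt noproxyarp has not been set for that interface.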
21st July 2008, 18:20
Thanks Marius!
I’m on the same problem due to this “limitation”. Just trying to migrate from one old platform that supports aliases to two brand new Cisco ASA Firewalls.
I’ll try this trick veeery sooooon!
27th August 2008, 06:01
Hi, thanks for this great information.
15th December 2008, 10:17
I was wondering and tested this on a Cisco 1800 series router and it didn’t work.
15th December 2008, 10:29
@zach: this is not needed on Cisco routers; you can just set up a secondary IP address if you use a router, like this:
ip address 192.168.0.253 255.255.255.0 secondary
in interface configuration mode.
20th February 2009, 18:42
We just picked up a secondary block of public IPs and I’m trying to get them working on our ASA 5510. Will these tricks work on the outside interface as well? Cisco is telling me it can’t be done, but I have other techs saying it is possible; they just don’t know how on an ASA.
20th February 2009, 19:15
@James: I don’t see any reason why this would not work. Actually when I needed this it was used for both internal and external interfaces. As long as all ‘external’ routing (meaning other devices besides the asa) have the proper routing this should work just fine.
3rd March 2009, 13:49
I’m at the moment configuring an ASA 5505 and am quite grateful I managed to find this post, though I have a little trouble getting the last step done: adding the route gives me an error that the route already exists. Any tips? :s
3rd March 2009, 16:03
@Peter: this means the route already exists; why is that? You are the only one who can see that.
Are you configuring an overlapping network range? Check the routing table and see which interface has the route configured already. Please double check that the IP allocations are correct and this should not happen. hth.
29th April 2009, 10:56
Hi
one question: can I use the command “ip address … secondary” to add more public IPs?
29th April 2009, 11:04
@carmine: sure you can, but not on the ASA, which unfortunately is missing this ‘great’ feature. Still, all Cisco routers (and practically any other vendor’s devices) have this facility.
29th April 2009, 11:20
I hope you can help me,
I must buy a new Cisco with these features:
1) exporting NetFlow for network diagnostics
2) one inside interface
3) one DMZ interface
4) two outside interfaces (for example A and B)
Outside B must be configured with 8 public IPs; which Cisco model can I buy?
29th April 2009, 11:32
@carmine: I don’t think they support NetFlow in *any* ASA version. Still, if you want an ASA, probably the 5510 is the one you should be looking at for your interface requirements. Check with your local Cisco reseller for more details.
29th April 2009, 12:13
The ASA model is not important; I asked you for advice on another Cisco model with the features listed above.
The Cisco ASA 5580 supports NetFlow, but I have not found any information on whether it is possible to configure more public IPs (same subnet) on a single outside interface.
thanks
29th April 2009, 12:26
@carmine: none of the ASAs support interface aliases (internal or external); as described in this post you can trick it by using the above method. You said you want 2 outside interfaces, one inside, and one DMZ, so my suggestion is the 5510. You can use VLANs to separate the network traffic on the same interface, but not aliases. This is just not available on any ASA.
1st May 2009, 15:35
This worked great, although I have no idea what step 2 is for. I do not configure VLANs on my firewall; I simply add the VLAN attribute to a particular interface.
Also, I had to add static routes on my router so that remote networks know how to reach the new network behind the firewall. The routes point to the outside interface of the firewall.
5th May 2009, 02:45
I assume this is just for having DIFFERENT subnets on an interface, right??
I’m having trouble with a 5505 right now that is ALMOST explained by this… I have a /29 subnet from Comcast, with their commercial cable plan. So, my gateway is .78, and I have .73 through .77… I assign the outside interface the address of .73, and then just set up my NAT rules for .74-.77, right?? Well, when I do this, my inbound NAT rules are ignored. Matter of fact, in the syslog, I don’t even see that the packets are getting there to be accepted or rejected..
There’s nothing more I need to do on an ASA to get it to respond on more than one address in the same subnet, is there?? I’m thinking there’s something funky with Comcast, that they want to see a different MAC for each address or something..
Thanks for a great site..
5th May 2009, 03:42
Ugh.. Just figured this out.. SOMEHOW, my PROXYARP setting got turned off globally.. DUH.. Oh well, maybe someone else will learn from this mistake and this posting!!
-Steve
12th May 2009, 16:32
We’ll probably be using this technique to migrate IP spaces at my company. This will allow us to do the migration bit-by-bit, rather than having to re-ip dozens of devices all at once.
14th August 2009, 12:39
Hi, I requested additional public IP addresses from my ISP and they have given me a second subnet. I now have the original /30 subnet, which supports the ASA “outside” interface and the ISP router interface, and a new /29 subnet, giving me an additional 5 usable addresses (the first address being allocated as a secondary IP on the ISP router). I have set up NAT and ACLs to allow inbound connections to a server using one of the new addresses, but this does not work (presumably because the public NAT address is in a different subnet to the outside interface). I could re-address the outside interface and only use the larger subnet, but there are existing statics and many VPN connections already configured on the original subnet address. Do you think I can use this static ARP method? What about IP routing?
14th August 2009, 15:20
@Dave: if you use the static ARP method there is no routing involved. The IPs need to be on the same segment in order for this to work. From what I understand of your setup, it might be a better idea to use NAT if that is all you need. hth.
20th October 2009, 08:00
Great Post !
Ever tried this on a FWSM ?
13th November 2009, 21:38
Bravo Marius!
Thank you for this workaround. We are replacing an old Cisco PIX 515E with an ASA 5520 in a mid/large office. We have a few devices that are manually configured to point to the old PIX. By using your “static arp alias” workaround, our new ASA can route traffic pointed at our old internal IP gateway as well as the new IP address assigned to the ASA.
Thanks again.