Comments on: Adding a secondary IP address on a Cisco ASA Ethernet interface http://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/ The Journal Of A Linux Sysadmin Thu, 09 Feb 2012 03:50:59 +0000 hourly 1 http://wordpress.org/?v=3.3 By: Bretthttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-2/#comment-193910 Brett Tue, 07 Feb 2012 07:11:15 +0000 http://www.ducea.com/?p=241#comment-193910 This solution worked great but we've run into an odd issue. Communication between systems on both subnets is perfect with one exception. Devices on the new subnet cannot communicate with an Exchange Server on the main subnet (no ping reply). I suspect this has something do with this server having NAT configured on the ASA with an outside IP address... This solution worked great but we’ve run into an odd issue. Communication between systems on both subnets is perfect with one exception. Devices on the new subnet cannot communicate with an Exchange Server on the main subnet (no ping reply). I suspect this has something do with this server having NAT configured on the ASA with an outside IP address…

]]> By: Mikehttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-2/#comment-193657 Mike Thu, 03 Nov 2011 18:26:57 +0000 http://www.ducea.com/?p=241#comment-193657 I ran into this same issue, but we had already bought the license upgrade. So I created a second interface called inside2. But I plugged both interfaces into the same switch without any vlans configured on the switch. The ASA at the second interface on vlan12 but the switch removed all the tags. This didn't work at first until I noticed the sh int inside and sh int inside2 both reported the same MAC address. I changed the MAC address on inside2. No it works perfectly. And works with my vpn tunnels. I ran into this same issue, but we had already bought the license upgrade. So I created a second interface called inside2. But I plugged both interfaces into the same switch without any vlans configured on the switch. The ASA at the second interface on vlan12 but the switch removed all the tags. This didn’t work at first until I noticed the sh int inside and sh int inside2 both reported the same MAC address. I changed the MAC address on inside2. No it works perfectly. And works with my vpn tunnels.

]]> By: - Marius -http://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-2/#comment-193604 - Marius - Tue, 11 Oct 2011 01:29:54 +0000 http://www.ducea.com/?p=241#comment-193604 @Patrick: the "Cisco way" is to use VLANs for each network range. (regardless on your license type you are not able to have aliases on the interfaces). Or use another Cisco router to do the intervlan routing (any basic IOS router will have the ability to have interface aliases). hth. @Patrick: the “Cisco way” is to use VLANs for each network range. (regardless on your license type you are not able to have aliases on the interfaces). Or use another Cisco router to do the intervlan routing (any basic IOS router will have the ability to have interface aliases). hth.

]]> By: Patrickhttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-2/#comment-193603 Patrick Mon, 10 Oct 2011 05:22:54 +0000 http://www.ducea.com/?p=241#comment-193603 Hi Marius,You say the “Cisco way” to achieve this is to use separate vlans for each network range. I have the Security Plus license as I had to have an unlimited DMZ. How can you achieve this the “Cisco way”? Thank you for your help. Hi Marius,

You say the “Cisco way” to achieve this is to use separate vlans for each network range.
I have the Security Plus license as I had to have an unlimited DMZ.
How can you achieve this the “Cisco way”?
Thank you for your help.

]]> By: Dratashttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-2/#comment-193591 Dratas Mon, 03 Oct 2011 12:29:20 +0000 http://www.ducea.com/?p=241#comment-193591 This workaround is not working on ASA 5510 8.0(4)... This workaround is not working on ASA 5510 8.0(4)…

]]> By: tmghttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-2/#comment-193443 tmg Thu, 08 Sep 2011 09:03:07 +0000 http://www.ducea.com/?p=241#comment-193443 very useful thanks! very useful thanks!

]]> By: itguyhttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-2/#comment-192869 itguy Wed, 11 May 2011 23:16:03 +0000 http://www.ducea.com/?p=241#comment-192869 Hey Mod, Where have u been. I have been waiting for your reply for nearly a month. Hey Mod,
Where have u been. I have been waiting for your reply for nearly a month.

]]> By: scopedialhttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-2/#comment-192800 scopedial Wed, 27 Apr 2011 18:20:57 +0000 http://www.ducea.com/?p=241#comment-192800 awesome! I had to fiddle with sub-interfaces but it is working now! (PIX 515 with 8.0(4))The following is from Cisco Support..."In Cisco IOS you can configure router interfaces with one or more secondary IP addresses ("ip address .... secondary"). The PIX however is a security device and will not let you configure multiple IP addresses on an interface. So configuring a PIX interface with a secondary IP address is not possible. An additional IP would need to be configured on a new interface." awesome!
I had to fiddle with sub-interfaces but it is working now!
(PIX 515 with 8.0(4))

The following is from Cisco Support…

“In Cisco IOS you can configure router interfaces with one or more secondary IP addresses (“ip address …. secondary”). The PIX however is a security device and will not let you configure multiple IP addresses on an interface. So configuring a PIX interface with a secondary IP address is not possible. An additional IP would need to be configured on a new interface.”

]]> By: carlivarhttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-2/#comment-192792 carlivar Tue, 26 Apr 2011 22:40:45 +0000 http://www.ducea.com/?p=241#comment-192792 I hate the ASA. What a piece of crap. Ironically I discovered this lack of functionality as part of a project to migrate to real firewalls: Juniper SRX. I hate the ASA. What a piece of crap. Ironically I discovered this lack of functionality as part of a project to migrate to real firewalls: Juniper SRX.

]]> By: itguyhttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-2/#comment-192708 itguy Fri, 15 Apr 2011 09:41:28 +0000 http://www.ducea.com/?p=241#comment-192708 Hi thank for the wonderful info. I have a small scenario im trying in my pc. I have an asa 5505 with inside interface 192.168.1.0/24 and outside 192.168.0.0/24 The inside interface pc's are assigned dhcp ip addresses from the asa. On one of the inside pc's i have a vmware workstation in the network 10.10.10.0/24 i have done everything u mentioned here but the vmware workstation does not connect to the internet. ASA Version 8.2(1) ! hostname ciscoasa enable password encrypted passwd encrypted names ! interface Vlan1 mac-address xxxx.xxxx.xxxx nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 192.168.0.10 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 speed auto duplex auto ! interface Ethernet0/3 ! interface Ethernet0/4 speed auto duplex auto ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive same-security-traffic permit inter-interface same-security-traffic permit intra-interface access-list access_inbound extended permit tcp any host 192.168.1.0 eq www access-list access_inbound extended permit tcp any host 10.10.10.0 eq www pager lines 24 logging enable logging timestamp logging asdm informational mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 icmp deny any outside asdm history enable arp inside 10.10.10.10 503d.e553.8cdb alias arp timeout 14400 global (outside) 1 interface nat (inside) 1 10.10.10.0 255.255.255.0 nat (inside) 1 192.168.1.0 255.255.255.0 nat (inside) 1 0.0.0.0 0.0.0.0 access-group access_inbound in interface outside route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 route inside 10.10.10.0 255.255.255.0 192.168.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd auto_config outside ! dhcpd address 192.168.1.5-192.168.1.36 inside dhcpd enable inside !threat-detection basic-threat threat-detection scanning-threat shun duration 899 threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 webvpn ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum: : endAny suggestion how i can make it work Hi thank for the wonderful info. I have a small scenario im trying in my pc.
I have an asa 5505 with inside interface 192.168.1.0/24 and outside 192.168.0.0/24
The inside interface pc’s are assigned dhcp ip addresses from the asa. On one of the inside pc’s i have a vmware workstation in the network 10.10.10.0/24
i have done everything u mentioned here but the vmware workstation does not connect to the internet.
ASA Version 8.2(1)
!
hostname ciscoasa
enable password encrypted
passwd encrypted
names
!
interface Vlan1
mac-address xxxx.xxxx.xxxx
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
speed auto
duplex auto
!
interface Ethernet0/3
!
interface Ethernet0/4
speed auto
duplex auto
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list access_inbound extended permit tcp any host 192.168.1.0 eq www
access-list access_inbound extended permit tcp any host 10.10.10.0 eq www
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm history enable
arp inside 10.10.10.10 503d.e553.8cdb alias
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group access_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route inside 10.10.10.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection scanning-threat shun duration 899
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end

Any suggestion how i can make it work

]]>