Comments on: Adding a secondary IP address on a Cisco ASA Ethernet interface http://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/ The Journal Of A Linux Sysadmin Sat, 20 Mar 2010 12:30:06 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: X-Rayhttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-1/#comment-181275 X-Ray Fri, 13 Nov 2009 21:38:47 +0000 http://www.ducea.com/?p=241#comment-181275 Bravo Marius!Thank you for this workaround. We are replacing an old Cisco Pix 515E with an ASA 5520 in a mid/large office. We have a few devices that are manually configured to point to the old PIX. By using your "static arp alias" workaround, our new ASA can route traffic pointed at our old internal IP gateway as well as the new IP address assigned to the ASA.Thanks again. Bravo Marius!

Thank you for this workaround. We are replacing an old Cisco Pix 515E with an ASA 5520 in a mid/large office. We have a few devices that are manually configured to point to the old PIX. By using your “static arp alias” workaround, our new ASA can route traffic pointed at our old internal IP gateway as well as the new IP address assigned to the ASA.

Thanks again.

]]> By: jimmyhttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-1/#comment-181200 jimmy Tue, 20 Oct 2009 08:00:50 +0000 http://www.ducea.com/?p=241#comment-181200 Great Post ! Ever tried this on a FWSM ? Great Post !
Ever tried this on a FWSM ?

]]> By: - Marius -http://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-1/#comment-180767 - Marius - Fri, 14 Aug 2009 15:20:06 +0000 http://www.ducea.com/?p=241#comment-180767 @Dave: if you use the static arp method there is no routing involved. The ips need to be on the same segment in order for this to work. From what I understand from your setup it might be a better idea to use nat if that is only what you need. hth. @Dave: if you use the static arp method there is no routing involved. The ips need to be on the same segment in order for this to work. From what I understand from your setup it might be a better idea to use nat if that is only what you need. hth.

]]> By: Davehttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-1/#comment-180765 Dave Fri, 14 Aug 2009 12:39:48 +0000 http://www.ducea.com/?p=241#comment-180765 Hi, I requested additional public IP addresses from my ISP and they have given me a second subnet. I now have the original /30 subnet which supports the ASA "outside" interface and the ISP router interface and a new /29 subnet, giving me an additional 5 useable addresses (the first address being allocated as a secondary IP on the ISP router). I have setup nat and acls to allow inbound connections to a server usig one of the new addresses but this does not work (presumably because the public nat address is in a different subnet to the outside interface). I could re-address the outside interface and only use the larger subnet but there are existing statics and many vpn connections already configured on the original subnet address. Do you think I can use this static arp method? What about IP routing? Hi, I requested additional public IP addresses from my ISP and they have given me a second subnet. I now have the original /30 subnet which supports the ASA “outside” interface and the ISP router interface and a new /29 subnet, giving me an additional 5 useable addresses (the first address being allocated as a secondary IP on the ISP router). I have setup nat and acls to allow inbound connections to a server usig one of the new addresses but this does not work (presumably because the public nat address is in a different subnet to the outside interface). I could re-address the outside interface and only use the larger subnet but there are existing statics and many vpn connections already configured on the original subnet address. Do you think I can use this static arp method? What about IP routing?

]]> By: Andrewhttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-1/#comment-180331 Andrew Tue, 12 May 2009 16:32:22 +0000 http://www.ducea.com/?p=241#comment-180331 We'll probably be using this technique to migrate IP spaces at my company. This will allow us to do the migration bit-by-bit, rather than having to re-ip dozens of devices all at once. We’ll probably be using this technique to migrate IP spaces at my company. This will allow us to do the migration bit-by-bit, rather than having to re-ip dozens of devices all at once.

]]> By: Stevehttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-1/#comment-180305 Steve Tue, 05 May 2009 03:42:34 +0000 http://www.ducea.com/?p=241#comment-180305 Ugh.. Just figured this out.. SOMEHOW, my PROXYARP setting got turned off globally.. DUH.. Oh well, maybe someone else will learn from this mistake and posting!!-Steve Ugh.. Just figured this out.. SOMEHOW, my PROXYARP setting got turned off globally.. DUH.. Oh well, maybe someone else will learn from this mistake and posting!!

-Steve

]]> By: Stevehttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-1/#comment-180304 Steve Tue, 05 May 2009 02:45:10 +0000 http://www.ducea.com/?p=241#comment-180304 I assume this is just for having DIFFERENT subnets on an interface, right??I'm having a trouble with a 5505 right now that is ALMOST explained by this... I have a /29 subnet from Comcast, with their commercial cable plan.. So, my gateway is .78, and I have .73 through .77.... I assign the outside interface the address of .73, and then just setup my NAT rules for .74-77, right?? Well, when I do this, my inbound NAT rules are ignored. Matter of fact, in the syslog, I dont even see that the packets are getting there to be accepted or rejected..There's nothing more I need to do on an ASA to get it to respond on more than one address in the same subnet is there?? I'm thinking there's something funky w/ Comcast that they want to see a different MAC for each address or something..Thanks for a great site.. I assume this is just for having DIFFERENT subnets on an interface, right??

I’m having a trouble with a 5505 right now that is ALMOST explained by this… I have a /29 subnet from Comcast, with their commercial cable plan.. So, my gateway is .78, and I have .73 through .77…. I assign the outside interface the address of .73, and then just setup my NAT rules for .74-77, right?? Well, when I do this, my inbound NAT rules are ignored. Matter of fact, in the syslog, I dont even see that the packets are getting there to be accepted or rejected..

There’s nothing more I need to do on an ASA to get it to respond on more than one address in the same subnet is there?? I’m thinking there’s something funky w/ Comcast that they want to see a different MAC for each address or something..

Thanks for a great site..

]]> By: Neal Ghttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-1/#comment-180278 Neal G Fri, 01 May 2009 15:35:30 +0000 http://www.ducea.com/?p=241#comment-180278 this worked great. although i have no idea what step 2 is for. I do not configure VLANs on my firewall, i simply add the VLAN attribute to a particular interface.also, i had to add static routes on my router so that remote networks know how to reach the new network behind the firewall. the routes point to the outside interface of the firewall this worked great. although i have no idea what step 2 is for. I do not configure VLANs on my firewall, i simply add the VLAN attribute to a particular interface.

also, i had to add static routes on my router so that remote networks know how to reach the new network behind the firewall. the routes point to the outside interface of the firewall

]]> By: - Marius -http://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-1/#comment-180255 - Marius - Wed, 29 Apr 2009 12:26:55 +0000 http://www.ducea.com/?p=241#comment-180255 @carmine: none of the ASA support interface aliases (internal or external); as described in this post you can trick it by using the above method. you said you want 2 outside interfaces, one inside, and one dmz so my suggestion for 5510. You can use vlans to separate the network traffic on the same interface, but not aliases. This is just not available on any ASA. @carmine: none of the ASA support interface aliases (internal or external); as described in this post you can trick it by using the above method. you said you want 2 outside interfaces, one inside, and one dmz so my suggestion for 5510. You can use vlans to separate the network traffic on the same interface, but not aliases. This is just not available on any ASA.

]]> By: carminehttp://www.ducea.com/2008/05/31/adding-a-secondary-ip-address-on-a-cisco-asa-ethernet-interface/comment-page-1/#comment-180254 carmine Wed, 29 Apr 2009 12:13:30 +0000 http://www.ducea.com/?p=241#comment-180254 it is not important asa model, i have ask you advice on the another model cisco with feature listed above. the cisco asa 5580 support Netflow, but i have not find nothing information if is possible configured more ip public (same subnet) on the single outside interface.thanks :-) it is not important asa model, i have ask you advice on the another model cisco with feature listed above.
the cisco asa 5580 support Netflow, but i have not find nothing information if is possible configured more ip public (same subnet) on the single outside interface.

thanks :-)

]]>