Adding a secondary IP address on a Cisco ASA Ethernet interface

I have been working with various Cisco devices for many years now. Even though I hold a valid CCNP, I didn’t have the chance to work with Cisco devices during the past months as much as I did when I was actively working in the ISP field. Still, from time to time I take on small Cisco-related consulting projects. This post will show how to overcome the frustration of the top-of-the-line Cisco ASA firewalls not supporting interface IP aliases.

Cisco PIX firewalls have been around for many years and I was aware of the stupid limitation they had about not being able to add IP aliases on their interfaces. Again, this was many years ago… Today, when I had to configure a small Cisco ASA 5505 device, I didn’t even think that the fanciest line of Cisco firewalls still has this limitation. You could say that the 5505 is the cheapest model and this is the reason for the limitation. Well, it costs much more than any other similar hardware firewall and honestly every other box I have seen supports this (I can’t even call it a feature)… I can’t be certain as I don’t have such a device to test on, but from what I can tell, the whole ASA product line has the same issue, including the higher-level 5550 and 5580.

Now, why would I need this? Maybe I have several network ranges behind the ASA, and for whatever reason I don’t need them in separate VLANs (my switches don’t support VLANs, I have IPs from both ranges configured on some systems, etc.) and I don’t want to pay a lot of money just to enable more VLANs on the box, etc.

I will not give a Linux system as an example, as it is obvious to anyone that you can add as many IP aliases as you want on one Ethernet interface. Still, the ASA will not be able to do this. You could try the familiar IOS command to add a secondary IP on the interface/VLAN, hoping it is an undocumented feature, but you will see it is just not there…

Let’s see what trick we can use to overcome this stupid limitation: we will be using the proxy-ARP facility in order to answer requests for another IP on the same Ethernet interface, without actually bringing that IP up. In my example I will be using eth0/1 and the ‘inside’ VLAN, vlan1, with an existing ‘main’ IP range configured: 192.168.0.1/24; I will add another IP, 192.168.1.1, so hosts from this range will also work behind the ASA:

  1. First find out the MAC address of the Ethernet interface you will be using:

sh interface Ethernet0/1

this should show you the MAC address of the network interface.

  2. Force this MAC address on the internal VLAN:

interface Vlan1
mac-address 0019.0726.xxxx
nameif inside

  3. Now let’s define a static ARP entry for the IP we want to use as secondary, using the same MAC address as the one from above, and enable proxy ARP on it:

arp inside 192.168.1.1 0019.0726.xxxx alias

you can verify this is working properly using the show arp command, which should return the IP and MAC address, like this:

sh arp
inside 192.168.1.1 0019.0726.xxxx alias
...

  4. At this point any system on the local interface can use the IP as its default gateway and it will work just fine. We just need to ensure that return packets are coming back to the source, and this means we have to add a static route for this network on the inside interface (pointing to the main IP of the interface, 192.168.0.1 in my case):

route inside 192.168.1.0 255.255.255.0 192.168.0.1 1

  5. Also we need to ensure that traffic is allowed between hosts on the same interface, and between interfaces with the same security level:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

and you probably want to be sure that access lists will allow the traffic from/to the newly added network.
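As an added example (not part of the original post), here is a small Python helper that generates the configuration lines from the steps above for any number of secondary ranges, normalises the MAC address into Cisco dotted notation so the arp alias entry matches the Vlan1 MAC exactly, rejects a secondary range that overlaps the primary one, and checks sh arp output for the expected alias entries. The MAC, IP ranges and show arp text are constructed sample values, not from a real device.

```python
import ipaddress
import re


def cisco_mac(mac):
    """Normalise any common MAC notation (00:19:07:26:ab:cd, 0019.0726.abcd) to Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def secondary_ip_config(nameif, vlan, mac, primary_cidr, secondary_cidrs):
    """Return the ASA commands that add proxy-ARP 'secondary' gateway IPs (e.g. '192.168.1.1/24')."""
    primary = ipaddress.ip_interface(primary_cidr)
    mac = cisco_mac(mac)
    lines = [f"interface Vlan{vlan}", f" mac-address {mac}", f" nameif {nameif}",
             "same-security-traffic permit inter-interface",
             "same-security-traffic permit intra-interface"]
    for cidr in secondary_cidrs:
        sec = ipaddress.ip_interface(cidr)
        if sec.network.overlaps(primary.network):
            raise ValueError(f"{sec.network} overlaps the primary range {primary.network}")
        if sec.ip in (sec.network.network_address, sec.network.broadcast_address):
            raise ValueError(f"{sec.ip} is not a usable host address in {sec.network}")
        # The ASA answers ARP requests for the secondary IP with the VLAN's own MAC.
        lines.append(f"arp {nameif} {sec.ip} {mac} alias")
        # Return traffic for the secondary range is routed back via the real interface IP.
        lines.append(f"route {nameif} {sec.network.network_address} "
                     f"{sec.network.netmask} {primary.ip} 1")
    return lines


def missing_arp_aliases(show_arp_output, nameif, mac, secondary_ips):
    """Return the secondary IPs that have no matching 'alias' entry in 'show arp' output."""
    mac = cisco_mac(mac)
    token_sets = [set(line.split()) for line in show_arp_output.splitlines()]
    return [ip for ip in secondary_ips
            if not any({nameif, ip, mac, "alias"} <= tokens for tokens in token_sets)]


# Constructed sample values: MAC, ranges and the 'show arp' output are not from a real device.
SAMPLE_SHOW_ARP = "inside 192.168.1.1 0019.0726.abcd alias\noutside 203.0.113.1 0011.2233.4455 120\n"

if __name__ == "__main__":
    print("\n".join(secondary_ip_config("inside", 1, "00:19:07:26:ab:cd",
                                        "192.168.0.1/24", ["192.168.1.1/24"])))
    print("missing:", missing_arp_aliases(SAMPLE_SHOW_ARP, "inside", "0019.0726.abcd", ["192.168.1.1"]))
```

Paste the generated lines into the ASA configuration mode; if missing_arp_aliases reports an address after that, the alias entry (and therefore proxy ARP for it) did not take effect.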

That’s it…

The “Cisco way” to achieve this is to use separate VLANs for each network range. Let’s try to speculate why Cisco doesn’t want this ‘feature’ in their firewalls. Maybe because on the standard license the box doesn’t support more than 2 full VLANs (and 1 limited DMZ), so you can’t do this using VLANs even if you wanted to… and you have to buy a license upgrade to support more, or just to trunk them? What do you think? Do you think this is intentional, to make people buy their higher-end ASAs or upgrade to the Security Plus license (about 400-500$ extra)?

Note: the only limitation this method has is that the ‘secondary’ IP will work as expected as a gateway for the systems behind the ASA, but will obviously not respond itself to network requests (like ping, for example). If this is not acceptable, you should go ahead and use the VLAN method.

I hope this post will help other people that have the same frustration and will show them how to use any number of secondary IPs they want. Even though this post was exemplified using one ASA 5505, it should work just fine on other ASAs and even on PIXes.
