Velocity Reviews


Lars Bonnesen 06-26-2007 12:16 PM

Adding an extra IP net to an external interface
 
Ok, my knowledge of Cisco is not that deep, so excuse me if my question is
too simple...

I need to add an extra set of IP addresses on a Cisco ASA 5520 ver. 7.0 (2)

I guess I do this:

configure interface GigabitEthernet0/0
ip add xxx.aaa.bbb.ccc.ddd 255.255.255.240 secondary
exit
write

And then of course add the needed NAT and rules for these addresses.

Correct?

Do I need to add any routes besides the one already configured for the
existing address?

It seems that I can't do this through ASDM - will this mean that the next
time I use ASDM and save changes, then the changes done on the CLI will be
gone? Or will the ASDM not tamper with things it can't see on the CLI?

Regards, Lars



Lars Bonnesen 06-26-2007 12:26 PM

Re: Adding an extra IP net to an external interface
 

"Lars Bonnesen" <none@none.זרו> wrote in message
news:468103bc$0$73339$edfadb0f@dread11.news.tele.dk...
> Ok, my knowledge of Cisco is not that deep, so excuse me if my question is
> too simple...


Now I am actually just thinking of another way of doing it through ASDM.
Will this be a better way:

If I add an interface and configure it to the same hardware port (in this
case the GigabitEthernet0/0) then I imagine that both IP address ranges will
be available on the same physical port, right?

Isn't this approach "better" than the one I just described in the original
post?

Can you please guide me on which approach to use in which case?

Thanks in advance.

Regards, Lars



Walter Roberson 06-26-2007 01:26 PM

Re: Adding an extra IP net to an external interface
 
In article <468103bc$0$73339$edfadb0f@dread11.news.tele.dk>,
Lars Bonnesen <none@none.זרו> wrote:

>I need to add an extra set of IP addresses on a Cisco ASA 5520 ver. 7.0 (2)


>I guess I do this


>configure interface GigabitEthernet0/0
>ip add xxx.aaa.bbb.ccc.ddd 255.255.255.240 secondary
>exit


Why do you need an extra set of IP addresses on the interface?
Is it necessary that the ASA be pingable at the new IP range?
Is it necessary that the ASA be able to terminate VPN tunnels
at the new IP range?
Is it necessary that the ASA be remotely manageable at the new
IP range?

If the answers to the above are "No, we just need an extra IP
range that the ASA will pass traffic *through* for (with or without
NAT'ing it), without it being necessary to be able to access
the ASA *itself* at that range", then the solution becomes quite
different. For traffic *through* the ASA:

- add appropriate entries to the outside interface ACL
- add appropriate NAT entries
- add appropriate static entries
- ensure that your WAN router -routes- the new IP range to the
regular ASA outside interface address
- do NOT make any attempt to configure the interface to list the
new IP range.

The ASA (and PIX) can handle an indefinite number of IP address
ranges for traffic *through* the device, as long as the traffic
is routed to the main interface IP (well, proxy ARP -might- work, but
it's never a good idea to rely on it.) But if you need the ASA (or PIX)
to be -itself- reachable through multiple address ranges, then you
run into configuration difficulties.
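
The pass-through setup listed in the post above, written out for an ASA running 7.0 (an added example, not part of the original thread or any poster's configuration). All addresses and the ACL name `outside_access_in` are constructed for illustration; the new range uses the /28 mask from the question.

```cisco
! Added example; every address and name below is constructed for illustration.
!   ASA outside interface address (unchanged):  198.51.100.2
!   New routed /28 from the ISP:                203.0.113.16 255.255.255.240
!   Inside web server:                          10.0.10.5
!   Inside client subnet:                       10.0.20.0 255.255.255.0
!
! Upstream (ISP) router, IOS syntax: route the new range to the ASA's
! existing outside address.
!   ip route 203.0.113.16 255.255.255.240 198.51.100.2
!
! ASA, configuration mode. No "ip address" line for 203.0.113.16/28 is
! added to any interface.

! Static entry: publish the inside server on an address from the new range.
static (inside,outside) 203.0.113.18 10.0.10.5 netmask 255.255.255.255

! Outside ACL: permit only the published host and port. If an ACL is already
! applied to the outside interface, add the entry to that ACL instead.
access-list outside_access_in extended permit tcp any host 203.0.113.18 eq www
access-group outside_access_in in interface outside

! NAT entry (optional): PAT one inside subnet outbound behind a new-range address.
nat (inside) 2 10.0.20.0 255.255.255.0
global (outside) 2 203.0.113.30

! Checks after sending test traffic:
!   show xlate                           (the static and PAT translations are listed)
!   show access-list outside_access_in   (hit counts on the permit line increase)
```

With no interface address in the new range, the ASA still answers ping, VPN and management traffic only on its existing outside address, so the exposure added by the new range is limited to what the ACL line permits.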

Lars Bonnesen 06-26-2007 04:29 PM

Re: Adding an extra IP net to an external interface
 

"Walter Roberson" <roberson@hushmail.com> wrote in message
news:bu8gi.63655$NV3.25875@pd7urf2no...

> If the answers to the above are "No, we just need an extra IP
> range that the ASA will pass traffic *through* for (with or without
> NAT'ing it), without it being necessary to be able to access
> the ASA *itself* at that range", then the solution becomes quite
> different


This is exactly the case. Thanks for clarifying.

> - ensure that your WAN router -routes- the new IP range to the
> regular ASA outside interface address


This part is done by our ISP and should already have been done by now.

> - do NOT make any attempt to configure the interface to list the
> new IP range.


What will be the outcome of this then?

> The ASA (and PIX) can handle an indefinite number of IP address
> ranges for traffic *through* the device, as long as the traffic
> is routed to the main interface IP (well, proxy ARP -might- work, but
> it's never a good idea to rely on it.) But if you need the ASA (or PIX)
> to be -itself- reachable through multiple address ranges, then you
> run into configuration difficulties.


I don't - thanks again.

Regards, Lars.



Lars Bonnesen 06-27-2007 06:57 AM

Re: Adding an extra IP net to an external interface
 

"Walter Roberson" <roberson@hushmail.com> wrote in message
news:bu8gi.63655$NV3.25875@pd7urf2no...

> - add appropriate entries to the outside interface ACL
> - add appropriate NAT entries
> - add appropriate static entries
> - ensure that your WAN router -routes- the new IP range to the
> regular ASA outside interface address
> - do NOT make any attempt to configure the interface to list the
> new IP range.


And it is working now... thanks.

Regards, Lars.



