Adding an extra IP net to an external interface

Discussion in 'Cisco' started by Lars Bonnesen, Jun 26, 2007.

  1. Ok, my knowledge of Cisco is not that deep, so excuse me if my question is
    too simple...

    I need to add an extra set of IP addresses on a Cisco ASA 5520 ver. 7.0 (2)

    I guess I do this:

    configure interface GigabitEthernet0/0
    ip add xxx.aaa.bbb.ccc.ddd 255.255.255.240 secondary
    exit
    write

    And then of course add the needed NAT and rules for these addresses.

    Correct?

    Do I need to add any routes besides the one already configured for the
    existing address?

    It seems that I can't do this through ASDM - will this mean that the next
    time I use ASDM and save changes, then the changes done on the CLI will be
    gone? Or will the ASDM not tamper with things it can't see on the CLI?

    Regards, Lars
     
    Lars Bonnesen, Jun 26, 2007
    #1

  2. "Lars Bonnesen" <none@none.æøå> wrote in message
    news:468103bc$0$73339$...
    > Ok, my knowledge of Cisco is not that deep, so excuse me if my question is
    > too simple...


    Now I am actually just thinking of another way of doing it through ASDM.
    Will this be a better way:

    If I add an interface and configure it to the same hardware port (in this
    case the GigabitEthernet0/0) then I imagine that both IP address ranges will
    be available on the same physical port, right?

    Isn't this approach "better" than the one I just described in the original
    post?

    Can you please guide me on which approach to use in which case?

    Thanks in advance.

    Regards, Lars
     
    Lars Bonnesen, Jun 26, 2007
    #2

  3. In article <468103bc$0$73339$>,
    Lars Bonnesen <none@none.æøå> wrote:

    >I need to add an extra set of IP addresses on a Cisco ASA 5520 ver. 7.0 (2)


    >I guess I do this


    >configure interface GigabitEthernet0/0
    >ip add xxx.aaa.bbb.ccc.ddd 255.255.255.240 secondary
    >exit


    Why do you need an extra set of IP addresses on the interface?
    Is it necessary that the ASA be pingable at the new IP range?
    Is it necessary that the ASA be able to terminate VPN tunnels
    at the new IP range?
    Is it necessary that the ASA be remotely manageable at the new
    IP range?

    If the answers to the above are "No, we just need an extra IP
    range that the ASA will pass traffic *through* for (with or without
    NAT'ing it), without it being necessary to be able to access
    the ASA *itself* at that range", then the solution becomes quite
    different. For traffic *through* the ASA:

    - add appropriate entries to the outside interface ACL
    - add appropriate NAT entries
    - add appropriate static entries
    - ensure that your WAN router -routes- the new IP range to the
    regular ASA outside interface address
    - do NOT make any attempt to configure the interface to list the
    new IP range.

    The ASA (and PIX) can handle an indefinite number of IP address
    ranges for traffic *through* the device, as long as the traffic
    is routed to the main interface IP (well, proxy ARP -might- work, but
    it's never a good idea to rely on it.) But if you need the ASA (or PIX)
    to be -itself- reachable through multiple address ranges, then you
    run into configuration difficulties.
     
    Walter Roberson, Jun 26, 2007
    #3
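
The pass-through setup listed in the post above, written out as an added example that is not part of the original thread. It uses ASA/PIX 7.0 (pre-8.3) NAT syntax; every address, interface name and ACL name in it is an assumption chosen for illustration.

```cisco
! Constructed example for ASA/PIX 7.0 syntax (pre-8.3 NAT). All addresses are
! documentation ranges and all names are assumptions, not values from the thread:
!   existing outside interface address : 198.51.100.2
!   new routed range                   : 192.0.2.16/28
!   inside web server                  : 10.0.0.18
!
! 1. Static translation: one address from the new range maps to one inside host.
static (inside,outside) 192.0.2.18 10.0.0.18 netmask 255.255.255.255
!
! 2. Outside ACL: permit only the service that must be reachable, addressed to
!    the translated (public) address. If an ACL is already bound to the outside
!    interface, add the permit line to that ACL instead of creating a new one;
!    only one ACL can be applied per interface and direction.
access-list outside_in extended permit tcp any host 192.0.2.18 eq www
access-group outside_in in interface outside
!
! 3. Optional outbound PAT for an inside subnet, using an address from the
!    new range as the translated source.
nat (inside) 2 10.0.1.0 255.255.255.0
global (outside) 2 192.0.2.19
!
! 4. No "ip address" change on the outside interface. The upstream router
!    needs a route for the range pointing at the existing outside address,
!    for example on an IOS router:
!      ip route 192.0.2.16 255.255.255.240 198.51.100.2
!
! Verification on the ASA after test traffic has been sent:
!   show xlate
!   show access-list outside_in
```

The hit counters in `show access-list` confirm that traffic for the new range is actually arriving at the outside interface, which separates an upstream routing problem from an ACL or NAT problem.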
  4. "Walter Roberson" <> wrote in message
    news:bu8gi.63655$NV3.25875@pd7urf2no...

    > If the answers to the above are "No, we just need an extra IP
    > range that the ASA will pass traffic *through* for (with or without
    > NAT'ing it), without it being necessary to be able to access
    > the ASA *itself* at that range", then the solution becomes quite
    > different


    This is exactly the case. Thanks for clarifying

    > - ensure that your WAN router -routes- the new IP range to the
    > regular ASA outside interface address


    This part is done by our ISP and should already have been done by now.

    > - do NOT make any attempt to configure the interface to list the
    > new IP range.


    What will be the outcome of this then?

    > The ASA (and PIX) can handle an indefinite number of IP address
    > ranges for traffic *through* the device, as long as the traffic
    > is routed to the main interface IP (well, proxy ARP -might- work, but
    > it's never a good idea to rely on it.) But if you need the ASA (or PIX)
    > to be -itself- reachable through multiple address ranges, then you
    > run into configuration difficulties.


    I don't - thanks again.

    Regards, Lars.
     
    Lars Bonnesen, Jun 26, 2007
    #4
  5. "Walter Roberson" <> wrote in message
    news:bu8gi.63655$NV3.25875@pd7urf2no...

    > - add appropriate entries to the outside interface ACL
    > - add appropriate NAT entries
    > - add appropriate static entries
    > - ensure that your WAN router -routes- the new IP range to the
    > regular ASA outside interface address
    > - do NOT make any attempt to configure the interface to list the
    > new IP range.


    And it is working now... thanks.

    Regards, Lars.
     
    Lars Bonnesen, Jun 27, 2007
    #5