ASA 5510 - Configure 2 Outside Interfaces

RMurr34

Technical User
Sep 10, 2008
Good afternoon,

I'm wondering if this is possible and if so where can I find the steps to configure it.

I have an ASA 5510 configured with Eth0/0 as my outside interface (209.xxx.67.xxx). Eth0/1 is configured as my inside interface (192.168.48.1)

I have Eth0/2 and Eth0/3 open.

I ran out of IP addresses from my original 209.xxx.67.xxx block and had to get a new block (209.xxx.72.xxx). Is it possible to configure Eth0/2 as an additional outside interface and Eth0/3 as an inside interface? Or do I need another ASA/PIX? I have another ASA configured where I have two inside interfaces and it works well. Just wondering/hoping if I can add another outside interface to save some money.

As always, thanks for any help/input you can provide.

 
Are both ranges provided by the same ISP??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
as long as your isp has the routing setup properly, you simply use your second range as if it is part of the primary range. for example, 209.201.67/29 is your primary range, 209.205.72/29 is your secondary:
Code:
static (inside,outside) 209.201.67.5 192.168.10.5
static (inside,outside) 209.205.72.1 192.168.10.1
does this make sense??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I have some additional info. It doesn't look like they ran a new cable. Here's what they said:

"There's no new network cable. The ip is routed to the existing network interface."

Is this what you're referring to?

Thanks unclerico.
 
yep. they set it up so that in order to reach your second range of ip's, traffic must route through your current CPE device.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
First of all, thanks for the quick replies unclerico. Here's my current config. So I need to add a new static map with the new IP address? My existing domain is 192.168.48.x and I want the new one to be 192.168.50.x. So my static map should be 209.xxx.72.z (where z is what?).

Thanks!


ASA Version 7.0(7)
!
hostname MYHOSTNAME
domain-name MY-DOMAN
enable password XXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 209.XXX.67.XXX 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.48.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd XXXXXXXXXXX encrypted
ftp mode passive
access-list 101 extended permit ip 192.168.48.0 255.255.255.0 10.100.10.0 255.255.255.0
access-list 102 extended permit tcp any host 209.XXX.67.XXX eq 22222
access-list 102 extended permit tcp any host 209.XXX.67.XXX eq 3389
access-list 102 extended permit tcp any host 209.XXX.67.XXX eq 3389
access-list 102 extended permit tcp any host 209.XXX.67.XXX eq 3389
access-list 102 extended permit tcp any host 209.XXX.67.XXX eq 3389
access-list 102 extended permit tcp any host 209.XXX.67.XXX eq ftp
access-list 102 extended permit tcp any host 209.XXX.67.XXX eq 3389
access-list vpn_split_tunnel standard permit 192.168.48.0 255.255.255.0
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
ip local pool MYvpnpool 10.100.10.1-10.100.10.254
no failover
icmp deny any outside
icmp permit 192.168.48.0 255.255.255.0 inside
icmp permit 10.100.10.0 255.255.255.0 inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 10.100.10.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 209.XXX.67.XXX 192.168.48.252 netmask 255.255.255.255
static (inside,outside) 209.XXX.67.XXX 192.168.48.7 netmask 255.255.255.255
static (inside,outside) 209.XXX.67.XXX 192.168.48.210 netmask 255.255.255.255
static (inside,outside) 209.XXX.67.XXX 192.168.48.212 netmask 255.255.255.255
static (inside,outside) 209.XXX.67.XXX 192.168.48.211 netmask 255.255.255.255
static (inside,outside) 209.XXX.67.XXX 192.168.48.3 netmask 255.255.255.255
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 209.XXX.67.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn host 192.168.48.2
key XXXXXXX
group-policy MY-DOMAIN internal
group-policy MY-DOMAIN attributes
wins-server value 192.168.48.2
dns-server value 192.168.48.2
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_split_tunnel
default-domain value MY-DOMAIN.COM
secure-unit-authentication disable
nem enable
webvpn
username vpnuser password xxxxxxxxxxxxxxxx encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 43200
isakmp nat-traversal 20
tunnel-group MYvpngroup type ipsec-ra
tunnel-group MYvpngroup general-attributes
address-pool MYvpnpool
authentication-server-group vpn
default-group-policy MY-DOMAIN
tunnel-group plethvpngroup ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.48.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
!
service-policy global_policy global
 
z would be any one of your usable public ip addresses

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
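
An added example, not part of the original thread: a small Python check that lists the usable "z" addresses in a routed block and flags any static (inside,outside) line whose public address is not usable in a routed range or has no matching permit on the ACL bound to the outside interface (the pattern the posted config uses with access-list 102). The two /29 ranges are the example values from the reply above; the inside hosts, the third static and the ACL line are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in ASA 7.x syntax. The /29 ranges are the example values
# from the reply above; inside hosts and the ACL entry are assumptions.
ROUTED_RANGES = ["209.201.67.0/29", "209.205.72.0/29"]
SAMPLE_CONFIG = """\
static (inside,outside) 209.201.67.5 192.168.48.7 netmask 255.255.255.255
static (inside,outside) 209.205.72.1 192.168.50.10 netmask 255.255.255.255
static (inside,outside) 209.205.72.9 192.168.50.11 netmask 255.255.255.255
access-list 102 extended permit tcp any host 209.201.67.5 eq ftp
access-group 102 in interface outside
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+)", re.M)
ACL_HOST_RE = re.compile(r"^access-list (\S+) extended permit \S+ any host (\S+)", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside", re.M)


def usable_hosts(cidr):
    """Addresses in a routed block that can serve as a mapped ("z") address."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


def audit_statics(config, routed_ranges):
    """Return {public_ip: [findings]} for each static (inside,outside) line."""
    # Enumerating hosts is fine for the small blocks an ISP hands out.
    usable = {h for r in routed_ranges for h in usable_hosts(r)}
    bound = set(GROUP_RE.findall(config))  # ACLs applied inbound on outside
    permitted = {ip for acl, ip in ACL_HOST_RE.findall(config) if acl in bound}
    report = {}
    for public, _inside in STATIC_RE.findall(config):
        findings = []
        if public not in usable:
            findings.append("not a usable address in any routed range")
        if public not in permitted:
            findings.append("no inbound permit on the outside ACL")
        report[public] = findings
    return report


if __name__ == "__main__":
    print("usable z values:", usable_hosts("209.205.72.0/29"))
    for ip, findings in audit_statics(SAMPLE_CONFIG, ROUTED_RANGES).items():
        print(ip, "->", findings or "ok")
```
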
 