Secondary Block of IP Addresses for ASA - additional config needed?


Richy321

Technical User
Nov 24, 2008
26
GB
Hi,

I would really appreciate some help in regards to some configuration for an ASA5520.

I have a working ASA5520, the outside interface has an IP address range attached, of which statics, NAT, etc. works without issue.

I have recently purchased a secondary block of IP addresses from the same ISP, who have said they are routing them to my ASA correctly.

I have configured the following for one of the new addresses (not network address but available IP address):

- static statement natting from outside to DMZ interface
- access-list for above static allowing HTTPS inbound from outside

Looking on the ASDM this rule has no hits, I have tried various sessions to test from outside of the firewall. Also syslogging doesn't show any attempted connection drops.

Is there anything else I am missing? I thought maybe a route on the ASA? Some sort of ARP statement, I vaguely remember this on CheckPoint Windows NT4 firewalls... I have tried various Google searches, but they all end up talking about secondary interface IP addresses and limitations on the ASA, I don't think this is what I am after.

Any help will be appreciated!

Kind regards,
Rich.

Rich.
CCNA - preparing for SNPA exam :)
 
Yeah, you need to configure static ARP entries for each additional IP address. It's a pain in the ass.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi,

thanks for your response! You have helped me out in the past. Appreciated as always :)

Now you have confirmed I need to enter some static ARP commands I can dig out the manual and find out what they are.

All the best,
Rich

Rich.
CCNA Certified
 
Hi,

Following on - would the MAC address I need to use be that of the ASA? For example each IP address I have (6 in total) all link back to the firewall's outside interface MAC?

Regards,
Rich

Rich.
CCNA Certified
 
For example each IP address I have (6 in total) all link back to the firewall's outside interface MAC?
That is correct. Good luck and be sure to post back with any issues.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hum, I have never had to add static arp entries on an ASA and I currently have a client with a 5540 and 4 discontiguous network blocks.
 
Hi all, thanks for your replies.

I have been looking at the arp table on the ASA - it seems to assign random MAC addresses to IP addresses within the same range as the outside interface...

I have set the secondary block of addresses (all 6) with the same MAC address as the outside interface's physical MAC.

The default route is an external router provided by the ISP, would the ASA see this and not translate as the connection isn't going through the router...? I am going to test this next...

Regards

Rich.
CCNA Certified
 
All - just to update. It turned out the ISP was routing the new block of addresses incorrectly.

The addresses now NAT via the ASA without any additional configuration required.

Thanks for your help all.

Rich.
CCNA Certified
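
The symptom in this thread (no ACL hits and no syslog drops, later traced to ISP routing) can be confirmed from the ASA itself before changing any configuration. The following is an added example, not taken from any poster: it assumes pre-8.3 `static` syntax, and the addresses (documentation ranges), the ACL name `outside_in` and the capture name `capnew` are constructed placeholders.

```cisco
! Added example. Constructed values: 203.0.113.10 (address from the new block),
! 192.168.50.10 (DMZ server), 198.51.100.50 (external test client).
! ACL name outside_in and capture name capnew are hypothetical.

! --- Configuration mode: the static and ACL described in the first post ---
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! --- Privileged EXEC: verification ---

! 1. Test the configuration in isolation with a simulated packet.
!    "Action: allow" in the final result means NAT and the ACL are correct.
packet-tracer input outside tcp 198.51.100.50 12345 203.0.113.10 443

! 2. Capture real traffic for the new address on the outside interface,
!    then open an HTTPS session to it from an external host.
capture capnew interface outside match tcp any host 203.0.113.10 eq 443
show capture capnew

! 3. Compare the capture with the ACL hit count.
!    - 0 packets captured and hitcnt=0 while packet-tracer allows the flow:
!      the traffic is not arriving at the ASA, so the problem is upstream.
!    - packets captured but hitcnt=0: the problem is on the ASA (NAT/ACL order).
show access-list outside_in

! 4. With a block that is routed to the ASA's outside address, the upstream
!    router uses the ASA as next hop, so no ARP entries for the new
!    addresses are expected here.
show arp

! 5. Remove the capture when finished.
no capture capnew
```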
 