Hi All,
I tried to assign a secondary IP address to an interface on a Cisco ASA box and found out that this facility is not supported. While looking for a way around this limitation, I found that it can be achieved with a trick that relies on the Proxy-ARP facility, in the following way:
- Define a static ARP table entry with the secondary IP address, which you want to assign to the interface, with the MAC address of the Ethernet interface.
- Enable proxy ARP for this entry on the ASA box.
- Add a routing entry, on the ASA, to the subnet of the secondary IP address, making the Ethernet interface act as a gateway for this subnet (you may try removing this step; it might work without it).
Now you can use this new secondary IP address as a gateway for a workstation with an IP from the new subnet to go through the ASA box.
Notes:
- You might be able to achieve the same result by implementing the static ARP entry, with the same values, on the workstation that needs to use the secondary IP address of the ASA's Ethernet interface, leaving the ASA with the mentioned routing table entry only.
- I think that this trick will work on PIX firewall also.
Regards,
Russlan
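
For anyone reviewing an ASA configuration for this workaround, here is an added example (not part of the original post) that flags static ARP entries carrying the `alias` (proxy ARP) keyword whose IP falls outside the interface's own subnet, and lists any route on that interface covering it. The sample config, its addresses and MAC, and the function names are constructed for illustration; the route's next hop is the interface's own address, as the post's third step describes.

```python
import ipaddress

# Constructed sample config; addresses and MAC are made up for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
arp inside 192.168.2.1 0011.2233.4455 alias
arp inside 192.168.1.50 00aa.bbcc.ddee
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
"""

def _net(addr, mask):
    """Parse 'address netmask' into a network, or None if not an IPv4 pair."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None

def find_secondary_ip_workarounds(config):
    """List static ARP 'alias' entries whose IP is outside the interface subnet."""
    nets, routes, aliases, nameif = {}, [], [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None                      # a new interface block starts
        elif tok[0] == "nameif" and len(tok) == 2:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4:
            nets[nameif] = _net(tok[2], tok[3])
        elif tok[0] == "arp" and len(tok) == 5 and tok[4] == "alias":
            aliases.append((tok[1], ipaddress.ip_address(tok[2]), tok[3]))
        elif tok[0] == "route" and len(tok) >= 5 and _net(tok[2], tok[3]) is not None:
            routes.append((tok[1], _net(tok[2], tok[3])))
    findings = []
    for ifname, ip, mac in aliases:
        if nets.get(ifname) is not None and ip in nets[ifname]:
            continue                           # alias inside the connected subnet
        routed = [str(n) for i, n in routes
                  if i == ifname and n.prefixlen > 0 and ip in n]
        findings.append({"interface": ifname, "ip": str(ip), "mac": mac,
                         "routes": routed})
    return findings
```

An empty `routes` list in a finding corresponds to the variant where the routing step is left out.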