Adding an extra IP net to an external interface

OK, my knowledge of Cisco is not that deep, so excuse me if my question is too simple...

I need to add an extra set of IP addresses on a Cisco ASA 5520 ver. 7.0 (2)

I guess I do this:

    configure
    interface GigabitEthernet0/0
    ip add secondary
    exit
    write

And then of course add the needed NAT and rules for these addresses.


Do I need to add any routes besides the one already configured for the existing address?

It seems that I can't do this through ASDM - will this mean that the next time I use ASDM and save changes, then the changes done on the CLI will be gone? Or will the ASDM not tamper with things it can't see on the CLI?

Regards, Lars

Lars Bonnesen

"Lars Bonnesen" wrote in message news:468103bc$0$73339$

Now I am actually just thinking of another way of doing it through ASDM. Will this be a better way:

If I add an interface and configure it to the same hardware port (in this case the GigabitEthernet0/0) then I imagine that both IP address ranges will be available on the same physical port, right?

Isn't this approach "better" than the one I just described in the original post?

Can you please guide me on which approach to use in which case?

Thanks in advance.

Regards, Lars

Lars Bonnesen

Why do you need an extra set of IP addresses on the interface? Is it necessary that the ASA be pingable at the new IP range? Is it necessary that the ASA be able to terminate VPN tunnels at the new IP range? Is it necessary that the ASA be remotely manageable at the new IP range?

If the answers to the above are "No, we just need an extra IP range that the ASA will pass traffic *through* for (with or without NAT'ing it), without it being necessary to be able to access the ASA *itself* at that range", then the solution becomes quite different. For traffic *through* the ASA:

- add appropriate entries to the outside interface ACL

- add appropriate NAT entries

- add appropriate static entries

- ensure that your WAN router -routes- the new IP range to the regular ASA outside interface address

- do NOT make any attempt to configure the interface to list the new IP range.

The ASA (and PIX) can handle an indefinite number of IP address ranges for traffic *through* the device, as long as the traffic is routed to the main interface IP (well, proxy ARP -might- work, but it's never a good idea to rely on it.) But if you need the ASA (or PIX) to be -itself- reachable through multiple address ranges, then you run into configuration difficulties.

Walter Roberson
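
The checklist in the reply above, written out as configuration. This is an added example, not part of the original posts: every address, the ACL name `outside_in` and the NAT ID `2` are assumptions, using documentation ranges, and the commands use ASA/PIX 7.x syntax.

```cisco
! Constructed example. Assumed addressing (documentation ranges, not from the thread):
!   existing outside subnet  198.51.100.0/29, ASA outside interface at 198.51.100.2
!   new routed range         203.0.113.0/28
!   inside web server        192.168.1.10

! --- Upstream WAN router (IOS): route the new range to the ASA's existing outside address
ip route 203.0.113.0 255.255.255.240 198.51.100.2

! --- ASA (7.x syntax). The outside interface keeps its single address;
! --- nothing from the new range is configured on the interface itself.

! Static translation: publish the inside server on an address from the new range
static (inside,outside) 203.0.113.5 192.168.1.10 netmask 255.255.255.255

! Outside ACL: permit only the service being published on that address.
! If an ACL is already bound to the outside interface, add the permit line
! to that ACL instead of binding a new one (access-group replaces the binding).
access-list outside_in extended permit tcp any host 203.0.113.5 eq www
access-group outside_in in interface outside

! Optional: outbound PAT for one inside subnet behind an address from the new range
nat (inside) 2 192.168.2.0 255.255.255.0
global (outside) 2 203.0.113.6
```

After traffic has been sent to the published address, `show xlate` and the hit counts in `show access-list outside_in` confirm that the translation and the permit entry are being used.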

This is exactly the case. Thanks for clarifying.

This part is done by our ISP and should already have been done by now.

What will be the outcome of this then?

I don't - thanks again.

Regards, Lars.

Lars Bonnesen

"Walter Roberson" wrote in message news:bu8gi.63655$NV3.25875@pd7urf2no...

And it is working now... thanks.

Regards, Lars.

Lars Bonnesen