[c-nsp] ASA 5505 multiple netblock functionality

Michael K. Smith - Adhost mksmith at adhost.com
Wed Mar 4 18:49:38 EST 2009


Hello Jonathan:

You can have multiple subnets defined on the statics from the outside with no problem, routed as you described.  Such as:

static (inside,outside) 5.1.1.1 192.168.0.1
static (inside,outside) 6.2.2.2 192.168.0.2

If you have multiple inside subnets they would have to be on their own VLANs, provided you have a license that allows that configuration.  I think you need Security Plus for more than two VLANs (i.e. inside and outside).  With that configuration you would have something like:

interface vlan 1
 ip address 192.168.0.1 255.255.255.0
 nameif inside

interface vlan 2
 ip address 1.2.3.4 255.255.255.0
 nameif outside

interface vlan 3
 ip address 192.168.1.1 255.255.255.0
 nameif dmz

Then you can add statics for the 192.168.1.0/24 subnet as well.  You *can't* have two different attached subnets on the same VLAN interface, such as:

interface vlan 1
 ip address 192.168.0.1 255.255.255.0
 ip address 192.168.1.1 255.255.255.0 secondary
 nameif inside

Regards,

Mike
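As an added illustration of the constraints Mike lays out (one attached subnet per VLAN interface, no secondary addresses, statics that reference the interface their real address actually sits behind), here is a small config-lint script. It is not from the thread or from Cisco; the sample config is constructed, and the VLAN limit is an assumed parameter rather than a value read from a device or license.

```python
import ipaddress
import re

# Constructed sample in the style of the 5505 config discussed above (not a real device's config).
SAMPLE_CONFIG = """\
interface vlan 1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
interface vlan 2
 nameif outside
 ip address 1.2.3.4 255.255.255.0
interface vlan 3
 nameif dmz
 ip address 192.168.1.1 255.255.255.0
 ip address 192.168.2.1 255.255.255.0 secondary
static (inside,outside) 5.1.1.1 192.168.0.1
static (dmz,outside) 5.1.1.2 192.168.1.2
static (inside,outside) 5.1.1.3 192.168.1.3
"""

def parse(cfg):
    """Split a config into VLAN interface records and static NAT entries."""
    ifaces, statics, cur = [], [], None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"interface vlan (\d+)$", line, re.I):
            cur = {"vlan": int(m.group(1)), "nameif": None, "nets": [], "secondary": False}
            ifaces.append(cur)
        elif (m := re.match(r"nameif (\S+)$", line, re.I)) and cur:
            cur["nameif"] = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)( secondary)?$", line, re.I)) and cur:
            cur["nets"].append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
            cur["secondary"] = cur["secondary"] or bool(m.group(3))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)$", line, re.I):
            statics.append((m.group(1), ipaddress.ip_address(m.group(3)), ipaddress.ip_address(m.group(4))))
    return ifaces, statics

def check(cfg, max_vlans=3):
    """Return findings as strings. max_vlans is an assumed license limit (not read from the box)."""
    ifaces, statics = parse(cfg)
    findings = []
    if len(ifaces) > max_vlans:
        findings.append(f"license: {len(ifaces)} VLAN interfaces exceeds assumed limit of {max_vlans}")
    by_name = {i["nameif"]: i for i in ifaces if i["nameif"]}
    for i in ifaces:
        if i["secondary"]:
            findings.append(f"vlan {i['vlan']}: secondary ip address is not supported; use a separate VLAN")
    for real_if, mapped, real in statics:
        nets = by_name.get(real_if, {}).get("nets", [])
        if not any(real in n for n in nets):
            findings.append(f"static {mapped}->{real}: {real} is not on an attached subnet of '{real_if}'")
    return findings
```

Run `check(SAMPLE_CONFIG)` to see the secondary-address and misplaced-static findings; pass a smaller `max_vlans` to see the license check fire.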

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Jonathan Brashear
> Sent: Wednesday, March 04, 2009 1:55 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA 5505 multiple netblock functionality
> 
> Apologies if this has been addressed previously, I looked through the last 12
> months of c-nsp threads and didn't see this mentioned.
> 
> There is some debate going on in my department over a particular
> implementation and the 5505's capability to handle multiple netblocks. A quick
> primer on the situation:
> 
> Firewall IP: 1.2.3.4 (publicly routable, but changing for cust privacy)
> Customer netblock: 5.6.7.0/26 (it's publicly routable as well, I'm changing for
> sake of cust privacy)
> Customer NAT: 192.168.0.0/24
> 
> 
> The /26 is statically routed to 1.2.3.4 from the router level, and the
> customer wants to run NAT for their internal devices (db servers, etc.). Our
> implementations guy states that the 5505 can't handle assigning 3+ netblocks
> because they can't run multiple contexts. My experience with the ASA firewalls
> is limited so I very well may be wrong, but I believe the 5505s should be able
> to handle multiple netblocks on the internal side of the firewall using
> something such as sub-interfaces or similar. Can anyone help explain why this
> is or isn't feasible?
> 
> They don't need to be on the same physical interface necessarily, we can run
> them to separate physical interfaces because this customer is hairpinned
> behind a switch (and the servers are connected to said switch instead of the
> firewall directly) so port density isn't a big issue (to a point).
> 
> We can assign a netblock to each internal port on the firewall if need be -
> which seems to be the best solution from what I'm uncovering - and that works
> as a reasonable alternative. It doesn't scale very well obviously, but I don't
> think this customer is going to chew through netblocks at a rate where this
> will be an issue.
> 
> Network Engineer, JNCIS-M
> 214-981-1954 (office)
> 214-642-4075 (cell)
> jbrashear at hq.speakeasy.net
> http://www.speakeasy.net