Wednesday, October 10, 2012

Multiple Subnets on the Outside Interface of a Cisco ASA

Recently I had a customer provide a Cisco 2821 router along with a Cisco ASA 5520 to set up at a DR site. The router was provided for the usual arrangement where the ISP hands over a small subnet for connecting the customer's router to the ISP's equipment (usually a /29 or /30) and a second, larger subnet for the customer's own equipment (something like a /24).

This network in blue (router in front of the firewall) has been a recurring pattern over the last few years, and I want to put forward a simple premise: use the ASA by itself instead of putting a slow router in front of it. Let me be clear, there are perfectly good reasons to have a router in front, such as running BGP to announce the subnet you have, or wanting another layer of control. My point is don't put a slow router in front of a faster firewall, and don't start asking your boss to buy an expensive fast router just to add another hop.

In my opinion the Cisco 2821 was designed to route T1s and E1s, and the performance figures on Cisco's site fit that assumption: the 2821's recommended performance level is four T1s, which in my world means about 6 Mbps. The ASA 5520's backplane, by comparison, is good for up to 450 Mbps at best.

Cisco 2800 Series Routers Page
Cisco ASA 5500 Series Page

These days a 10 Mbps or faster link to the Internet is commonplace, so this old habit needs to change. To skip the setup in blue and use the design in green you need the proxy ARP function of the ASA to 'advertise' the extra subnet to the ISP's router: the ASA answers ARP requests on its outside interface for any address it holds a NAT translation for, so the ISP's router delivers frames for those addresses to the ASA's outside MAC. Fortunately this is simple to accomplish by creating a NAT for the extra subnet; you do not need an ASA interface with an address in that subnet. (One caveat: this relies on the ISP router treating the extra subnet as directly connected on the link facing you. If the ISP instead routes the block to your address on the /30, the packets reach the ASA anyway and proxy ARP never comes into play; the NAT and ACL below are still all that is required.)

Double check that proxy ARP has not been disabled on the outside interface (it is enabled by default, and because it is a default it only shows up in the running configuration when you add the all keyword):

asa# show run all
no sysopt noproxyarp outside   <---  notice the "no ... noproxyarp" means proxy ARP is enabled

Then set up a static as below. With the example setup you see in green I could create a static that maps the additional public subnet address of to the inside address of. Of course you would also need an ACL entry to permit the traffic. In this example I forward HTTP traffic along to the made-up inside host of

asa(conf)#static (inside,outside)
asa(conf)#access-list outside_access_in extended permit tcp any host eq 80
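The same design carried through as a complete, added worked example (this is not configuration from the original post or from the customer's devices). All addresses are assumptions chosen for illustration: 198.51.100.2/30 for the ASA's outside interface with the ISP router at 198.51.100.1, 203.0.113.0/24 as the extra public block, 203.0.113.10 as the public address of a web server whose inside address is 10.1.1.10. It shows the pre-8.3 static syntax the post uses alongside the object NAT syntax that replaced it in ASA 8.3, since the two differ in an easy-to-miss way (post-8.3 ACLs match the real, untranslated address), plus the commands to verify the result:

```cisco
! Assumed addressing (constructed for this example, not from the post):
!   outside interface   198.51.100.2/30   (ISP router is 198.51.100.1)
!   extra public block  203.0.113.0/24    (no ASA interface lives in it)
!   web server          203.0.113.10 public  ->  10.1.1.10 inside
!
! --- Common to all releases ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Proxy ARP on the outside interface is what makes the ASA answer ARP
! requests for 203.0.113.10. It is on by default; this line is only here
! to undo a "sysopt noproxyarp outside" someone may have added earlier.
no sysopt noproxyarp outside
!
! --- ASA 8.2 and earlier: static NAT; the ACL references the PUBLIC address ---
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_access_in in interface outside
!
! --- ASA 8.3 and later: object NAT; the ACL references the REAL (inside) address ---
! (newer releases also accept a per-rule no-proxy-arp keyword on the nat line;
!  leave it out, or the ASA will stop answering ARP for 203.0.113.10)
object network web_server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list outside_access_in extended permit tcp any object web_server eq 80
access-group outside_access_in in interface outside
!
! --- Verification (exec mode) ---
! Defaults only appear with the "all" keyword:
!   asa# show running-config all sysopt | include proxyarp
! Confirm the translation is installed:
!   asa# show nat
! Simulate an Internet client (192.0.2.50 is a made-up source) hitting the
! server; packet-tracer walks the route lookup, ACL and NAT phases and
! reports the first one that drops the packet:
!   asa# packet-tracer input outside tcp 192.0.2.50 40000 203.0.113.10 80
! After real traffic has flowed:
!   asa# show xlate | include 203.0.113.10
```

Use whichever NAT section matches the ASA's release, never both. On the ISP side the /24 must either be treated as on-link on the interface facing the ASA, in which case proxy ARP does the work, or be routed to 198.51.100.2, in which case ARP is never involved and the static plus ACL is all that is needed; if packet-tracer succeeds but nothing arrives from the Internet, that ISP-side routing is the first thing to ask about.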

I hope this helps.
