ASA 5505 Public IP Address Conundrum - Cisco Gurus Welcome

NetworkNerd

Charter Business just turned up a 50/5 coax circuit for us at one of our sites. Originally we had ordered one public ip address for this location, but we ended up having to order another after the service was turned up to make it easier to allow our video monitoring company to watch the cameras at this location (recently installed as well).

So when I called Charter to get a second public ip address they gave me one no problem. But, it's on a different subnet and has a different gateway than the first public ip we had to start.

We have an ASA 5505 at this location currently, and there should be a way to configure it to use both ip addresses since this is not a dual ISP situation or trying to configure failover, etc. When you have a block of ip addresses it is pretty easy to configure the ASA to use them. I can do that. But it's this public ip on an alternate subnet that is throwing me for a loop.

I should also mention that we are using 10.0.1.0/24 for the LAN at this location and will be using 10.192.0.0/23 for the cameras. There will be no VLANs. The cameras just need to be on a different subnet. The ASA provides DHCP for devices on the 10.0.1.0/24 subnet only. Devices on the 10.192.0.0/23 subnet will have static ip addresses.

ASA 5505 Config

We have one interface tied to a switch port (port 0) for the first public ip and every other switch port on the ASA tied to the LAN ip block we are using at this location. I'd leave port 0 for public ip 1 and port 1 for LAN1 (10.0.1.0/24). Here's what I am thinking for the rest:

• list itemCreate a new interface tied to a 3rd switch port (port 2) that is set with the 2nd public ip I mention above.
• list itemCreate a matching static route for the second public ip.
• list itemCreate one more interface tied to a 4th switch port (port 3) for LAN2 (10.192.0.0/23).
• list itemConfigure all devices on each LAN to use the LAN gateway ip address for their specific segment.

Will what I have mentioned above work? I would then create access rules and NAT rules for the camera traffic using the second public ip. I'd really like to do one-to-one NAT for the second public ip and the NVR at this location since accessing the camera software seems to play better with that than NAT with PAT.

Have I over-complicated it? Any advice is much appreciated. The second ip being on a different subnet is really throwing me for a loop.

Bill Kindle

@NetworkNerd Charter didn't offer to setup an additional IP to move to? one on the same subnet as the newest addition?

NetworkNerd

@Bill-Kindle said:

@NetworkNerd Charter didn't offer to setup an additional IP to move to? one on the same subnet as the newest addition?

They did not. Their immediate fix was to run things with a dual subnet setup as described above. Maybe it's time to push for having both on the same subnet rather than beat my head against the wall with the above.

Bill Kindle

@NetworkNerd said:

@Bill-Kindle said:

@NetworkNerd Charter didn't offer to setup an additional IP to move to? one on the same subnet as the newest addition?

They did not. Their immediate fix was to run things with a dual subnet setup as described above. Maybe it's time to push for having both on the same subnet rather than beat my head against the wall with the above.

That's what I would push for in this situation. Charter has a few service area's here in Ohio and I've dealt with them a few more times that I liked. Worse situation I was in was when they made a network change, never alerted my customer, and took down DNS service entirely for about a week. Their tech kept telling me it was my problem. Never saw OpenDNS fail, except for that one time. I don't recall all the specifics but in short, requests weren't being routed through their network at all. Took a lot of phone time and pulling out ye old Network+ skills to prove a point.

PSX_Defector

I was gonna write up a big thing about this, but there is a easy [moderated] way to handle this.

Put a switch between the modem and the firewall. Hang another firewall off the switch using the "new" IP. Since you don't plan on the two networks communicating, no point in making things convoluted in your config. That would be easy as hell.

And if you want to be able to talk to ether network locally, just jumper a cable between them and use some quick static routes to frame traffic.

No muss, no fuss.

Dashrender

Your layout is exactly what I would expect it to be.

If you have SmartNet, The Cisco TAC will even make the changes for you.

thanksajdotcom

@PSX_Defector said:

I was gonna write up a big thing about this, but there is a easy [moderated] way to handle this.

Put a switch between the modem and the firewall. Hang another firewall off the switch using the "new" IP. Since you don't plan on the two networks communicating, no point in making things convoluted in your config. That would be easy as hell.

And if you want to be able to talk to ether network locally, just jumper a cable between them and use some quick static routes to frame traffic.

No muss, no fuss.

That makes sense.

scottalanmiller

@PSX_Defector said:

I was gonna write up a big thing about this, but there is a easy [moderated] way to handle this.

Put a switch between the modem and the firewall. Hang another firewall off the switch using the "new" IP. Since you don't plan on the two networks communicating, no point in making things convoluted in your config. That would be easy as hell.

And if you want to be able to talk to ether network locally, just jumper a cable between them and use some quick static routes to frame traffic.

No muss, no fuss.

True, good, easy option.

NetworkNerd

Thanks to all who responded here. We're going to roll with PSX's idea.

I will also tell you I posted this somewhere else and did not receive as many responses as I did here.

JaredBusch

@NetworkNerd said:

Thanks to all who responded here. We're going to roll with PSX's idea.

I will also tell you I posted this somewhere else and did not receive as many responses as I did here.

What other device you going to use? If you buy the right thing you can shitcan the entire ASA

Bill Kindle

@NetworkNerd said:

Thanks to all who responded here. We're going to roll with PSX's idea.

I will also tell you I posted this somewhere else and did not receive as many responses as I did here.

I've done something similar in my environment and it works like a charm. I had to do it with an existing L2 switch, using port isolation for an internal Checkpoint Firewall and a special router for my VoIP service. 0 problems.

NetworkNerd

@JaredBusch said:

@NetworkNerd said:

Thanks to all who responded here. We're going to roll with PSX's idea.

I will also tell you I posted this somewhere else and did not receive as many responses as I did here.

What other device you going to use? If you buy the right thing you can shitcan the entire ASA

I already had a Cisco RV180 lying around and used it for the camera traffic. The only thing I do not have setup right now is static routes.