Hello Jonathan: You can have multiple subnets defined on the statics from the outside with no problem, routed as you described. Such as:
static (inside,outside) 5.1.1.1 192.168.0.1
static (inside,outside) 6.2.2.2 192.168.0.2

If you have multiple inside subnets they would have to be on their own VLANs, provided you have a license that allows that configuration. I think you need Security Plus for more than two VLANs (i.e. inside and outside). With that configuration you would have something like:

interface vlan 1
 ip address 192.168.0.1 255.255.255.0
 nameif inside
interface vlan 2
 ip address 1.2.3.4 255.255.255.0
 nameif outside
interface vlan 3
 ip address 192.168.1.1 255.255.255.0
 nameif dmz

Then you can add statics for the 192.168.1.0/24 subnet as well.

You *can't* have two different attached subnets on the same VLAN interface, such as:

interface vlan 1
 ip address 192.168.0.1 255.255.255.0
 ip address 192.168.1.1 255.255.255.0 secondary
 nameif inside

Regards,
Mike

> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of Jonathan Brashear
> Sent: Wednesday, March 04, 2009 1:55 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] ASA 5505 multiple netblock functionality
>
> Apologies if this has been addressed previously, I looked through the last 12
> months of c-nsp threads and didn't see this mentioned.
>
> There is some debate going on in my department over a particular
> implementation and the 5505's capability to handle multiple netblocks. A quick
> primer on the situation:
>
> Firewall IP: 1.2.3.4 (publicly routable, but changing for cust privacy)
> Customer netblock: 5.6.7.0/26 (it's publicly routable as well, I'm changing for
> sake of cust privacy)
> Customer NAT: 192.168.0.0/24
>
> The /26 is statically routed to 1.2.3.4 from the router level, and the
> customer wants to run NAT for their internal devices (db servers, etc.). Our
> implementations guy states that the 5505 can't handle assigning 3+ netblocks
> because they can't run multiple contexts.
>
> My experience with the ASA firewalls is limited so I very well may be wrong,
> but I believe the 5505s should be able to handle multiple netblocks on the
> internal side of the firewall using something such as sub-interfaces or
> similar. Can anyone help explain why this is or isn't feasible?
>
> They don't need to be on the same physical interface necessarily, we can run
> them to separate physical interfaces because this customer is hairpinned
> behind a switch (and the servers are connected to said switch instead of the
> firewall directly) so port density isn't a big issue (to a point).
>
> We can assign a netblock to each internal port on the firewall if need be -
> which seems to be the best solution from what I'm uncovering - and that works
> as a reasonable alternative. It doesn't scale very well obviously, but I don't
> think this customer is going to chew through netblocks at a rate where this
> will be an issue.
>
> Network Engineer, JNCIS-M
>
> 214-981-1954 (office)
>
> 214-642-4075 (cell)
>
> jbrash...@hq.speakeasy.net
> http://www.speakeasy.net
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
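Added example, not part of the thread: a fuller ASA 5505 configuration for the scenario Jonathan describes, in the pre-8.3 NAT syntax Mike's statics use. It assumes the thread's placeholder addresses (1.2.3.4 on the outside, the routed 5.6.7.0/26 customer block, 192.168.0.0/24 and 192.168.1.0/24 inside), hypothetical server addresses and services, and a license that permits the third VLAN. The part the reply does not mention is at the end: a static only creates the translation, and inbound traffic to the public addresses is still dropped until an access-list applied to the outside interface permits it.

```text
! ASA 5505, pre-8.3 NAT syntax (as in the reply's statics). Addresses and
! hostnames here are constructed placeholders following the thread.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! One switch port per VLAN (Ethernet0/0 is in vlan 2 in the factory default).
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/2
 switchport access vlan 3
!
! One-to-one statics from the routed /26 to servers on two inside subnets.
! Assumed hosts: 192.168.0.10 and 192.168.0.11 (inside), 192.168.1.10 (dmz).
static (inside,outside) 5.6.7.1 192.168.0.10 netmask 255.255.255.255
static (inside,outside) 5.6.7.2 192.168.0.11 netmask 255.255.255.255
static (dmz,outside)    5.6.7.3 192.168.1.10 netmask 255.255.255.255
!
! Hosts without a static share the outside interface address via PAT.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
!
! Pre-8.3 ACLs match the translated (public) address. Permit only the
! services each static is meant to expose; everything else stays dropped.
access-list outside_in extended permit tcp any host 5.6.7.1 eq 443
access-list outside_in extended permit tcp any host 5.6.7.3 eq 80
access-group outside_in in interface outside
```

Before relying on the third VLAN, `show version` on the 5505 reports the licensed VLAN count and whether the DMZ VLAN is restricted, which is the quickest way to settle the license question raised in the reply.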