The ranting of an IT Professional

Dec 16 2009   2:17PM GMT

Adding a secondary address to an interface on a Cisco ASA



Posted by: Jason Tramer
Tags: address, arp, ASA, Cisco, interface, IP, route, secondary, static

On a Cisco router you can use the secondary keyword to add a secondary address to an interface, but the Cisco ASA does not support this. There is a workaround, however.

1. First find out the MAC address of the Ethernet interface you will be using:
sh interface Ethernet0/1
This should show you the MAC address of the network interface.

2. Force this MAC address onto whichever VLAN interface you are using:
interface Vlan1
mac-address 0019.0726.xxxx
nameif inside

3. Now define a static ARP entry for the IP you want to use as a secondary address. Use the same MAC address as the one from above, and enable proxy ARP on it with the alias keyword:
arp inside 192.168.1.1 0019.0726.xxxx alias
You can verify that this is working properly with the show arp command, which should return the IP and MAC address, like this:
sh arp
inside 192.168.1.1 0019.0726.xxxx alias

4. At this point any system on the local interface can use the IP as its default gateway and it will work just fine. You need to ensure that return packets are coming back to the source, and this means you have to add a static route for this network on the inside interface (pointing to the primary IP of the interface, let’s say 192.168.1.1 for the sake of argument):
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1

5. We also need to ensure that traffic is allowed between hosts on the same interface, and between interfaces at the same security level:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
You will probably also want to make sure that your access lists allow traffic to and from the newly added network.
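
A quick way to confirm that the five steps above agree with each other is to check the saved configuration text. The following is an added example, not part of the original post: the function name audit_secondary_address, the sample configuration and its MAC address are constructed for illustration, and the input is assumed to be pasted show running-config output.

```python
import ipaddress

# Constructed sample config following steps 1-5; the MAC is a made-up value.
SAMPLE_CONFIG = """\
interface Vlan1
 mac-address 0019.0726.aaaa
 nameif inside
 ip address 192.168.0.1 255.255.255.0
!
arp inside 192.168.1.1 0019.0726.aaaa alias
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
"""

def audit_secondary_address(config):
    """Return findings for every 'arp <if> <ip> <mac> alias' entry (hypothetical helper)."""
    blocks, aliases, routes, same_sec = [], [], [], set()
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            blocks.append({})                      # start a new interface block
        elif w[0] in ("mac-address", "nameif") and len(w) >= 2 and blocks:
            blocks[-1][w[0]] = w[1].lower() if w[0] == "mac-address" else w[1]
        elif w[0] == "arp" and len(w) == 5 and w[4] == "alias":
            aliases.append((w[1], ipaddress.ip_address(w[2]), w[3].lower()))
        elif w[0] == "route" and len(w) >= 5:
            net = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
            if net.prefixlen:                      # ignore the default route
                routes.append((w[1], net))
        elif w[:2] == ["same-security-traffic", "permit"] and len(w) == 3:
            same_sec.add(w[2])
    macs = {b["nameif"]: b.get("mac-address") for b in blocks if "nameif" in b}
    findings = []
    for nameif, ip, mac in aliases:
        if macs.get(nameif) != mac:                # steps 2 and 3 must agree
            findings.append(f"{ip}: alias MAC {mac} does not match mac-address on {nameif}")
        if not any(n == nameif and ip in net for n, net in routes):   # step 4
            findings.append(f"{ip}: no static route on {nameif} covers this address")
    if aliases:
        for opt in ("inter-interface", "intra-interface"):            # step 5
            if opt not in same_sec:
                findings.append(f"same-security-traffic permit {opt} is missing")
    return findings

if __name__ == "__main__":
    print(audit_secondary_address(SAMPLE_CONFIG) or "all five steps are consistent")
```

An empty list means the static ARP alias, the forced interface MAC, the route and the same-security-traffic settings line up; each finding names the step that is missing or inconsistent.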

Enjoy
