The ranting of an IT Professional

Dec 16 2009   2:17PM GMT

Adding a secondary address to an interface on a Cisco ASA

Jason Tramer Jason Tramer Profile: Jason Tramer

Unlike in a Cisco router where you can used the secondary command to add a secondary address to an interface, the Cisco ASA does not support this. Here is a workaround however.

1. First find out the mac address of the ethernet interface you will be using:
sh interface Ethernet0/1
This should show you the MAC address of the network interface.

2. Force this arp address onto whichever Vlan you are using:
interface Vlan1
mac-address 0019.0726.xxxx
nameif inside

3. Now define a static arp entry for the IP you want to use as a secondary address. Use the same mac address as the one from above, and enable proxy ARP on it:
arp inside alias
You can verify this is working properly using the show arp command that should return you the ip and    mac address, like this:
sh arp
inside alias
4. At this point any system on the local interface can use the ip as its default gateway and it will work just fine. You need to ensure that return packets are coming back to the source, and this means you have to add a static route for this network on the inside interface (pointing to the primary ip of the interface, let’s say for the sake of argument):
route inside 1

5. Also we need to ensure that traffic is allowed between the same interface hosts, and same level of security interfaces:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
and you probably want to be sure that access lists will allow the traffic from/to the newly added network.


 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: