Faking a secondary IP
(2013-04-30)
Problem
ASA won't let you define a secondary IP on an interface.
Solution
Fake it with ARP proxying.
Find the MAC address of the interface you will be using:
sh interface Ethernet0/1
Define a static ARP entry for the new IP with the existing MAC address:
arp inside 192.168.1.1 0019.0726.xxx alias
Finally, add a route to the subnet your fake interface belongs to:
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
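You may have to permit traffic between interfaces at the same security level (inter-interface) and traffic that enters and leaves the same interface (intra-interface):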
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
You should be able to use that IP as a route destination on systems now, even though you won't be able to ping it.
Update:
If you try this on 8.4(3) or later, it won't work. If you drill down into the logs far enough, you'll find something like this:
Arp packet received from 192.168.6.245 which is in different subnet than the connected interface 192.168.5.1/255.255.255.0
...which I found discussed here:
The ASA's behavior in 8.4(3) was made more strict to no longer allow this behavior. The problem is technically a mis-configuration on the operator's end as they should be routing the traffic to your ASA's outside interface instead of trying to forward the traffic directly and send ARP requests for non-connected subnets.
Thank you, Cisco.
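To find which hosts hit this check after an upgrade, the message quoted above can be matched in exported ASA logs and counted per sender. This is an added example, not part of the original post; the function name and the sample lines are constructed, and only the message text comes from the post.

```python
import ipaddress
import re
from collections import Counter

# Message text as quoted in the post; any syslog prefix before it is ignored.
ARP_REJECT = re.compile(
    r"Arp packet received from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) which is in "
    r"different subnet than the connected interface "
    r"(?P<ifip>\d{1,3}(?:\.\d{1,3}){3})/(?P<mask>\d{1,3}(?:\.\d{1,3}){3})"
)


def find_rejected_arp(lines):
    """Count rejected ARP senders, keyed by (sender IP, connected network).

    Each match is re-checked with ipaddress so that only senders that really
    sit outside the interface's subnet are counted.
    """
    hits = Counter()
    for line in lines:
        m = ARP_REJECT.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            net = ipaddress.ip_interface(f"{m['ifip']}/{m['mask']}").network
        except ValueError:
            continue  # malformed address or mask in the log line; skip it
        if src not in net:
            hits[(str(src), str(net))] += 1
    return hits


# Constructed sample input: the message from the post plus variations on it.
MSG = ("Arp packet received from {} which is in different subnet than "
       "the connected interface 192.168.5.1/255.255.255.0")
SAMPLE_LOG = [
    MSG.format("192.168.6.245"),
    MSG.format("192.168.6.245"),
    MSG.format("192.168.6.10"),
    "some unrelated log line (constructed)",
]

if __name__ == "__main__":
    for (src, net), count in find_rejected_arp(SAMPLE_LOG).most_common():
        print(f"{src} sent {count} ARP packet(s) rejected on {net}")
```

Each sender it reports is a host on a non-connected subnet that is ARPing the ASA directly, which is the case 8.4(3) and later reject.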