For When You Can't Have The Real Thing

Faking a secondary IP

Created by dave. Last edited by dave, 10 years and 144 days ago. Viewed 10,471 times. #3
(2013-04-30)

Problem

ASA won't let you define a secondary IP on an interface.

Solution

Fake it with proxy ARP: a static ARP alias entry for the extra address, plus a route for its subnet.

Find the MAC address of the interface you will be using:

sh interface Ethernet0/1

Define a static ARP entry for the new IP using the interface's existing MAC address:

arp inside 192.168.1.1 0019.0726.xxx alias

Finally, add a route to the subnet your fake interface belongs to:

route inside 192.168.1.0 255.255.255.0 192.168.0.1 1

You may have to permit traffic between the interfaces:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

You should now be able to use that IP as a route destination (next hop) on other systems, even though you won't be able to ping it.

Update:

If you try this on 8.4(3) or later, it won't work. If you dig far enough into the logs, you'll find something like this:

Arp packet received from 192.168.6.245 which is in different subnet than the connected interface 192.168.5.1/255.255.255.0
...which I found discussed here:
The ASA's behavior in 8.4(3) was made more strict to no longer allow this behavior. The problem is technically a mis-configuration on the operator's end as they should be routing the traffic to your ASA's outside interface instead of trying to forward the traffic directly and send ARP requests for non-connected subnets.
Thank you, Cisco.
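Two small checks that go with the procedure above and with the 8.4(3) log message. This is an added example, not code from the original page or from Cisco: the first function tells you in advance whether a planned alias address lies inside the interface's connected subnet (the only case the stricter 8.4(3)+ ARP handling accepts), and the second pulls the offending source addresses and connected networks out of ASA syslog lines carrying that message, so the hosts that are sending ARP for non-connected subnets can be found and re-pointed at the ASA. The interface address 192.168.0.254/24 and the log lines other than the one quoted on the page are constructed.

```python
"""Planned-alias check and log triage for the ASA proxy-ARP trick.

Added example; not part of the original page. Interface addresses and
all log lines except the one quoted on the page are constructed.
"""
import ipaddress
import re

# Matches the ASA message quoted on the page, e.g.
# "Arp packet received from 192.168.6.245 which is in different subnet
#  than the connected interface 192.168.5.1/255.255.255.0"
ARP_SUBNET_RE = re.compile(
    r"Arp packet received from (?P<src>\d+\.\d+\.\d+\.\d+) which is in different "
    r"subnet than the connected interface "
    r"(?P<ifaddr>\d+\.\d+\.\d+\.\d+)/(?P<mask>\d+\.\d+\.\d+\.\d+)"
)


def alias_is_on_connected_subnet(alias_ip, interface_ip, mask):
    """True when alias_ip falls inside the interface's connected subnet.

    On 8.4(3) and later an ARP alias for an address outside the connected
    subnet is the case that triggers the log message above, so a False
    result here means the page's trick will not work on those releases.
    """
    network = ipaddress.IPv4Interface(f"{interface_ip}/{mask}").network
    return ipaddress.IPv4Address(alias_ip) in network


def parse_arp_subnet_warnings(log_lines):
    """Return (source_ip, connected_network) for each line carrying the message.

    Lines that do not match are ignored; the connected network is derived
    from the interface address and dotted mask in the message.
    """
    hits = []
    for line in log_lines:
        m = ARP_SUBNET_RE.search(line)
        if m:
            net = ipaddress.IPv4Interface(f"{m['ifaddr']}/{m['mask']}").network
            hits.append((m["src"], net))
    return hits


def offending_sources(log_lines):
    """Unique source addresses that ARP'd for a non-connected subnet."""
    return sorted({src for src, _ in parse_arp_subnet_warnings(log_lines)})


# Constructed sample log (the second line is the one quoted on the page).
CONSTRUCTED_LOG = [
    "%ASA-6-302013: Built inbound TCP connection 12345 for inside:192.168.0.10/51000",
    "Arp packet received from 192.168.6.245 which is in different subnet than "
    "the connected interface 192.168.5.1/255.255.255.0",
    "Arp packet received from 192.168.6.245 which is in different subnet than "
    "the connected interface 192.168.5.1/255.255.255.0",
]

if __name__ == "__main__":
    # The page's setup: alias 192.168.1.1 on an inside interface assumed at
    # 192.168.0.254/24 -> not on the connected subnet, so 8.4(3)+ rejects it.
    print(alias_is_on_connected_subnet("192.168.1.1", "192.168.0.254", "255.255.255.0"))
    for src, net in parse_arp_subnet_warnings(CONSTRUCTED_LOG):
        print(f"{src} sent ARP outside connected network {net}")
    print(offending_sources(CONSTRUCTED_LOG))
```

Run it as a script to see the verdict for the page's alias and the triage of the sample log; feed `parse_arp_subnet_warnings` the lines from `show logging` or a syslog collector to do the same on a real unit.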