IP Routing with 2 Subnets

Question

We currently have a Cisco ASA on a range with only two usable IP addresses. The Cisco has 217.67.255.31 and the BT NTE box (for the leased line) has 217.67.255.32. (on /32)

Now we want to split this line across two firewalls, so the existing ASA and another ASA 5510, so both firewalls have access to the line . This will be done via a switch - i.e. NTE Box --> Switch --> Link to each firewall. The ISP has sent has two additional IPs but in a totally separate subnet for the new firewall.

217.67.252.182
217.67.252.183

Now the ISP have apparently routed the above range (/31) to 217.67.255.31 which is the interface on the current firewall.

But on the new firewall, we assign one of the above IPs to it's WAN interface, what do we assign as the default gateway for this interface? The IP of the NTE box? How does this work?

Answer 1

You can only put the 217.67.255.31 address on one of your ASAs.

You'll need to set up failover using HSRP/VRRP so that only one of them picks up the IP address at a time - that ASA will become the gateway for your internal network (part of which is 217.67.252.182 and 217.67.252.183).

---

Sounds like what you want is similar to what we have set up at Discourse:

Assigned subnet:  64.71.148.0/29 
upstream gateway: 64.71.148.1 
firewall1:        64.71.148.2 
firewall2:        64.71.148.3 
HA IP:            64.71.148.4

Any further subnet assignments are routed by the ISP to 64.71.148.4.

Answer 2

The interface you have is a /30, period. You can't have an extra interface on that circuit. You CAN have (which they provided you) extra IPs that can be used across that circuit (not sub-IFs, but routable IPs).

If you want a simple setup with 2 different ASA's in place, your ISP will need to expand the actual circuit to a /29 or larger to allow for multiple interfaces on your side.