I have an existing Cisco ASA 5520 configured with a /28 subnet on the outside interface. My hosting provider just provided me with a new non-adjacent /28 subnet which is routed to the outside interface on my ASA.
Here is the current IP configuration:
1.1.1.145 --> ISP Gateway
1.1.1.146 --> ISP Reserved
1.1.1.147 --> ISP Reserved
1.1.1.148 --> Primary ASA Outside Int
1.1.1.149 --> Secondary ASA Outside Int
1.1.1.150 - 1.1.1.158 --> Usable IPs
2.2.2.240 - 2.2.2.254 --> New Subnet, Routed to 1.1.1.148
I've tried to create a NAT on the ASA using the 2.2.2.240 IP but that doesn't seem to work. From what I can understand, I may need to add a route on the ASA, but I'm not sure what I should add.
Should it be something like:
route Outside 2.2.2.240 255.255.255.240 1.1.1.148 1
If they're routing the subnet to you (to an address on the old subnet owned by the ASA), then all you'll need to do is NAT; your ASA won't "own" one of the addresses for its own interface. The routing of inbound traffic occurs after NAT, and the routing of outbound traffic will be caught by your default route.
Just NAT should work fine, so something's wrong with that part of the config; can you provide that configuration, and maybe also packet-tracer output for a simulated connection from outside to an address on the new range?
Like Shane said: all you're supposed to do is add a NAT rule that uses one of the new IPs and a matching ACL. It should just work after that.
But I wonder if your provider routes the two blocks differently. The route for 1.1.1.x most likely specifies just the outbound interface, while the route for 2.2.2.x, as you describe, uses a gateway IP (your firewall). If that's the case, you actually have a bit of a difference between the two blocks. Ask your provider about it and tell them to route the 2.2.2.x IPs the same exact way they do 1.1.1.x. It is really unnecessary for them to route to a gateway IP and could break things if you ever decide to change your firewall's external IP address.
If that doesn't help either, then take another, very close look at your NAT and ACLs. And don't forget that you can easily do packet capture with ASDM - that will give you the definitive answer as to whether or not the traffic reaches the firewall.
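As an added illustration of the NAT-plus-ACL setup the two answers above describe (this is example configuration, not the asker's or either answerer's), assuming ASA 8.3+ object NAT syntax, a placeholder inside host 10.0.0.10, and a placeholder outside client 203.0.113.5:

```text
! Existing default route toward the ISP gateway (assumed to be present already)
route outside 0.0.0.0 0.0.0.0 1.1.1.145 1
!
! Static NAT: inside host 10.0.0.10 (placeholder) answers on 2.2.2.241 from the routed block
object network web-server
 host 10.0.0.10
 nat (inside,outside) static 2.2.2.241
!
! Inbound ACL: on 8.3+ it matches the real (inside) address, and only the port actually needed
access-list outside_access_in extended permit tcp any object web-server eq 80
access-group outside_access_in in interface outside
!
! No "route outside 2.2.2.240 255.255.255.240 ..." entry is needed: inbound packets are
! un-NATed before routing, and replies follow the default route above
!
! Verify with a simulated inbound packet from the placeholder client; every phase should show ALLOW
packet-tracer input outside tcp 203.0.113.5 40000 2.2.2.241 80
```

On ASA releases before 8.3 the syntax differs (static/global/nat commands and ACLs written against the translated address), so adjust accordingly.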
The problem is that both networks on the outside interface will require a default gateway. If you want to route traffic between these two public networks without involving the firewall, you will have to add explicit routes for each to the other.
What is that 2.2.2 subnet connected to? It obviously also has an internet connection, since you don't specify that it is routed to the 1.1.1.x default gateway.
I would put the 2.2.2.240 subnet in a DMZ and make .241 the firewall interface. Don't worry about applying a standby IP since these are only used for managing the secondary firewall.