https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581305#M568461 <HTML><HEAD></HEAD><BODY><P>here's the sanitized config of the 1811. I appreciate your input. Please let me know what other issues you notice with this conversion. </P></BODY></HTML> Sun, 30 Jan 2011 03:31:58 GMT lcaruso 2011-01-30T03:31:58Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581304#M568460 <P></P><P><SPAN>Hi, </SPAN></P><P><SPAN> </SPAN></P><P><SPAN>Please see the attachments. </SPAN></P><P><SPAN> </SPAN></P><P><SPAN>I'm trying to come up with the config that would allow me to replace an 1811 router with a ASA 5505.The ASA has a Security Plus license.&nbsp; </SPAN></P><P></P><P><SPAN>While there are many unfortunate features of the current network design that could be vastly improved, I'm currently constrained to simply replacing the 1811 with the 5505. </SPAN></P><P><SPAN> </SPAN></P><P><SPAN>The first issue is the 1811 has an ip local pool that hands out dhcp addresses to clients behind the 851 router over a site-to-site vpn. This is an issue because when try to define the dhcpd server and use interface outside, it complains that cannot be done with this error message</SPAN></P><P><SPAN> </SPAN></P><P><SPAN>dhcpd address 172.x.x.1-172.x.x.32 outside</SPAN></P><P><SPAN>Address range subnet 172.x.x.1 or 172.x.x.32 is not the same as outside interface subnet 68.x.x.18</SPAN></P><P><SPAN> </SPAN></P><P><SPAN>How do I work around this and create the same functionality?</SPAN></P><P><SPAN> </SPAN></P><P></P> Mon, 11 Mar 2019 19:41:56 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581304#M568460 lcaruso 2019-03-11T19:41:56Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581305#M568461 <HTML><HEAD></HEAD><BODY><P>here's the sanitized config of the 1811. I appreciate your input. Please let me know what other issues you notice with this conversion. </P></BODY></HTML> Sun, 30 Jan 2011 03:31:58 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581305#M568461 lcaruso 2011-01-30T03:31:58Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581306#M568462 <HTML><HEAD></HEAD><BODY><P>Another issue I have is there is a helper-address on the 1811 vlan1 interface.</P><P>I understand the ASA 5505 series cannot provide helper addresses. How do I deal with this? </P></BODY></HTML> Sun, 30 Jan 2011 03:39:02 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581306#M568462 lcaruso 2011-01-30T03:39:02Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581307#M568463 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Unfortunately the DHCP capacity of the ASA firewall is very limited. It is intended for SOHO. As you can see on the document below, the ASA cannot handle Addresses to host that are not directly connected to it.</P><P></P><P><SPAN class="content">"DHCP clients must be directly connected to the interface on which the server is enabled." </SPAN></P><P></P><P>The ASA firewall does support DHCP relay (Helper address) However, it does have some limitations. I suggest you to please read the following document.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1059065">http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1059065</A></P><P></P><P>Hope it helps</P><P></P><P>Mike</P><P></P><P><SPAN class="content"><BR /></SPAN></P></BODY></HTML> Sun, 30 Jan 2011 04:05:04 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581307#M568463 Maykol Rojas 2011-01-30T04:05:04Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581308#M568464 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>According to this document: <BR /><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/dhcp.html">http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/dhcp.html</A></P><P></P><P>DHCP clients must be directly connected to the interface on which the server is enabled. <BR />I believe this is why the ASA complains about the pool not being on the same range as the outside IP.</P><P></P><P>The ASA has a DHCP relay functionality that I believe could be used for ''ip-helper'' (explained on the above link as well).</P><P></P><P>Hope it helps.</P><P></P><P>Federico.</P></BODY></HTML> Sun, 30 Jan 2011 04:08:39 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581308#M568464 Federico Coto Fajardo 2011-01-30T04:08:39Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581309#M568465 <HTML><HEAD></HEAD><BODY><P>so the solution is to use another ASA 5505 where the 851 router sits. Would you agree?</P></BODY></HTML> Sun, 30 Jan 2011 04:16:00 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581309#M568465 lcaruso 2011-01-30T04:16:00Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581310#M568466 <HTML><HEAD></HEAD><BODY><P>Thanks for all of your great posts which are very timely as well.</P></BODY></HTML> Sun, 30 Jan 2011 04:17:32 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581310#M568466 lcaruso 2011-01-30T04:17:32Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581311#M568467 <HTML><HEAD></HEAD><BODY><P>You're very welcome <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>I guess it depends what was the motivation behind the idea of replacing the 1811 witht the ASA 5505.</P><P></P><P>As it was mentioned, the ASA lacks the ability to deliver DHCP to non-directly connected users, so you might want to stick with the 1811.</P><P>But, staying with the 1811 is an option for you? Do you need any features particulary to the 5505?</P><P></P><P>Federico.</P></BODY></HTML> Sun, 30 Jan 2011 04:23:18 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581311#M568467 Federico Coto Fajardo 2011-01-30T04:23:18Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581312#M568468 <HTML><HEAD></HEAD><BODY><P>Thanks for the link and your discussion. </P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">Unfortunately the DHCP capacity of the ASA firewall is very limited. It is intended for SOHO.</PRE><P></P><P>I assume you mean the ASA 5505 offers these limitations instead of the ASA platform in general. Would a 5510 have the capability to hand out addresses to a subnet not directly connected?</P><P></P><P>This site does not have more than 100 users which fits the SOHO criteria. </P></BODY></HTML> Sun, 30 Jan 2011 14:06:26 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581312#M568468 lcaruso 2011-01-30T14:06:26Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581313#M568469 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">Do you need any features particulary to the 5505?</PRE><P></P><P>The site has been unmanaged for a couple of years and has security issues. It has become a target for hackers and internally it is unknown what security issues may exist. Need to intervene with a manageable firewall to easily see what is getting in/out, save and review logs, create and manage policies, provide alerts, defeat denial of service attacks, shun attackers, etc.</P><P></P><P>The 1811 only has two static routes and runs no routing protocols. I know the IOS Firewall is effective, but not as manageable in my estimation. </P></BODY></HTML> Sun, 30 Jan 2011 14:23:04 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581313#M568469 lcaruso 2011-01-30T14:23:04Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581314#M568470 <HTML><HEAD></HEAD><BODY><P>Remote access vpn with anyconnect was another requirement</P></BODY></HTML> Sun, 30 Jan 2011 16:55:22 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581314#M568470 lcaruso 2011-01-30T16:55:22Z https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581315#M568471 <HTML><HEAD></HEAD><BODY><P>I would not argue with you about moving to a 5505 but for you to know the ZWF (Zone-based Firewall) that can be configured on the router along with security measures can make the router really secure.</P><P></P><P>Also, the remote AnyConnect can be configured on the router as well.</P><P><BR />Federico.</P></BODY></HTML> Sun, 30 Jan 2011 17:24:26 GMT https://community.cisco.com/t5/network-security/replace-1811-router-with-asa-5505/m-p/1581315#M568471 Federico Coto Fajardo 2011-01-30T17:24:26Z