How to configure Cisco ASA 5508 for firewalling behind an ISR2911.

Mlachake
Level 1

I need ideas on how to accomplish the above scenario. I have the ISR 2911 connected to the ISP router. The ASA firewall would sit between my LAN and the 2911. My questions are:

1. Is this the best way to connect the two devices in order for the ASA just to do its firewall job?

2. If so, does anyone have a document to guide me in the configuration of both units?

3. Any other suggestions would be appreciated.

Thank you.

Sam.

5 Replies

Rahul Govindan
VIP Alumni

There is nothing wrong in the way it is set up right now. But you really would have to see what the roles of the devices are. If the router is not providing any dynamic routing functionality, that role can be easily taken over by the ASA with static routes. NAT is also a consideration when it comes to gateway devices, and you probably have it set to be done on the router. This functionality too can be ported over to the ASA if the router is just acting as a hop between you and the ISP. Security rules are also easier to create on the ASA than the router, so if it were possible, I would try to remove that router in between and move it over to the ASA.

Rahul,

Thank you for your response. Let me clarify a few things so that you can get a good picture of what I need. First, this is a new circuit coming into our premises that will require a firewall to monitor traffic and mitigate any threats. The ISR 2911 will provide routing functionality.

The ISR 2911 outside interface will be connected to the ISP router. The ASA inside or outside interface (presumably) will be connected to the LAN of the ISR 2911. Either way, the ASA will be set to transparent mode to avoid double NAT, while it provides firewall functionality between the LAN and WAN. (This is where I need a little help if anyone has implemented this kind of scenario.)

I hope I have clarified things a little so that you can get a better perspective of the project.

If the above scenario seems OK (as this is my first time implementing this kind of setup), does anyone out there have step-by-step documentation for configuring this kind of setup?

Thank you.

Sam.

Having the router as the gateway and the ASA as a transparent device definitely would work here. But the majority of deployments are with the ASA as a routed device, hence I am unable to find an example to suit your requirement.

Is your router doing BGP with your ISP or just having a static route to the ISP device? If it is not used for BGP, the router can be replaced with the ASA. If you want to keep the router, you can have the ASA without any NAT in routed mode so that the LAN network only gets translated on the router (no need for double NAT).

Thank you Rahul. My apologies for the late response. My router currently is not doing BGP with the ISP. I have a static route to the ISP.

There is something I missed on the second part of your answer: "you can have the ASA without any NAT in routed mode". Does this mean transparent mode? Or does it mean routed mode without NAT?

Can you offer some insight so that I can better understand the configuration you have in mind.

Thank you.

Sam.

Just routed mode without NAT. So it will look like this:

Users----{inside}ASA{outside}====Router====ISP

The router is really a redundant hop and the ISP can directly connect to the Firewall. But if you want to keep the router, you can have the ASA sitting right behind it as a routed hop.
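A minimal pair of configurations for the routed-mode-without-NAT design described above, added here as an illustration and not taken from the thread or from Cisco documentation. All addresses (RFC 1918 and documentation ranges), interface names and the transit subnet between the ASA and the router are assumptions; the ASA keeps no NAT rules at all, and the router carries both the translation and a static return route for the LAN via the ASA.

```cisco
! ---- ASA 5508 (routed mode, no NAT) ----
interface GigabitEthernet1/1
 description Transit link to ISR 2911 Gi0/1 (assumed)
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet1/2
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Default route points at the router; no "nat" statements are configured,
! so LAN addresses leave the ASA untranslated and are only NATed on the router.
route outside 0.0.0.0 0.0.0.0 10.0.0.1
!
! With no access-list applied, inside (100) to outside (0) is permitted by the
! security-level default and anything initiated from outside is dropped; add
! an explicit outside ACL only for the inbound services you intend to publish.

! ---- ISR 2911 (gateway, static route to ISP, PAT for the LAN) ----
interface GigabitEthernet0/0
 description To ISP router
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description Transit link to ASA outside
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
! Return route for the LAN must go via the ASA, or replies to LAN hosts
! will be black-holed on the router.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 192.168.10.0 255.255.255.0 10.0.0.2
!
! Translate only the LAN prefix that arrives through the ASA.
access-list 10 permit 192.168.10.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
```

After applying, `show nat` on the ASA should list no rules and `show ip nat translations` on the router should show LAN hosts mapped to the Gi0/0 address, which confirms that translation happens only once.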
