
ISR 3845 w/two BGP ISPs on outside, private address on inside?

accudataa
Level 1

After recently moving all our server infrastructure offsite, our firewall needs in our corporate office have been simplified: establish VPN tunnels to our datacenters, block all public incoming traffic, selectively block outgoing public traffic.  Since this seemed like overkill for the ASA5520 pair we had, and we needed a new router anyway, on Cisco's advice we opted for a 3845 with the SEC/K9 package and sent the 5520s to the new offsite datacenter.

The VPN tunnels are now of critical importance, as all corporate-office access to the servers is via VPN.  We've added a second ISP at the corporate office, and coordinated BGP peering between the two.  The primary ISP gave us a public class C block and both providers advertise our ASN.  No problem there.

Right now, we're using a borrowed ASA 5510 behind the 3845 to act as a firewall and VPN endpoint.  The 5510 has a private address on the inside port, and one address from our class C block on the outside port, and uses the 3845 as the default gateway.  Again, a pretty standard configuration.  Our desired configuration is to eliminate the 5510 and have the 3845 provide firewalling and NAT for our private internal address space.  Our core switch will connect to the inside port of the 3845, which will then apply address translation and traffic rules.

Because of the peered ISPs and BGP, our public class C subnet can't be on any of the physical ports.  It would seem that the public class C needs to be on some kind of virtual interface, so that it's routable via both ISPs, and we can directly connect private-subnet hosts to the inside port.

I'm having no success finding any kind of sample case for this configuration.  I'm pretty proficient with the ASAs, but am pretty creaky with the ISRs, so I need something as the basis for an initial setup.

If there's a better sub-forum in which to post this question, please let me know.  I posted here because it seemed that establishing the security config would be harder than the routing config.

1 Reply

Jon Marshall
Hall of Fame

If these are site-to-site VPN tunnels then you can create a loopback interface on your 3845, giving it one of the class C public addresses, and terminate the VPNs to that interface (see: IPSEC - loopback interface).

As for the NAT, you can use another of the class C addresses in your NAT pool config. For NAT the actual address you use does not need to be allocated to any interface as long as both ISPs route traffic for that IP to your 3845.

Jon
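
The layout described in the reply above, written out as an added IOS configuration example (this is not the original poster's configuration or a Cisco document; it is a sketch of the two ideas in the answer). It assumes a public block of 203.0.113.0/24, ISP point-to-point links of 198.51.100.0/30 and 198.51.100.4/30, an inside LAN of 10.10.0.0/24, datacenter networks in 10.20.0.0/16 behind an ASA at 192.0.2.10, and documentation ASNs 64496 (corporate office), 64497 and 64498 (the two ISPs). Interface names, ACL and crypto map names, and the cipher choices are likewise assumptions.

```cisco
! Added example, not the poster's or Cisco's configuration.
! Assumed: our block 203.0.113.0/24; ISP links 198.51.100.0/30 and .4/30;
! inside LAN 10.10.0.0/24; datacenter LAN 10.20.0.0/16 behind an ASA at
! 192.0.2.10; documentation ASNs 64496 (us), 64497 and 64498 (ISPs).
!
! One public /32 lives on a loopback. It is reachable over either ISP and is
! the only address the remote ASA ever sees as the tunnel peer.
interface Loopback0
 description IPsec endpoint (public /32 from our block)
 ip address 203.0.113.1 255.255.255.255
!
interface GigabitEthernet0/0
 description ISP-A
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip nat outside
 crypto map VPN
!
interface GigabitEthernet0/1
 description ISP-B
 ip address 198.51.100.6 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip nat outside
 crypto map VPN
!
interface GigabitEthernet0/2
 description Inside LAN (core switch)
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip inspect CORP-FW in
!
! Null route anchors the /24 locally so BGP can originate it to both ISPs.
ip route 203.0.113.0 255.255.255.0 Null0
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.5 remote-as 64498
!
! PAT pool: a second public address that sits on no interface. Both ISPs
! route the whole /24 to this router, so it can translate to the address
! without owning it on a port.
ip nat pool PUBLIC-PAT 203.0.113.2 203.0.113.2 netmask 255.255.255.0
ip access-list extended NAT-INSIDE
 remark datacenter traffic must reach the crypto map untranslated
 deny   ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE pool PUBLIC-PAT overload
!
! Site-to-site IPsec sourced from the loopback (assumes an IOS release that
! accepts sha256; use "hash sha" / esp-sha-hmac on older images).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.10
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN-TO-DC
 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.255.255
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS-AES256
 match address VPN-TO-DC
!
! CBAC opens return paths for sessions that leave via the inside interface.
ip inspect name CORP-FW tcp
ip inspect name CORP-FW udp
ip inspect name CORP-FW icmp
!
! Inbound from the Internet: only IKE/ESP to the loopback, BGP from the two
! neighbours, and the decrypted tunnel traffic (IOS re-checks cleartext
! against the inbound ACL after decryption). Everything else is dropped.
ip access-list extended OUTSIDE-IN
 permit udp host 192.0.2.10 host 203.0.113.1 eq isakmp
 permit udp host 192.0.2.10 host 203.0.113.1 eq non500-isakmp
 permit esp host 192.0.2.10 host 203.0.113.1
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 permit tcp host 198.51.100.5 host 198.51.100.6 eq bgp
 permit tcp host 198.51.100.5 eq bgp host 198.51.100.6
 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255
 deny   ip any any log
```

Two points are worth checking after applying something like this. The crypto map is bound to both ISP interfaces but its SAs are keyed on the loopback address, so encrypted packets can leave via one provider and return via the other without the tunnel dropping; `show crypto isakmp sa` and `show crypto ipsec sa` should show a single peer pair regardless of which link is carrying it. The NAT exemption line is the piece most often forgotten: without the `deny` in NAT-INSIDE, datacenter-bound traffic is translated to 203.0.113.2 before it reaches the crypto map and never matches VPN-TO-DC. The CBAC inspection, by contrast, is stateful per exit interface, so plain Internet sessions whose return traffic arrives on the other ISP will be dropped by OUTSIDE-IN; if that asymmetry is routine, prefer steering outbound traffic to one provider (or use the zone-based firewall) rather than loosening the ACL. `show ip nat translations` and `show ip bgp neighbors 198.51.100.1 advertised-routes` confirm the other two assumptions the answer relies on: translations use an address no interface owns, and the /24 is being advertised on both sessions.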
