07-23-2010 01:06 PM - edited 03-11-2019 11:15 AM
I am looking at deploying my new ASA 5510 in the following manner:
ADSL & Cable Connections <---> Cisco 2811 Router in Bridge mode <-->NAT <---> ASA 5510 in Routing mode <----> Core Switch
*(Site2Site VPN will be running on ASA)
My questions are thus:
1) Since I have two public (static) IPs from the DSL & Cable connections, should I have two router interfaces connected to two interfaces on the ASA, or can I just have one interface connecting the router and ASA, binding both public IPs onto one ASA interface?
2) Do you see any pitfalls in doing it this way (router in bridge mode) vs just doing a double NAT (NAT traffic at the router, and then again at the ASA)?
Thanks!
-Josh
07-23-2010 01:31 PM
You should be able to bind two IP addresses to one interface on the ASA.
Like say you had two servers on the core switch and you wanted to use two different external IP addresses. You can do something like below where 1.1.1.1 belongs to one ISP and 2.2.2.2 belongs to another ISP
static (inside,outside) 2.2.2.2 192.168.1.5
static (inside,outside) 1.1.1.1 192.168.1.6
You just need to make sure that you have a route back from the router for the networks pointing to the ASA.
As for pitfalls, double NAT may make things confusing but is viable.
Hopefully this makes sense/helps, please tell me if I am not understanding your question.
07-23-2010 01:42 PM
Yes, that makes sense.
As a follow-up question, since the router is bridging the connection, I will need to configure the ASA interface with PPP, etc., for the public IPs. But can I do that with the interface having two public IPs bound to it?
Thanks!
-Josh
07-23-2010 01:59 PM
Both ISPs require PPPoE to get access to your public IP addresses?
The way I was describing before, you would have one public IP address allocated to the physical interface, and then basically the ASA would proxy for the secondary IP address and forward it back to whatever device needed it.
So here was my scenario
router|1.1.1.2 ---- 1.1.1.1| ASA
Then the ASA would have a static for the other ip address so you could host different items like another webserver.
So on the router you would put something like
ip route 2.2.2.2 255.255.255.255 1.1.1.1
And on the ASA you would have
static (inside,outside) 2.2.2.2 192.168.5.5
But if both ISPs require that you do PPPoE to get the IP address, then we will need to think of another way as the ASA will only allow you to get one address from PPPoE.
Is there no way the other ISP could just route the IP back to you without having to do PPPoE?
07-26-2010 06:19 AM
Only one of the ISPs requires PPPoE.
So I could either set it up like you had, or I could run two cables to two nics on the ASA:
ISP#1 <> Router(Int1) <> NAT <--> ASA (Int1)
ISP#2 <> Router(Int2) <> NAT <--> ASA (Int2) (VPN runs over this connection)
Would this have any benefit over your previous proposed solution?
Thanks!
-Josh
07-26-2010 07:50 AM
Ahh since I know that you are using this second link for a VPN, I would say running the two connections directly to the ASA should be fine.
The problem usually with this scenario is that the ASA won't load balance between two ISPs, but since we know the destination for the VPN traffic, we can set up static routes to send it across a secondary internet connection.
So in short, I believe just connecting both ISPs as you have described, directly to the ASA, should be the easiest way. Here is my usual configuration for splitting off the VPN traffic.
Scenario:
E1 is for all traffic but VPN
E2 is VPN only
Default gateway for E1 is 77.0.0.1
Default gateway for E2 is 88.0.0.1
VPN peer is 65.0.0.1 255.255.255.255
VPN lan peers are at 10.0.0.0 255.0.0.0
config:
! default route out E1
route E1 0.0.0.0 0.0.0.0 77.0.0.1
! VPN connections through E2
route E2 65.0.0.1 255.255.255.255 88.0.0.1
route E2 10.0.0.0 255.0.0.0 88.0.0.1
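To check that a route table like the one above really steers only the VPN peer and the remote LAN out E2, here is an added example (not from the thread or from Cisco) that parses ASA-style `route` lines and resolves destinations by longest-prefix match, the same rule the ASA applies. The config text is a constructed copy of the statements in the post; interface names and addresses are those of the scenario.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address


# Constructed copy of the route statements from the post above.
ASA_ROUTES = """
! default route out E1
route E1 0.0.0.0 0.0.0.0 77.0.0.1
! VPN connections through E2
route E2 65.0.0.1 255.255.255.255 88.0.0.1
route E2 10.0.0.0 255.0.0.0 88.0.0.1
"""


def parse_routes(config: str) -> List[Route]:
    """Parse 'route <iface> <net> <mask> <gw>' lines; '!' lines are comments."""
    routes = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[0] != "route" or len(parts) < 5:
            continue  # not a route statement; ignore other config lines
        iface, net, mask, gw = parts[1:5]
        network = ipaddress.IPv4Network((net, mask), strict=False)
        routes.append(Route(iface, network, ipaddress.IPv4Address(gw)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins, so the
    /32 peer and the 10/8 remote LAN leave via E2 and all else hits the default."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def egress(config: str, dst: str) -> Optional[str]:
    """Return 'iface via gateway' for a destination, or None if no route matches."""
    route = lookup(parse_routes(config), dst)
    return f"{route.iface} via {route.gateway}" if route else None


if __name__ == "__main__":
    for d in ("65.0.0.1", "10.20.30.40", "65.0.0.2", "8.8.8.8"):
        print(d, "->", egress(ASA_ROUTES, d))
```

Note that 65.0.0.2 goes out E1: the /32 route covers only the peer itself, so any other traffic to that ISP's range still follows the default.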