I am looking at deploying my new ASA 5510 in the following manner:
ADSL & Cable Connections <---> Cisco 2811 Router in Bridge mode <-->NAT <---> ASA 5510 in Routing mode <----> Core Switch
*(Site2Site VPN will be running on ASA)
My questions are thus:
1) Since I have two public (static) IPs from the DSL & Cable connections, should I have two router interfaces connected to two interfaces on the ASA, or can I just have one interface connecting the router and ASA, binding both public IPs onto one ASA interface?
2) Do you see any pitfalls in doing it this way (router in bridge mode) vs. just doing a double NAT (NAT traffic at the router, and then again at the ASA)?
You should be able to bind two IP addresses to one interface on the ASA.
Like say you had two servers on the core switch and you wanted to use two different external IP addresses. You can do something like below where 220.127.116.11 belongs to one ISP and 18.104.22.168 belongs to another ISP
static (inside,outside) 22.214.171.124 192.168.1.5
static (inside,outside) 126.96.36.199 192.168.1.6
You just need to make sure that you have a route back from the router for the networks pointing to the ASA.
As for pitfalls, double NAT may make things confusing but is viable.
Hopefully this makes sense/helps, please tell me if I am not understanding your question.
Yes, that makes sense.
As a follow-up question, since the router is bridging the connection, I will need to configure the ASA interface with PPP, etc., for the public IPs, but can I do that with the interface having two public IPs bound to it?
Both ISPs require PPPoE to get access to your public IP addresses?
The way I was describing before, you would have one public IP address allocated to the physical interface, and then basically the ASA would proxy for the secondary IP address and forward it back to whatever device needed it.
So here was my scenario:
router|188.8.131.52 ---- 184.108.40.206| ASA
Then the ASA would have a static for the other ip address so you could host different items like another webserver.
So on the router you would put something like
ip route 220.127.116.11 255.255.255.255 18.104.22.168
And on the ASA you would have
static (inside,outside) 22.214.171.124 192.168.5.5
But if both ISPs require that you do PPPoE to get the IP address, then we will need to think of another way as the ASA will only allow you to get one address from PPPoE.
Is there no way the other ISP could just route the IP back to you without having to do PPPoE?
Only one of the ISPs requires PPPoE.
So I could either set it up like you had, or I could run two cables to two nics on the ASA:
> Router(Int1) <> NAT <--> ASA (Int1)
> Router(Int2) <> NAT <--> ASA (Int2) (VPN runs over this connection)
Would this have any benefit over your previous proposed solution?
Ahh, since I know that you are using this second link for a VPN, I would say running the two connections directly to the ASA should be fine.
The problem usually with this scenario is that the ASA won't load balance between two ISPs, but since we know the destination for the VPN traffic, we can set up static routes to send it across a secondary internet connection.
So in short, I believe just connecting both ISPs as you have described, directly to the ASA, should be the easiest way. Here is my usual configuration for splitting off the VPN traffic.
E1 is for all traffic but VPN
E2 is VPN only
Default gateway for E1 is 126.96.36.199
Default gateway for E2 is 188.8.131.52
VPN peer is 184.108.40.206 255.255.255.255
VPN lan peers are at 10.0.0.0 255.0.0.0
//default route out E1
route E1 0.0.0.0 0.0.0.0 220.127.116.11
//VPN connections through E2
route E2 18.104.22.168 255.255.255.255 22.214.171.124
route E2 10.0.0.0 255.0.0.0 126.96.36.199
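The split above works because the ASA picks the most specific matching route, so the /32 for the VPN peer and the 10.0.0.0/8 remote LAN win over the 0.0.0.0/0 default, and a route is only usable when its next hop sits on the connected subnet of the interface it names. The script below, an added example that is not part of the thread, parses route lines in the same shape as the configuration above, resolves the egress interface by longest-prefix match, and flags any route whose gateway is off-subnet. All addresses (the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and the E1/E2 interface addressing are constructed assumptions, not the poster's real ISP addresses.

```python
import ipaddress

# Constructed ASA-style route fragment (documentation address ranges, not the
# thread's real ISP addresses), mirroring the answer's layout: a default route
# out E1 and two more-specific routes out E2 for the VPN peer and remote LAN.
CONFIG = """\
//default route out E1
route E1 0.0.0.0 0.0.0.0 203.0.113.1
//VPN connections through E2
route E2 198.51.100.25 255.255.255.255 198.51.100.1
route E2 10.0.0.0 255.0.0.0 198.51.100.1
"""

# Assumed (constructed) addressing of the two ISP-facing ASA interfaces.
INTERFACES = {
    "E1": ipaddress.ip_interface("203.0.113.10/24"),
    "E2": ipaddress.ip_interface("198.51.100.10/24"),
}


def parse_routes(config):
    """Parse 'route <intf> <net> <mask> <gateway>' lines into a list of
    (intf, network, gateway) tuples, skipping blank and // comment lines."""
    table = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("//") or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] != "route":
            raise ValueError(f"unrecognised route line: {line!r}")
        _, intf, net, mask, gw = parts
        # ip_network accepts a dotted netmask after the slash.
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        table.append((intf, network, ipaddress.ip_address(gw)))
    return table


def lookup(table, destination):
    """Longest-prefix match: the most specific route containing the
    destination wins, so a /32 peer or 10/8 overrides the /0 default."""
    addr = ipaddress.ip_address(destination)
    best = None
    for intf, network, gw in table:
        if addr in network and (best is None or network.prefixlen > best[1].prefixlen):
            best = (intf, network, gw)
    return best


def egress_interface(table, destination):
    """Name of the interface a packet to `destination` leaves on, or None."""
    match = lookup(table, destination)
    return match[0] if match else None


def validate_next_hops(table, interfaces):
    """Return descriptions of routes whose gateway is not on the connected
    subnet of the interface they name; such a route can never be used."""
    problems = []
    for intf, network, gw in table:
        iface = interfaces.get(intf)
        if iface is None:
            problems.append(f"{network} names unknown interface {intf}")
        elif gw not in iface.network:
            problems.append(f"{network} via {gw} is not on {intf}'s subnet {iface.network}")
    return problems


if __name__ == "__main__":
    routes = parse_routes(CONFIG)
    for dst in ("198.51.100.25", "10.20.30.40", "192.0.2.99"):
        print(f"{dst:15} -> {egress_interface(routes, dst)}")
    print("next-hop problems:", validate_next_hops(routes, INTERFACES))
```

Running it shows the VPN peer and any 10.x host leaving on E2 while an arbitrary internet host leaves on E1; feeding it a route whose gateway belongs to the other ISP's subnet produces a problem entry, which is the mistake to look for when VPN traffic unexpectedly follows the default route.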