
ASA to Router Config

gregory.payne
Level 1

Hello all,

I have a question and I am hoping you can answer it for me.

I have a situation where I am going to have an ISR 1941 connected to an ASA 5508.

The public IPs for the outside interfaces of the router and the ASA need to be on the same /29. This will mean my connection will have to pass through the inside interface of the router.

I know it can be done, I just can't find the right article to show me examples.

Also I need a good article that can show me how to pass traffic from the ASA to the Router if my router will be at the border and the ASA is behind it.

3 Replies

Pulkit Saxena
Cisco Employee

Hi Gregory,

Could you please explain your query in a little more detail? For now, I understand that the router's outside interface will be connected to the ASA, which makes the ASA the border device; however, you are saying the opposite.

If possible, just make a rough topology and confirm your exact query. 

To be honest, it does not look to be a big task, as all we need to do is apply interface-level configuration on the ASA and apply some access rules to allow the traffic.

-

Pulkit

Yes, it is the opposite. The current environment does not have a router. It is just the firewall. We will be putting a router at the border to do DMVPN. We currently have a meshed topology through site-to-site VPNs on the ASA. While doing this transition we need to keep that ASA VPN connection up from all the remote sites, which means I have to have a public IP on both the outside interface of the router and the ASA. I do not have 2 separate blocks of public IPs, just a single /29. I need to place the 2 outside interfaces on the same subnet and pass the traffic through the inside interface of the router.

Internet----Router-----Firewall

If you have an open IP from your ISP provider and your current meshed topology is internet facing, apply an open public IP address to the router and place it in parallel to the ASA. Then you can drop a tunnel on the ASA and bring it up through the router.

Another alternative is to attach the "outside" interface of the router to the ASA and apply a static NAT using an open public IP address to leverage the protection the firewall brings.
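
The second alternative above (router behind the ASA, published with a static NAT from the same /29), sketched as an added ASA 8.3+ configuration example that is not from any poster in this thread. All addresses, the interface name `dmz`, and the object and ACL names are constructed assumptions.

```cisco
! Constructed addressing, not taken from the thread:
!   public /29        203.0.113.0/29 (ISP gateway .1, ASA outside .2)
!   router public IP  203.0.113.3, a free address in the same /29
!   router real IP    10.0.50.2, behind an ASA interface assumed to be named "dmz"
!
! One-to-one static NAT: the ASA answers for 203.0.113.3 on the outside
! and forwards to the router's outside interface.
object network DMVPN-ROUTER
 host 10.0.50.2
 nat (dmz,outside) static 203.0.113.3
!
! On ASA 8.3 and later, interface ACLs match the real (pre-NAT) address,
! so the entries reference the object rather than 203.0.113.3.
! Behind a static NAT the IPsec peers detect the translation and use NAT-T,
! so only IKE (UDP 500) and NAT-T (UDP 4500) are opened, nothing else.
access-list OUTSIDE_IN extended permit udp any object DMVPN-ROUTER eq isakmp
access-list OUTSIDE_IN extended permit udp any object DMVPN-ROUTER eq 4500
!
! If an ACL is already bound to the outside interface, add the two entries
! to that ACL instead; a new access-group would replace the existing binding.
access-group OUTSIDE_IN in interface outside
```

The existing site-to-site tunnels keep terminating on the ASA's own outside address, while DMVPN peers target the translated address. `show nat detail` and `show access-list OUTSIDE_IN` hit counters confirm whether tunnel traffic is matching the new entries.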
