Edge Router connection for Outside Interface of ASA 5520

johnlee43
Level 1

Hi,

We have ASA 5520 firewall.

For broadband Internet access, we have T1 Router(edge router provided by ISP) which provides public IP's 198.24.210.224/29.

We have usable public IP's 198.24.210.226 - 198.24.210.230 with default gateway 198.24.210.225.

We assigned 198.24.210.230 255.255.255.0 to the outside interface.

If we connect the ASA 5520 outside interface directly to T1 router, can all packets with destination addresses 198.24.210.224/29 reach the outside interface without using other device like another router or switches?

I just assume that only packets with destination address 198.24.210.230(outside interface ip) can reach the outside interface from the edge router.

Is it wrong assumption?  If it is correct, then is there any way to route all packets with destination address 198.24.210.224/29 to the outside interface?

Thank you for helping.

3 Replies

Jouni Forss
VIP Alumni

Hi,

If what you are saying is that you have an ISP router facing your ASA "outside" interface and that ISP router interface that is facing your ASA holds the network 198.24.210.224/29, then there should be no problem.

ISP will route that whole network in their ISP core and advertise it, so traffic destined to any of those IP addresses from that network 198.24.210.224/29 will reach the ISP router/ASA whether you are using the single IP address in question or not.

I guess we were already discussing this same thing on another topic.

Are you still having problems with reaching other IP addresses from the subnet? I would ask the ISP to confirm the configuration on their side and confirm that they can see the ARP for the public IP address that is not working.

- Jouni

Also,

To confirm your ASA configurations we would really have to see the configurations.

- Jouni

sokakkar
Cisco Employee

Hi John,

Now, let's consider the packet flow here. ISP gets a packet for an IP in the range provided to you, say 198.24.210.230 (outside interface IP); it will send an ARP broadcast on the segment b/w ISP router and ASA (considering it is the first packet and ISP has no ARP entries for this subnet). Since the IP is assigned on the outside of the ASA, the ASA will respond to the ARP broadcast and the ISP will be able to pass the frame to the ASA.

However, if a packet comes for another IP in the range which is not assigned anywhere (not on ASA outside or any other device in the segment), no one will respond to the ARP broadcast and hence the packet would be dropped as the layer 2 lookup will fail.

Now, if you have NAT configured on ASA and you use these IP's in range as mapped IP's on outside, ASA will do proxy arp for those IP's and in that way all traffic would be routed to ASA outside. Normally, you would use static NAT for inbound traffic to your internal machines/servers or dynamic PAT to allow internet access to internal users.

HTH.

- Sourav
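To make the packet flow in the reply above concrete, here is an added Python model (not code from the thread, from Cisco, or from any ASA); it uses the thread's own addresses (198.24.210.224/29, gateway .225, outside interface .230) and constructed MAC values. It walks each usable address of the /29 through the ISP router's first-packet ARP lookup, once with only the interface IP on the ASA and once with a hypothetical static NAT mapped address (198.24.210.227) that the ASA proxy-ARPs for. The `Asa` and `IspRouter` classes and the `reachability` and `build_router` helpers are my own names for the model.

```python
import ipaddress

# Constructed sample values taken from the thread: the ISP-assigned /29,
# the ISP router's gateway address and the ASA outside interface address.
PUBLIC_BLOCK = ipaddress.ip_network("198.24.210.224/29")
ISP_GATEWAY = ipaddress.ip_address("198.24.210.225")
ASA_OUTSIDE_IP = ipaddress.ip_address("198.24.210.230")


class Asa:
    """Minimal model of the ASA on the outside segment.

    The ASA answers ARP for its own interface address and, once NAT is
    configured with mapped addresses on the outside interface, proxy-ARPs
    for those mapped addresses too (e.g. a static NAT mapped IP).
    """

    def __init__(self, interface_ip, mapped_ips=(), mac="00:00:5e:00:53:01"):
        self.interface_ip = ipaddress.ip_address(interface_ip)
        self.mapped_ips = {ipaddress.ip_address(ip) for ip in mapped_ips}
        self.mac = mac  # constructed documentation-range MAC, not a real device

    def answers_arp_for(self, target_ip):
        target_ip = ipaddress.ip_address(target_ip)
        return target_ip == self.interface_ip or target_ip in self.mapped_ips


class IspRouter:
    """Model of the ISP edge router's layer-2 lookup on the connected /29."""

    def __init__(self, gateway_ip, connected_block, segment_hosts):
        self.gateway_ip = ipaddress.ip_address(gateway_ip)
        self.connected_block = ipaddress.ip_network(connected_block)
        self.segment_hosts = list(segment_hosts)
        self.arp_cache = {}  # ip -> mac; empty at the "first packet"

    def forward(self, dst_ip):
        """Return what happens to a packet the ISP core hands this router."""
        dst = ipaddress.ip_address(dst_ip)
        if dst == self.gateway_ip:
            return "local"  # addressed to the router itself
        if dst not in self.connected_block:
            return "routed-elsewhere"  # not on the directly connected /29
        if dst in self.arp_cache:
            return "delivered"  # MAC already known, no ARP needed
        # First packet for this IP: ARP broadcast on the segment. Whoever
        # owns (or proxy-ARPs for) the address replies; otherwise nobody does
        # and the layer 2 lookup fails.
        for host in self.segment_hosts:
            if host.answers_arp_for(dst):
                self.arp_cache[dst] = host.mac
                return "delivered"
        return "dropped-no-arp-reply"


def reachability(router, block=PUBLIC_BLOCK):
    """Map every usable address in the block to its fate at the ISP router."""
    return {str(ip): router.forward(ip) for ip in block.hosts()}


def build_router(mapped_ips=()):
    """ISP router with a single ASA on the segment, optionally with NAT mapped IPs."""
    asa = Asa(ASA_OUTSIDE_IP, mapped_ips)
    return IspRouter(ISP_GATEWAY, PUBLIC_BLOCK, [asa])


if __name__ == "__main__":
    print("Without NAT mapped addresses on the ASA:")
    for ip, fate in reachability(build_router()).items():
        print(f"  {ip:<16} {fate}")
    print("With a hypothetical static NAT mapping for 198.24.210.227:")
    for ip, fate in reachability(build_router(["198.24.210.227"])).items():
        print(f"  {ip:<16} {fate}")
```

In the first run only .230 is delivered and .226 to .229 are dropped for lack of an ARP reply; in the second, .227 is delivered as well because the ASA answers ARP on its behalf. The real-world check that matches this model is the one Jouni suggests: have the ISP look at the ARP table on their router interface and confirm an entry exists for each public address that is supposed to work.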
