Install transparent ASA into existing network with public IPs

Carlomd
Level 1

Hi all, I'm trying to find the best approach on getting my ASA to replace our Juniper. We have public IPs from our ISP, and it's set to NAT the gateway and MIP the inside IPs to outside public IPs.

I tried hooking up the ASA into the leased router and added my inside rules to be accessed from outside, but I'm not able to get to the web or ping. I read that NAT is not needed on the ASA in transparent mode, though it's possible, but in my setup with our ISP I may need to use NAT, or could I get away without it? What would be my best option to get this set up? Any samples or links would be great.

Thanks,

Carlo


Hey Julio, everything is good but this crazy project. Yes, 208.x.x.x is my internal network, and 12.x.x.x is our ISP. Any ideas what could be causing it to not let traffic through?

Hello,

Yes,

route outside 0.0.0.0 0.0.0.0 12.x.x.33

Check the outside route (it's going to 12.x.x.33) while the ASA is in the 208 subnet range!

How would it know how to reach 12.x.x.x?

You know what I mean.

The ISP device should have two interfaces, one that connects to the ASA and the other one to the backbone network (Internet Core).

In this case you should configure the DG on the ASA to point to the ISP interface IP address on the 208 subnet.

Check your private messages.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I see, but I thought that's what the route command is for, to be able to route to other subnets. Our ISP router only has one cable going into the NS25's untrust interface, then out the trust interface to our internal core switch, like this:

internet >> isp router >> asa >> cisco sw

I'm just putting the ASA in place of the Juniper, but it looks like the Juniper works more like a layer 3 router. I'm trying to avoid having to redo all our IPs internally; that's why I chose transparent mode. I may need to contact our ISP for router info. I'll get this eventually.

Hello,

The route is used for :

  • AAA traffic
  • Syslog
  • Management access
  • If the ASA needs to send a packet to a destination that is not on its same network, it will need to send an ICMP packet in order to get the MAC address table populated (with the default gateway MAC address)

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I don't know if it helps, but here's my Juniper's current route setup. This is our current gateway as well (208.x.x.1/32):

ns25-> get route

IPv4 Dest-Routes for (0 entries)
--------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2

IPv4 Dest-Routes for (4 entries)
--------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------
* 1 208.x.x.0/24 eth1 0.0.0.0 C 0 0 Root
* 4 12.x.x.34/32 eth3 0.0.0.0 H 0 0 Root
* 3 12.x.x.32/27 eth3 0.0.0.0 C 0 0 Root
* 2 208.x.x.1/32 eth1 0.0.0.0 H 0 0 Root

ns25-> get route source

S: Static P: Permanent

Src-Routes for (1 entries)
--------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------
* 1 208.x.x.0/24 eth3 12.x.x.33 S 20 1 Root
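A small sanity check for the two points raised in this thread, written as an added example (not from the thread or from Cisco/Juniper): it parses a route table in the NS25 "get route" layout above to show that the Juniper has connected subnets on two interfaces (so it is forwarding at layer 3, which a single-subnet transparent ASA cannot replicate), and it tests whether a transparent-mode ASA's "route outside" next hop is on the same subnet as its management IP, the mismatch Julio pointed out. The thread's addresses are redacted (208.x.x.x, 12.x.x.x), so RFC 5737 test ranges stand in for them; the sample table is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the layout of the NS25 "get route" table from the thread.
# 198.51.100.0/24 stands in for the redacted 208.x.x.0/24 (internal side) and
# 203.0.113.32/27 for the redacted 12.x.x.32/27 (ISP side).
NS25_GET_ROUTE = """\
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------
* 1 198.51.100.0/24 eth1 0.0.0.0 C 0 0 Root
* 4 203.0.113.34/32 eth3 0.0.0.0 H 0 0 Root
* 3 203.0.113.32/27 eth3 0.0.0.0 C 0 0 Root
* 2 198.51.100.1/32 eth1 0.0.0.0 H 0 0 Root
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: ipaddress.IPv4Address
    kind: str  # C = connected, H = host, S = static


def parse_get_route(text: str) -> list:
    """Parse rows of the form '* ID prefix iface gateway P pref mtr vsys'."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] != "*":
            continue  # header or separator line
        _, _, prefix, iface, gw, kind = parts[:6]
        routes.append(Route(ipaddress.ip_network(prefix), iface,
                            ipaddress.ip_address(gw), kind))
    return routes


def connected_subnets(routes) -> dict:
    """Map each interface to the directly connected (C) subnet behind it."""
    return {r.interface: r.prefix for r in routes if r.kind == "C"}


def routes_between_subnets(routes) -> bool:
    """True when connected subnets sit on more than one interface: the box is
    forwarding at layer 3, a role a transparent-mode ASA cannot take over."""
    return len(set(connected_subnets(routes).values())) > 1


def gateway_is_on_link(mgmt_iface: str, gateway: str) -> bool:
    """A transparent ASA's management IP and its 'route outside' next hop must
    share a subnet; otherwise it cannot resolve the gateway's MAC address."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(mgmt_iface).network
```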

Thanks, I'll give it a try.
