replace 1811 router with ASA 5505

lcaruso
Level 6

Hi,

Please see the attachments.

I'm trying to come up with the config that would allow me to replace an 1811 router with an ASA 5505. The ASA has a Security Plus license.

While there are many unfortunate features of the current network design that could be vastly improved, I'm currently constrained to simply replacing the 1811 with the 5505.

The first issue is that the 1811 has an ip local pool that hands out DHCP addresses to clients behind the 851 router over a site-to-site VPN. This is an issue because when I try to define the dhcpd server using the outside interface, it complains that this cannot be done, with this error message:

dhcpd address 172.x.x.1-172.x.x.32 outside

Address range subnet 172.x.x.1 or 172.x.x.32 is not the same as outside interface subnet 68.x.x.18

How do I work around this and create the same functionality?

2 Accepted Solutions

Hi

Unfortunately the DHCP capacity of the ASA firewall is very limited. It is intended for SOHO. As you can see in the document below, the ASA cannot handle addresses for hosts that are not directly connected to it.

"DHCP clients must be directly connected to the interface on which the server is enabled."

The ASA firewall does support DHCP relay (helper address). However, it does have some limitations. I suggest you read the following document.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1059065

Hope it helps

Mike


Hi,

According to this document:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/dhcp.html

DHCP clients must be directly connected to the interface on which the server is enabled.
I believe this is why the ASA complains about the pool not being on the same range as the outside IP.

The ASA has a DHCP relay functionality that I believe could be used for "ip-helper" (explained in the above link as well).

Hope it helps.

Federico.
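To make the two accepted answers concrete, here is an added example in ASA 8.x CLI syntax (not config from the thread or from Cisco's documentation). All addresses are constructed: inside is 192.168.10.0/24 on Vlan1, the remote subnet behind the 851 is 192.168.20.0/24, and 10.20.30.5 stands in for a DHCP server reachable through the outside interface.

```cisco
! Added example, not from the thread. Constructed addresses:
! inside 192.168.10.0/24, remote site behind the 851 192.168.20.0/24,
! DHCP server 10.20.30.5 reachable via outside.
!
! 1. What the ASA rejects: a dhcpd pool whose subnet is not the subnet of
!    the interface named in the command. The remote clients sit behind the
!    VPN, so they are not directly connected to "outside".
!
!    dhcpd address 192.168.20.1-192.168.20.32 outside
!    -> "Address range subnet ... is not the same as outside interface subnet"
!
! 2. Option A: run dhcpd only for a directly connected interface.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd dns 10.20.30.5
dhcpd lease 86400
dhcpd enable inside
!
! 3. Option B: the ASA equivalent of the 1811's "ip helper-address" on
!    vlan1. DHCP broadcasts arriving on inside are forwarded to the server
!    through outside. Older ASA releases refuse to enable dhcprelay while
!    dhcpd is enabled on any interface, so clear option A first.
no dhcpd enable inside
dhcprelay server 10.20.30.5 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
!
! 4. Neither option serves the 851's clients: their requests arrive on the
!    ASA already relayed by the 851, and dhcpd will not own a pool for a
!    subnet it is not connected to. That pool has to live on the 851 itself
!    or on a DHCP server the 851's helper-address can reach over the tunnel.
```

Check the result with "show dhcpd state" and "show dhcprelay state"; a relay that silently forwards nothing is usually the dhcpd/dhcprelay exclusivity in step 3.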


11 Replies

lcaruso
Level 6

Here's the sanitized config of the 1811. I appreciate your input. Please let me know what other issues you notice with this conversion.

Another issue I have is there is a helper-address on the 1811 vlan1 interface.

I understand the ASA 5505 series cannot provide helper addresses. How do I deal with this?


So the solution is to use another ASA 5505 where the 851 router sits. Would you agree?

Thanks for the link and your discussion.

Unfortunately the DHCP capacity of the ASA firewall is very limited. It is intended for SOHO.

I assume you mean the ASA 5505 offers these limitations instead of the ASA platform in general. Would a 5510 have the capability to hand out addresses to a subnet not directly connected?

This site does not have more than 100 users which fits the SOHO criteria.


Thanks for all of your great posts which are very timely as well.

You're very welcome :-)

I guess it depends on what the motivation was behind the idea of replacing the 1811 with the ASA 5505.

As was mentioned, the ASA lacks the ability to deliver DHCP to non-directly connected users, so you might want to stick with the 1811.

But is staying with the 1811 an option for you? Do you need any features particular to the 5505?

Federico.

Do you need any features particular to the 5505?

The site has been unmanaged for a couple of years and has security issues. It has become a target for hackers, and internally it is unknown what security issues may exist. I need to intervene with a manageable firewall to easily see what is getting in/out, save and review logs, create and manage policies, provide alerts, defeat denial-of-service attacks, shun attackers, etc.

The 1811 only has two static routes and runs no routing protocols. I know the IOS Firewall is effective, but not as manageable in my estimation.

Remote access VPN with AnyConnect was another requirement.

I would not argue with you about moving to a 5505, but you should know that the ZWF (Zone-based Firewall) that can be configured on the router, along with other security measures, can make the router really secure.

Also, remote-access AnyConnect can be configured on the router as well.

Federico.
