Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1066
Views
4
Helpful
3
Replies

Where to put ASA 5505 in my net topology

esantiago151
Level 1
Level 1

‎08-10-2017 09:29 PM - edited ‎03-12-2019 02:48 AM

Hi everyone, I'm planning to integrate an ASA 5505 with Security licence to my home network.

My topology

I have 2 switches 2960, from the core switch I got 3 Vlans to a MikroTik Router. This router handle DHCP, QOS, InterVlan, Nat and a few stuff.

Because I want to learn a little of Asa I'm planning to integrated in my topology. I don't know what are the disavantages  to put it between the router and the broadband modem.

Some one who can give me light.

Labels:
0 Helpful
3 Replies 3

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎08-10-2017 10:52 PM

Hi,

You can put the ASA in between the router and the broadband modem.

It would get the internet access on the outside interface and since the router is giving IP addresses through DHCP , the clients on the inside would be able to get them.

It is always better to put the ASA in the perimeter.

Regards,

Aditya

Please rate helpful and mark correct answers

esantiago151
Level 1
Level 1
In response to Aditya Ganjoo

‎08-11-2017 04:31 PM

Hi Aditya,

Thanks for your feedback, I have issues with the implementation. I want to make the Nat on the Asa, however when the packet pass from to Asa through  to the ISP router it doesn't make the translation. 

Things tested:

-Hosts can reach the MLS1, ASA using ICMP.

-Default routes configured.

- Ping between MLS1 and ASA success.

This is the config of the ASA

:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address 20.1.1.1 255.255.255.252
!
object network Nat
subnet 0.0.0.0 0.0.0.0
!
route inside 192.168.10.0 255.255.255.0 10.1.1.2 1
route inside 192.168.20.0 255.255.255.0 10.1.1.2 1
route outside 0.0.0.0 0.0.0.0 20.1.1.2 1
!
!
!
object network Nat
nat (any,outside) dynamic interface

Also this is the topology made on Packet tracer. 

Thanks in advance

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to esantiago151

‎08-11-2017 11:38 PM

Hi,

Please share the packet tracer output of the concerned traffic.

Also allow icmp inspection using the command fixup protocol icmp.

Please share the output of sh nat and sh xlate.

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card