cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
489
Views
0
Helpful
2
Replies

ASA 5510 network topology

gentianhila
Beginner
Beginner

Hello,

We are planning of buying a ASA 5510 with AIP and CSC modules. Currently we are using a 2610 router with a T1 connection and ISDN backup in case T1 goes down.

The router has 2 Ethernet ports.

We do have a group of public IP addresses for our servers. My question is:

How do I connect ASA 5510 to the router ? I do not want to get rid of the router as we do have not only a T1 but also the ISDN.

Is it possible to keep the router or ASA does not need a router at all ?

If so, how can I keep the ISDN still in place ?

We are going to use VPN, DMZ, Anti-X capabilities of ASA.

I looked up some documentation and some configuration examples of ASA 5500 but I found nowhere a situation like mine.

Please, help me. I would really appreciate if you could give me direction to some documentation that answers my question.

Thank you

2 Replies 2

jackko
Rising star
Rising star

private net <--> asa <--> 2610 <--> t1

private net <--> asa <--> 2610 <--> isdn backup

asa doesn't cope with any interface except ethernet, so a router is required usually.

with the posted scenario, the asa would have the 2610 as the defualt gateway.

nat needs to be configured on 2610 as the subnet between asa and 2610 would be private.

e.g.

192.168.1.0 <--> asa <--> 192.168.100.0 <--> 2610 <--> internet

in order to deploy the asa as a vpn determination point, static port forwarding needs to be configured on 2610 as well. the protocols/ports are udp 500, and udp 4500.

finally, please be reminded that only one module is supported on asa. the reason being asa has one and only one slot for module.

Thanks for the answer. We might stick with CSC-SSM only. That would be fine for us.

So the NAT for the DMZ is going to happen at the router you are suggesting ?

Or what I have to do is NAT from router to ASA for all the traffic and then in ASA do the NAT for the DMZ ?

Where are the public IP NATed at 2610 or ASA ? We got a bunch of public IP.

I thought that the interface between ASA and 2610 would belong to the public IP range and all I needed at the router was simply routing from internet to our public IP subnet.

I hope you understand my question.

From what I read at the ASA Getting Started Guide, it looks like DMZ is done at ASA.

I am sorry that it is a little confusing to me but I haven't been able to find suitable scenarios out-there for my case.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: