ASA outside ifc configuration same as wan router ifc

amralrazzaz
Level 5

Dear all,

 

I have added a new ASA5516-FTD-K9 to my network topology as below. Please confirm that the design is fine and that the placement of the ASA is correct.

 

ISP --- ASA5516---ISR 2911 router --- 2960 switch ---2960 switch

 

Now I need to transfer the WAN interface configuration, which was facing the ISP router directly, to the ASA outside interface, which is now connected directly to the ISP router instead of the router; the router will be behind the ASA.

This is the current configuration of the router's WAN interface:

interface GigabitEthernet0/1.224
description connected to PRIMARY_ISP_ETISALAT
encapsulation dot1Q 224
ip address 10.4x.1xx.12 255.255.255.248 secondary   (ISP interface has 10.4x.1xx.12 255.255.255.248) --- how to add a secondary IP on the same ASA outside interface, if possible?
ip address 154.2x6.1x9.1x9 255.255.255.240    (this is public ip using for vpn tunnel)
ip access-group BLOCK_SSH in
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1300   (how to configure this on the ASA?)
crypto map CMAP-NLAMS02E

 

So how do I configure the same on the ASA outside interface, which faces the ISP?

amr alrazzaz
23 Replies
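The translation the question asks for, written out as an added ASA configuration example that is not from the original post or from any reply in this thread. It keeps the thread's redacted addresses (10.4x.1xx.x) as-is, takes the physical interface numbers and the inside /20 summary from the poster's later messages, and assumes the BLOCK_SSH list only needs to drop inbound SSH.

```cisco
! Outside on a dot1Q subinterface so the ASA sends VLAN 224 tagged frames,
! matching "encapsulation dot1Q 224" on the router; the parent gets no nameif
interface GigabitEthernet1/1
 no shutdown
!
interface GigabitEthernet1/1.224
 description connected to PRIMARY_ISP_ETISALAT
 vlan 224
 nameif outside
 security-level 0
 ip address 10.4x.1xx.12 255.255.255.248
!
! ASA interfaces take exactly one IPv4 address: there is no "secondary" keyword
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.246.14.208 255.255.255.0
!
! Equivalent of "ip tcp adjust-mss 1300": the ASA clamps the TCP MSS
! globally (default 1380), not per interface
sysopt connection tcpmss 1300
!
! Equivalent of "ip access-group BLOCK_SSH in": ASA ACLs are named extended
! lists with an implicit deny at the end, so unsolicited inbound SSH is
! already dropped on a security-level 0 interface; the explicit entry only
! makes the intent visible in "show access-list" hit counts
access-list OUTSIDE_IN extended deny tcp any any eq 22
access-group OUTSIDE_IN in interface outside
!
! Equivalent of "ip nat outside": PAT the inside summary (assumed /20,
! taken from the static route in the last post) to the outside address
object network INSIDE_NETS
 subnet 10.246.0.0 255.255.240.0
 nat (inside,outside) dynamic interface
!
! Default route to the ISP router; the VLAN subnets stay behind the 2911
route outside 0.0.0.0 0.0.0.0 10.4x.1xx.11 1
route inside 10.246.0.0 255.255.240.0 10.246.14.207 1
```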

balaji.bandi
Hall of Fame

Personally I would do it like below (not sure what the role of the 2911 is here?):

 

ISP --- ---ISR 2911 router -ASA5516-- 2960 switch ---2960 switch

BB


Dear, the previous network was (ISP - router - SW - SW) and I'm attaching the configurations.

The router is the core of my network topology; I configured everything on it (check attached).

 

Now I have a new ASA FTD and I'm putting the FW behind the ISP, so the topology will be as below:

( isp-ASA FW -router 2911-sw-sw )

So my question: is it fine if I put the ASA firewall between the ISP and the 2911 router?

So I'll do the below:

Configure on ASA

- NAT

- Default route pointing to the ISP

- static routes pointing to the Router to know the internal networks

- ACLs

- Configure the public IP under the interface facing to the ISP and set up the nameif and security levels on the specific interfaces. For the OUTSIDE interface it should have a security level of zero, and 100 for the INTERNAL interface.

Configure on the Router

- Default route pointing to the Firewall

- Create the networks for the users 

- If you are going to use Router-in-a-stick scheme, create the sub-interfaces from the physical interface connected to the Switch. 

 

So what's your opinion on that?

amr alrazzaz

Hello,

 

Most of the commands cannot be 'translated' one to one. Below is what a generic IKEv1 VPN configuration would look like on the ASA. Secondary IP addressing is not supported, unfortunately...

 

interface GigabitEthernet0/1.224
description connected to PRIMARY_ISP_ETISALAT
vlan 224
nameif outside
security-level 0
ip address 154.2x6.1x9.1x9 255.255.255.240
!
access-group BLOCK_SSH in interface outside
!
access-list BLOCK_SSH extended deny tcp x.x.x.x y.y.y.y any eq 22
!
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key cisco123
!
crypto ipsec ikev1 transform-set <tset-name> esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
!
access-list 101 permit ip source_subnet 255.255.255.0 destination_subnet 255.255.255.0
!
crypto map CMAP-NLAMS02E 10 set ikev1 transform-set <tset-name>
crypto map CMAP-NLAMS02E 10 set peer <peer-ip>
crypto map CMAP-NLAMS02E 10 match address 101
!
crypto ikev1 enable outside
!
crypto map CMAP-NLAMS02E interface outside

I already had the IKEv2 site-to-site configuration on the router, but I'm going to add the new ASA to my topology between the ISP and the current ISR2911 router, so I need to remove some configuration from the router (VPN/ACL/NAT) and configure it on the ASA.

So if the ASA interface does not support a secondary IP, can I do the below? But first, just let me know if the placement of the ASA is fine (ISP - ASA - 2911 router - SW1 - SW2)?

 

ISP ROUTER (10.43.1xx.11) ------- ASA outside (10.43.1xx.12) + ASA inside (10.246.14.208) ------- ISR2911 (10.246.14.207 secondary & 154.2X6.18X.12X public IP for VPN tunnel)

 

 

NOTE: router config attached in case you need to have a look.

So I can build up the tunnel, but the public IP address will be configured on the router interface which faces the ASA inside interface.

amr alrazzaz

Hello

To keep the same addressing between the ISP, your router and the switch but still incorporate the FW, position the FW between the router and the switch and run it in transparent mode.



Kind Regards
Paul

Hello,

 

Can I keep it like this for now? Is it fine if it is like this (ISP - ASA - ROUTER - SW1 - SW2)?

 

NOTE: the ROUTER is handling everything for now, until I add the ASA in a couple of days.

 

I already attached the config for you to have a look.

amr alrazzaz

Hello,

 

One thing to consider is what bandwidth you get from your ISP. The 2911 (if it is the ISR G2) gets you 200MB max throughput. You might want to get rid of it altogether and replace it with e.g. a 4K router.

amr alrazzaz

 

As other responses have pointed out there is very little of the interface config from your router that can be directly transferred to the ASA. What you need to do is to examine the functionality of the router interface and figure out how that functionality would be implemented on the ASA.

 

Perhaps a starting point would be to evaluate the functions performed by the router (not necessarily just the outside interface) and determine what functions would remain on the router and what functions would move to the ASA.

- if there are several switches it suggests that the router is performing inter vlan routing. Is that the case? Should the inter vlan routing remain on the router or would you want to move it to the ASA?

- is the router perhaps acting as a DHCP server for the subnets of the vlans in your network? If so would this remain on the router or would you want to move it to the ASA?

- does the router enforce any security policies for the vlans of the network? If so would these remain on the router or would they move to the ASA?

- the crypto map on the router interface indicates that some type of VPN is operating. Is this a site to site VPN or is it a Remote Access VPN? Whichever type it is, it is likely that you will want to move the VPN function from the router to the ASA.

- the ip nat outside indicates that the router is performing address translation for the networks on the inside. Probably you will want to move this function to the ASA.

- the router outside interface is configured to connect to a trunk and to process a vlan sending tagged Ethernet frames. You would want to configure the ASA interface for that function.

- it is not clear why the router has a primary and a secondary IP address. The ASA does not support secondary addressing. You need to clarify what functions the router is doing with both addresses and determine how they can be moved to the ASA. One of those addresses is used for a transit link for routing between the ISP and the router. This would be the address moved to the ASA interface. What is the other address used for? You would need to clarify this and then to find a way to implement that function on the ASA.

- there is an access list applied as a traffic filter on the router interface. We do not know what is in that access list. The ASA has a default security policy for its outside interface and this policy might already accomplish what the router acl does. If not you need to incorporate some of the router acl logic to the security policy of the ASA.

HTH

Rick

Let me make a general statement to make it more clear. I have an existing network (that works ok) which has a 2911 router and 2 layer 2 switches. I have obtained an ASA/FTD (which provides a much more effective firewall for your network) which you want to implement. I am assuming that I want to leave most of the internal networking as it is and to focus on what is needed to deploy the ASA.

I'll attach the config of the router, which is handling everything such as (inter-VLAN routing with around 12 VLAN sub-interfaces / ACL / NAT / VPN IKEv2 site-to-site / CME telephony services configuration / ip helper-address (DHCP) on each sub-interface / and others).

Check the attached router config and network design after adding the FW (hope the placement of the ASA is fine)!

 

So is it okay to put the FW between the ISP and the 2911 router (ISP - ASA - router - SW1 - SW2)?

 

Also, if it's like this, I have to transfer the NAT/ACL/VPN configurations from the router to the ASA (am I correct?).

Also, if the ASA interface does not accept a secondary IP address, can I make it like this, as below:

ISP ROUTER (10.43.1xx.11) ------- ASA outside (10.43.1xx.12) + ASA inside (10.246.14.208) ------- ISR2911 (10.246.14.207 secondary & 154.2X6.18X.12X public IP for VPN tunnel)

 

amr alrazzaz

BW is 15 MB SDSL.

And my question: the ASA will face the ISP router instead of the ISR2911 office router,

so I have shared the config of the router WAN interface which connects to the ISP, and I need to know how to do the same on the ASA outside interface, which will be directly connected to the ISP.

 

This is the current configuration of the router's WAN interface:

interface GigabitEthernet0/1.224
description connected to PRIMARY_ISP_ETISALAT
encapsulation dot1Q 224
ip address 10.4x.1xx.12 255.255.255.248 secondary   (ISP interface has 10.4x.1xx.12 255.255.255.248) --- how to add a secondary IP on the same ASA outside interface, if possible?
ip address 154.2x6.1x9.1x9 255.255.255.240    (this is public ip using for vpn tunnel)
ip tcp adjust-mss 1300   (how to configure this on the ASA?)

amr alrazzaz

amr alrazzaz

 

Thanks for the additional information, and especially for the router config. You have asked several times if it makes sense to have the new topology placing the new ASA between the router and the ISP so that it becomes ISP - ASA - router - switch - switch. Given what you have told us (and especially considering the inter vlan routing and the telephony services) I would say it is very appropriate to place the new ASA between the ISP and the router.

HTH

Rick

Richard Burts 

 

Thanks for your confirmation to keep the ASA placement the same as I said. Now regarding my question of how to configure the ASA outside interface, which is directly connected to the ISP router instead of the 2911 ISR router, as below:

interface GigabitEthernet0/1.224
description connected to PRIMARY_ISP_ETISALAT
encapsulation dot1Q 224
ip address 10.4x.1xx.12 255.255.255.248 secondary   (ISP interface has 10.4x.1xx.12 255.255.255.248) --- how to add a secondary IP on the same ASA outside interface, if possible?
ip address 154.2x6.1x9.1x9 255.255.255.240    (this is public ip using for vpn tunnel)
ip access-group BLOCK_SSH in
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1300   (how to configure this on the ASA?)
crypto map CMAP-NLAMS02E

 

Note: the purpose of the secondary IP (10.4x.1xx.12) is routing connectivity between the ISP router and my router, because the ISP interface is assigned 10.4x.1xx.11; the primary IP is a public IP, 154.2x6.1x9.1x9, used for the site-to-site VPN tunnel.

 

So my question is: if the ASA outside interface does not accept 2 IP addresses, can I do the below, and maybe it will work? Not sure!

ISP ROUTER (10.43.1xx.11) ------- ASA outside (10.43.1xx.12) + ASA inside (10.246.14.208) ------- ISR2911 (10.246.14.207 secondary & 154.2X6.18X.12X public IP for VPN tunnel, so the tunnel can work!). Please check the attached pic for better understanding.

 

 

So the 2911 router interface configuration will be as below:

interface GigabitEthernet0/1.224
description connected to PRIMARY_ISP_ETISALAT
no encapsulation dot1Q 224
ip address 10.246.14.207 255.255.255.0 secondary 
ip address 154.2x6.1x9.1x9 255.255.255.240    (keep this is public ip using for vpn tunnel)
no ip access-group BLOCK_SSH in
ip flow ingress
ip flow egress
no ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1300   (don't know how to configure this on the ASA interface)
no crypto map CMAP-NLAMS02E

 

And the ASA outside interface, which faces the ISP router instead of the 2911, will be as below:

interface GigabitEthernet1/1
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.4x.1xx.12 255.255.255.248
ipv6 address autoconfig
ipv6 enable

 

interface GigabitEthernet1/2
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 100
ip address 10.246.14.208 255.255.255.0

amr alrazzaz

amr alrazzaz

 

To make sure that I am correctly understanding the situation: the private IP is used for the transit link between ASA and ISP (traffic from inside is forwarded over the transit link to get to the ISP and to the Internet) and the Public IP is used for the VPN?

 

In this case it would seem to make sense to leave the Public IP on the router - and to keep the VPN on the router. You are suggesting to have the router interface with a private IP to communicate with the ASA and the Public IP as secondary. I am not sure that this would work well. The ASA side has a single IP while the router has 2 IP. How would the ASA know that the Public IP (for VPN) was on the connected interface? I would suggest putting the Public IP on a different router interface (perhaps even a loopback interface) and configuring a route on the ASA to reach the Public IP using the router private IP as the next hop.

HTH

Rick

Richard Burts

 

1- I can't leave the public IP address on the 2911 router by creating a loopback interface and assigning the public IP address to it.

2- I can't leave the VPN config on the 2911 router as I'm using a demo license, and I already have a license on the ASA, so I will configure the IKEv2 VPN tunnel on it.

3- I have to configure a static route on the ASA pointing to the public network ID, using as next hop the IP address on the interface of the 2911 router which faces the ASA inside interface.

 

Please check the below config for both router and ASA, and check if the VPN will work or not.

ROUTER 2911:
-------------------

interface GigabitEthernet0/1
description connected to ASA INSIDE INTERFACE
ip address 10.246.14.207 255.255.255.0


interface loopback 0
description VPN_PUBLIC_IP
ip address 15x.2xx.1xx.129 255.255.255.240
ip tcp adjust-mss 1300

 

ip route 0.0.0.0 0.0.0.0 10.246.14.208

--------------------------
ASA:
-------------------------
interface GigabitEthernet1/1
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.4x.1xx.12 255.255.255.248
ipv6 address autoconfig
ipv6 enable
!
interface GigabitEthernet1/2
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 100
ip address 10.246.14.208 255.255.255.0

 

route outside 0.0.0.0 0.0.0.0 10.4x.1xx.11 1   (next-hop IP address on the ISP router)
route inside 10.246.0.0 255.255.240.0 10.246.14.207 1  (local network id)
route inside 15x.2xx.1xx.128 255.255.255.240 10.246.14.207 1  (public network id from isp)

 

 

amr alrazzaz