Connect the ASA inside and outside interfaces to the core switch and route internet traffic through the ASA

fimonteiro
Level 1

Hello everyone,

 

I need expert help to connect the ASA inside and outside interfaces to the core switch and route internet traffic through the ASA.

There are several reasons why we need this setup. Some of them are: a Cisco ASA configured in transparent mode cannot see traffic between our router and the ISP router when we are using PPPoE; we don't have two public IP addresses to use in routed mode; we have GRE/IPSec tunnels ending on the dialer PPPoE interface; etc.

 

So the big question is: can we have the ASA inside and outside interfaces connected to the core switch using VSIs and route internet traffic only through the ASA that way?

 

Enclosed is a diagram for a better understanding.

 

Thank you.

7 Replies

Seb Rupik
VIP Alumni

Hi there,

Do you mean SVIs as in logical Layer3 interfaces?

If so, then what you are describing is a firewall on a stick and would be considered a normal method of deployment.

 

cheers,

Seb.

Hello Seb. Thank you for replying.

 

Yes, I mean logical Layer3 vlan interfaces.

But in this particular case I don't believe the firewall can be deployed using the "on a stick" method because we have the router on a stick already.

Did you have the chance to look at the diagram I attached to the post?

I don't have interfaces available on the router to connect the firewall, I need the router as it is because it is using GRE/IPSec.

So how can I configure the router to forward internet traffic to the firewall and then to go out its internet PPPoE dialer interface?

My big problem is the return traffic from the firewall. How do I avoid a loop, and how do I make sure return traffic from the internet is forwarded back to the firewall and then to the endpoint?

 

Thank you.
You will need to create a new VRF on the router to provide separate routing tables for VLAN900 and VLAN901. Something like:

!
ip vrf OUTSIDE
!
int dialer0
  ip vrf forwarding OUTSIDE
  ...
!
int vlan900
  ip vrf forwarding OUTSIDE
  ...
!
ip route vrf OUTSIDE <internal_subnet_summary> <netmask> <firewall_VLAN900_IP>
ip route 0.0.0.0 0.0.0.0 <firewall_VLAN901_IP>
!

You will need to adjust your existing default route on the router to ensure it applies to the OUTSIDE VRF.

Now, when internet traffic arrives on the dialer0 interface, it will be presented with two routes: either the default back out to the internet, or towards your internal network via VLAN900. In this design traffic moving between VLAN900 and 901 has to go via the firewall.

 

cheers,

Seb.
I'm still a little bit lost with the config.

Imagine we have the INSIDE firewall interface on switch VLAN900 terminating on the VSI gi0/0.900 with 10.0.0.0/30.

And the OUTSIDE firewall interface on switch VLAN901 terminating on the VSI gi0/0.901 with 10.0.0.4/30.

 

What is missing in this config?

 

!
ip vrf OUTSIDE
!
int dialer0
description INTERNET
ip vrf forwarding OUTSIDE
...
!
int gi0/0.900
description FIREWALL INSIDE INTERFACE 10.0.0.2
ip address 10.0.0.1 255.255.255.252
!
int gi0/0.901
description FIREWALL OUTSIDE INTERFACE 10.0.0.6
ip vrf forwarding OUTSIDE
ip address 10.0.0.5 255.255.255.252
!
ip route vrf OUTSIDE <internal_subnet_summary> <netmask> 10.0.0.2
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!

My fault reading your diagram. Try:

ip route vrf OUTSIDE <internal_subnet_summary> <netmask> 10.0.0.6

cheers,

Seb.

What exactly do I need to add for "<internal_subnet_summary> <netmask>"?

Is it the internal workstations source network?

 

Is this config OK then?

 

!
ip vrf OUTSIDE
!
int dialer0
description INTERNET
ip vrf forwarding OUTSIDE
ip nat outside
...
!
int gi0/0.100
description WORKSTATIONS SUBNET
ip address 172.1.0.1 255.255.255.0
ip nat inside
!
int gi0/0.900
description FIREWALL INSIDE INTERFACE 10.0.0.2
ip address 10.0.0.1 255.255.255.252
!
int gi0/0.901
description FIREWALL OUTSIDE INTERFACE 10.0.0.6
ip vrf forwarding OUTSIDE
ip address 10.0.0.5 255.255.255.252
!
ip route vrf OUTSIDE 172.1.0.0 255.255.255.0 10.0.0.6
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
Hello again,

Yes, the route directing traffic from the OUTSIDE VRF into the default 'inside' VRF via the firewall should use a summary address which covers your entire 'inside' range. If you only have that one subnet, then yes, the route you have specified is correct.

 

cheers,

Seb.
