Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
736
Views
3
Helpful
6
Replies

ISP->Router->ASA Conceptual Questions

Go to solution
gmayers
Level 1
Level 1

‎11-28-2007 01:43 PM - edited ‎03-03-2019 07:43 PM

Hi,

Wasn't too sure where to post this, but I guess it is a WAN/Routing question so hopefully this forum is ok.

I would like someone to explain the configuration concepts of the following scenario if possible...

I currently have an 1841 router with load balanced ADSL lines. I am doing all the NATs and ACLs on this router. I have allocated a NAT pool of my public addreses and just do the mapping and ACL as required.

I would now like to add an ASA 5505 so that I can provide IPSEC VPN access. As the ASA is a firewall as well, I thought it might be an idea to configure it to do the ACL rather than the 1841.

The questions I have are:

I am guessing I would need to get rid of the NATs on the 1841 and reconfigure them on the ASA. Do I then just assign one public IP to the 1841 FE0/0 and then a 2nd public IP on the outside ASA interface? I can then just do all the NATs on the ASA with a NAT pool on it?

Will the 1841 just act as a true router, basically forwarding all packets received to the ASA, or should I double up and do some ACL checks on it as well?

Any assistance is greatly appreciated - I hope I have explained myself correctly ;)

Thanks,

Graham

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to gmayers

‎11-29-2007 10:39 AM

In Diagram you have good logical physical layaout., this scenario is completely feasable , you would let all traffic inbound from the router beside implementing basic ACL filtering at your edge, the 1841 router can do the basic filtering listed in bellow link, but I do not believe it will be overkill as you are just leting through traffic, for example IPsec encryption l2l vpn or IPsec for that matter is handled and processed by firewall.. but you could start gathering some baisc information from the 1841 for its performance to stablish a baseline prior to network changes, take notes of 1841 cpu utilization as well as all of its interfaces, this way you can have a feeling of your current edge performance to compare with after the changes.

Filtering at the edge Transit ACLs

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

AS far as accessing host from public to DMZ should not be a problem as long there is a static NAT in asa firewall with acls allowing traffic e.g. static (dmz,oustide) tcp interface 80 localIP_ip 80 netmask 255.255.255.255 for http etc.. fruthermore you could do port forwarding using the ASA outside interface IP address and forward tcp ports to different local destination IPs..

Overall I think you have the design well, if in future you consider implementing redundant ISP for back solution using ASA there is a good link you can reference bellow for future reference.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Just in case you were not aware, when buying ASA you will need security plus license to have DMZ support.

ASA comparison

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

HTH

Jorge

Jorge Rodriguez

View solution in original post

6 Replies 6

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎11-28-2007 03:29 PM

Graham, if you want to use the ASA5505 this will become your security perimeter and it make logical sence to have the firewall conduct all those tasks pertains to access list global and static NATs in addition to what you ultimately want to implement ipsec VPN remote access etc.. The ASA5505 will have one outside interface one inside in addition to DMZ support when applying proper license..

ALL translation global public IP addresses pools static NATs will be handle by ASA.. your 1841 router will just become another hop behind ASA-firewall your network but free of any of these ACL duties etc.

no public IPs on the 1841 once ASA is installed, public IP will be configured on ASA outside interface.

Another design would be to place your 1841 router in front of the firewall and provide another layer of security , this is not required but of course it will require some good configurations but will add a bit of more complexity to the design .

HTH

Jorge

Jorge Rodriguez
0 Helpful

Go to solution
gmayers
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎11-29-2007 05:27 AM

Hi Jorge, thanks for responding.

My first thought was to put the 1841 in front of the ASA as the DSL lines terminate on that device. I agree with you that the ASA should handle all the security duties.

So then, if the ASA is behind the 1841, surely the 1841 would have to have a public address assigned to the FE0/0 port so that it could communicate to the ASA on the ASA's outside port?

I will draw it out and attach the image in a bit so that you can see what I mean.

Regards,

Graham

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to gmayers

‎11-29-2007 05:40 AM

Hi Graham, not nessesarily the the FE of 1841 have public IP but would be nice to have it then you would need two public Ips one for asa-outside and one for 1841 FE, but say you only have one Pub-IP the interface facing ISP then I would expect for example 1841 FE be your nat inside interface while 1841 interface facing ISP be the nat outside interface, ASA outside interface would be in the VLAN as FE interface, but on 1841.. but this is just a quick layout, you would have to worry about other acls on 1841 for example allowing IPsec ports inbound etc.. if I have some spare time today tomorrow I will come up with a generic script for 1841 scenario or direct you to some usefull links for edge router facing ISPs.

Rgds

Jorge

Jorge Rodriguez
0 Helpful

Go to solution
gmayers
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎11-29-2007 06:18 AM

Hi Jorge,

I have attached the diagram of how I envisaged it to be. Hopefully this will make sense.

The ADSL lines terminate directly on the 1841, so only one ethernet port is used and is basically the outside interface.

Regards,

Graham

Preview file
83 KB
0 Helpful

Go to solution
Wilson Samuel
Level 7
Level 7
In response to gmayers

‎11-29-2007 06:47 AM

Hi Graham,

Its always advisable to use the Router as the WAN termination equipement of CPE and then use the Firewalls just behind the Router.

However this approach is more resource hungry i.e. IP Address as if you have any DMZ that needs to be publicly accessible, then one must have public IPs upto the Outside and DMZ Zones of the FW.

Alternatively you may use an IOS which has the feature of IOS FW also, however that would mean compromise on the Perimeter Security and Quality (i.e. Router may become over burdened).

Look forward how you are going to implement it.

Kind Regards,

Wilson Samuel

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to gmayers

‎11-29-2007 10:39 AM

In Diagram you have good logical physical layaout., this scenario is completely feasable , you would let all traffic inbound from the router beside implementing basic ACL filtering at your edge, the 1841 router can do the basic filtering listed in bellow link, but I do not believe it will be overkill as you are just leting through traffic, for example IPsec encryption l2l vpn or IPsec for that matter is handled and processed by firewall.. but you could start gathering some baisc information from the 1841 for its performance to stablish a baseline prior to network changes, take notes of 1841 cpu utilization as well as all of its interfaces, this way you can have a feeling of your current edge performance to compare with after the changes.

Filtering at the edge Transit ACLs

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

AS far as accessing host from public to DMZ should not be a problem as long there is a static NAT in asa firewall with acls allowing traffic e.g. static (dmz,oustide) tcp interface 80 localIP_ip 80 netmask 255.255.255.255 for http etc.. fruthermore you could do port forwarding using the ASA outside interface IP address and forward tcp ports to different local destination IPs..

Overall I think you have the design well, if in future you consider implementing redundant ISP for back solution using ASA there is a good link you can reference bellow for future reference.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Just in case you were not aware, when buying ASA you will need security plus license to have DMZ support.

ASA comparison

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

HTH

Jorge

Jorge Rodriguez
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card