10-11-2020 06:22 AM - edited 10-26-2020 08:01 AM
I have a new ASA5516-FTD-K9 and I need to add it to my topology.
The current equipment I have now is as below:
Cisco Catalyst 2960-X 24 GigE PoE 370W 4x1G SFP LAN Base, qty. 2 switches /
Cisco CISCO2911/K9 (CISCO 2911 VOICE BUNDLE PVD 3-16 UC LICENSE PAK FL-CUBE 01 / Cisco 4 port voice interface card - FXO (EHWIC) / Cisco SMARTNET 8X5XNBD Cisco 2911 Voice Bundle), qty. 1
According to the design I currently have (the network design is attached, please have a look).
So my questions are as below:
Find the attached config file + the network layout.
Thanks
10-11-2020 09:21 AM
The main question is, what do you want to achieve with the firewall?
10-11-2020 10:02 AM
I bought the firewall already, and according to my current network diagram I now need to add this FW to my network and configure it.
My router 2911 currently manages everything according to the attached config file.
So my question is where to add it in my network? Is it (ISP---FW---ROUTER---SWITCH)?
Also, what kind of configuration that I have now on the router should be removed, what should be kept and what should be added?
Also, on the FW what kind of configuration should I add according to the config file I have on the router?
On the firewall I need (site-to-site VPN which is currently configured on the router, NAT, ACLs, default route, static route, DHCP relay agent) and what else?
All of this according to what I attached, which I currently have now!!!
10-11-2020 09:26 AM - edited 10-11-2020 09:26 AM
I would place the firewall at the edge of the network. In that case, all the services such as NAT, ACLs, VPN, routing, etc should be moved from the 2911 to the firewall. Basically, the 2911 would become the voice and data gateway to terminate voice traffic which should be allowed through the firewall, and to route the data traffic between the internal and the external world.
Using the UI on the new firewall would be dependent on the code that you will be using on the new firewall. If you are planning to use ASA code then ASDM will be the UI option. However, if you are going to use FTD code, then you would have two options: one is the FDM which allows you to manage the new firewall locally, and the other is via FMC. In the case of FMC, it needs to be installed somewhere such as ESXi or Azure, then you need to register the new firewall to the FMC before you can get started with the ability to deploy configuration. In your case, I think FDM would be enough.
10-11-2020 10:07 AM
I'll use FDM because it will be managed locally for now??
Also, as you said, I should remove all that you mentioned from the router and reconfigure it on the ASA? So I need to know how to configure these via GUI because this is the first time I manage a firewall... If you have a link on how to configure what you mentioned on the ASA it would be appreciated >>>
Also the ASA will be between the ISP and the router?? If I'm correct?
10-11-2020 10:17 AM
Correct, FDM is free, you don't have to pay anything extra to manage your firewall. However, FMC is not; you need to purchase the licenses, which I believe are not cheap.
You might find some posts on my blog useful; although the majority are more FMC focused, please take a look:
Yes, the firewall will be at the edge of your network, facing the ISP externally and the 2911 internally. Here is the Cisco configuration guide for FDM, give it a try, and if you want some help with a specific task let us know:
10-11-2020 10:31 AM
amr alrazzaz
Given the network topology shown in the diagram I believe that the logical place for the new ASA/FTD would be between the 2911 router and the ISP. As you implement the ASA/FTD I believe that you will want to move the address translation from the router to the ASA. I would also suggest moving the VPN site to site from the router to the ASA. (It is possible to leave the site to site VPN on the router if you configure port forwarding on the ASA for the VPN traffic. But I see little benefit in doing this and it does complicate the ASA configuration. So my suggestion is to move the VPN to the ASA.)
You have a number of vlans in the network with inter vlan routing done on the router. I suggest that you leave inter vlan routing on the router and not move it to the ASA. You have configured DHCP processing on the router. I suggest that you leave those on the router and not involve the ASA in any of that processing.
There is extensive configuration on the router for phone processing. Certainly that remains on the router with no changes.
Based on the posted configuration of the router I have these comments:
- I note that you have configured both enable secret and enable password. If enable secret is configured then enable password is ignored and has no effect. I suggest that you remove enable password from the configuration.
- I note some configuration for vpdn but do not see where it is used. I do not see where the introduction of ASA/FTD would impact this and wonder if you might want to remove it.
- there are several configuration entries on the router for crypto parameters. If you are going to move the VPN from router to ASA (as I suggest) these should be removed from the router and configured on the ASA.
- on the router there is a crypto map configured and applied on the outside interface. This should be moved to the ASA.
- there are multiple subinterfaces on the router for the various vlans. For the most part they should remain, but the ip nat inside should be removed from them (assuming that you will move address translation to the ASA.)
- the config has a subinterface configured for the primary ISP (G 0/1.328) and there are several aspects of this to consider
* this subinterface has a public IP configured. This address should probably move to the ASA.
* this interface has a secondary address configured. I am not clear what is the function of this secondary address and not sure what should be done with it. Perhaps it becomes the primary address for the interface?
* if the primary IP address (the public IP) is moved to the ASA then a different private IP should be configured for this interface. This address should be in the same subnet as the IP address configured on the ASA inside interface. Perhaps it would use the 172.19.138 subnet?
* this interface is configured with access-group to apply an access list to filter traffic, especially to deny SSH access. You might keep this access list, but this filtering should now be done on the ASA. I would also note that this access list is fairly complicated with entries for each of the interface addresses on the router. It would have been much more simple to have configured a standard access list permitting the subnets allowed to SSH and applied it using access-class on the vty ports.
* this interface is configured for address translation and with the crypto map for the site to site VPN. Both of these should be moved to the ASA.
- the config shows that G 0/2 is for a secondary ISP. It is currently shut down and not operational. It is not clear whether there are plans to activate this, and if so, what changes it might require on the ASA.
- the nat pool and the nat translation should be removed from the router and configured on the ASA.
- the router has a default route using this next hop
172.19.1x8.8x
where the last octet does not quite match the configuration of the interface which has 9x as the last octet. I assume that this is just a typo and not intentional. Depending on what you decide to do with G 0/1.328 the next hop for the default route might change.
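As an added illustration (not code from the thread or from Cisco): a small Python script that walks a constructed sample of a 2911 running-config and lists which lines the comments above say to remove, move to the ASA, re-point, or review. Every address, interface name and secret in the sample is a placeholder, and the function names are my own.

```python
from typing import List, Tuple
# Constructed sample 2911 running-config; every address, name and secret is a placeholder.
SAMPLE_CONFIG = """\
enable secret 5 $1$PLACEHOLDER
enable password PLACEHOLDER
vpdn enable
crypto isakmp policy 10
 encr aes
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
interface GigabitEthernet0/1.10
 ip address 10.246.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1.328
 ip address 172.19.138.2 255.255.255.0 secondary
 ip address 203.0.113.2 255.255.255.248
 ip access-group DENY-SSH in
 ip nat outside
 crypto map OUTSIDE-MAP
ip nat pool PUBLIC 203.0.113.2 203.0.113.2 netmask 255.255.255.248
ip nat inside source list 1 pool PUBLIC overload
ip route 0.0.0.0 0.0.0.0 172.19.138.1
"""

Finding = Tuple[str, str, str, str]  # (config line, block, action, reason)

def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS config into (top-level line, its indented child lines)."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith(("!", " ")):
            blocks.append((raw.strip(), []))
    return blocks

def audit(config: str) -> List[Finding]:
    """Flag the router lines the migration plan says to remove, move or review."""
    blocks = parse_blocks(config)
    has_secret = any(h.startswith("enable secret") for h, _ in blocks)
    out: List[Finding] = []
    for head, children in blocks:
        if head.startswith("enable password") and has_secret:
            out.append((head, "global", "remove", "ignored while enable secret is set"))
        elif head.startswith("vpdn"):
            out.append((head, "global", "review", "nothing uses it; drop if unintended"))
        elif head.startswith("crypto "):
            out.append((head, "global", "move", "site-to-site VPN goes to the ASA"))
        elif head.startswith("ip nat "):
            out.append((head, "global", "move", "NAT pool and translation go to the ASA"))
        elif head.startswith("ip route 0.0.0.0 0.0.0.0"):
            out.append((head, "global", "repoint", "next hop becomes the ASA inside address"))
        elif head.startswith("interface"):
            for c in children:
                if c in ("ip nat inside", "ip nat outside"):
                    out.append((c, head, "remove", "NAT moves to the ASA"))
                elif c.startswith("crypto map"):
                    out.append((c, head, "remove", "crypto map moves to the ASA"))
                elif c.startswith("ip access-group"):
                    out.append((c, head, "remove", "ASA policy and its ssh command replace it"))
                elif c.startswith("ip address") and c.endswith("secondary"):
                    out.append((c, head, "review", "ASA has no secondary address; pick one"))
    return out

def lines_to_remove(config: str) -> List[str]:
    # Only the lines to delete from the router, prefixed by their interface block.
    return [line if blk == "global" else f"{blk}: {line}"
            for line, blk, action, _ in audit(config) if action == "remove"]
```

Running `audit(SAMPLE_CONFIG)` gives twelve findings; paste your own running-config into the string to get the list for your router.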
10-11-2020 01:15 PM
Here is my reply, please check, thanks.
- I note that you have configured both enable secret and enable password. If enable secret is configured then enable password is ignored and has no effect. I suggest that you remove enable password from the configuration.
Yes, I'll remove it, thanks.
- I note some configuration for vpdn but do not see where it is used. I do not see where the introduction of ASA/FTD would impact this and wonder if you might want to remove it.
Actually I don't know why it was added by itself, I just forgot to ask about it!!! So shall I remove it, and this will not impact the VPN settings?
- there are several configuration entries on the router for crypto parameters. If you are going to move the VPN from router to ASA (as I suggest) these should be removed from the router and configured on the ASA.
Yes, I'll move it for sure, because I have a license for the ASA and on the router I'm just using a demo license to run the site-to-site VPN, so I'll remove all the VPN and configure it on the ASA.
- on the router there is a crypto map configured and applied on the outside interface. This should be moved to the ASA.
I'll remove anything related to the VPN.
- there are multiple subinterfaces on the router for the various vlans. For the most part they should remain, but the ip nat inside should be removed from them (assuming that you will move address translation to the ASA.)
So I should remove it from each sub-interface? and then add it on
- the config has a subinterface configured for the primary ISP (G 0/1.328) and there are several aspects of this to consider
* this subinterface has a public IP configured. This address should probably move to the ASA.
I'll move it to the ASA, but how do I configure the secondary and primary (public IP) on the ASA interface that is connected to the ISP?
* this interface has a secondary address configured. I am not clear what is the function of this secondary address and not sure what should be done with it. Perhaps it becomes the primary address for the interface?
The secondary IP is for connectivity to the ISP router, which is in the same range (172.19.138.xx). I do not know why the ISP company gives one IP to add on my interface and another one as the public IP, so I use one for connectivity and the other as the public IP for VPN purposes. Now how can I configure 2 IP addresses on the same interface on the ASA? Is it possible?
* if the primary IP address (the public IP) is moved to the ASA then a different private IP should be configured for this interface. This address should be in the same subnet as the IP address configured on the ASA inside interface. Perhaps it would use the 172.19.138 subnet?
This range 172.19.138.xx is from the ISP; they provided it to me to add on my interface so I can reach their router.
Now I have the private range 10.246.0.0/20, of which I use like 12 subnetworks for local VLANs (internal). I still have more networks within the range, so can I use one for this purpose between the router and the ASA?
* this interface is configured with access-group to apply an access list to filter traffic, especially to deny SSH access. You might keep this access list, but this filtering should now be done on the ASA. I would also note that this access list is fairly complicated with entries for each of the interface addresses on the router. It would have been much more simple to have configured a standard access list permitting the subnets allowed to SSH and applied it using access-class on the vty ports.
So this access list should be simpler, added on the ASA and removed from the router? If I understand you right, can you please simplify it for me as you said, so it will help to configure it on the ASA?
* this interface is configured for address translation and with the crypto map for the site to site VPN. Both of these should be moved to the ASA.
So this should be moved to the ASA interface which is directly connected to the ISP, and removed from the router, and also remove the nat outside from there?
For the ASA, nat inside and outside (can that be configured on the ASA using the GUI)?
- the config shows that G 0/2 is for a secondary ISP. It is currently shut down and not operational. It is not clear whether there are plans to activate this, and if so, what changes it might require on the ASA.
Yes, this is unused and I'll remove it (is that okay, and will it not affect the configuration?)
- the nat pool and the nat translation should be removed from the router and configured on the ASA.
Can you just show it to me from the config file and paste it here so I can remove it from the router directly (just tell me which lines should be removed and paste them here please) + anything else that might be removed, please share it when you have time.
- the router has a default route using this next hop
Yes, it has the next hop IP address of the ISP router, so this should point to the ASA instead of the ISP router?
Note my router interface G 0/1.328 IP is 172.19.138.2x and the ISP router interface is 172.19.138.1x.
Lastly, if you can just show me which lines should be removed from my config file it would be appreciated, and also a link on how to configure the ASA so I can follow it, with appreciation.
10-11-2020 02:14 PM
amr alrazzaz
If the configuration for vpdn was not intended then I believe that you should remove it. I do not see how that would impact the site to site vpn that is configured.
I am glad that you agree that configuration of the site to site vpn should be moved to the ASA and removed from the router. In a logical perspective it is better - and the licensing aspect makes it more important to move vpn to the ASA.
Assuming that you agree that the nat (address translation) should be on ASA instead of on router then the ip nat inside command should be removed from each of the subinterfaces on the router.
I do not understand the addressing of the interface which connects to the ISP. The public IP address is what I would expect. But the secondary address in 172.19.138 I do not understand. In looking through the configuration the only way it is used is as the next hop in the static default route and in the access list to deny SSH access from outside. Are you telling us that the ISP specified this addressing? If so can you tell us a bit more of what the ISP communicated about this address? I am wondering if the 172.19.138 is for connectivity and if the Public IP is for address translation? I do not believe that the ASA/FTD supports the concept of a secondary address on the interface. Perhaps the output of show arp on the router might shed some light on the use of addresses.
The access list to deny access for SSH is not needed on the ASA. The default security policy of the ASA will take care of this. On the ASA you can configure addresses and subnets that are allowed to connect using SSH. Any network or subnet that is not configured as permitted will be denied. So you no longer need this access list.
Address translation can be configured on the ASA using its GUI.
10-12-2020 03:48 AM
Hi sir, may I have an answer on this please?
* if the primary IP address (the public IP) is moved to the ASA then a different private IP should be configured for this interface. This address should be in the same subnet as the IP address configured on the ASA inside interface. Perhaps it would use the 172.19.138 subnet?
This range 172.19.138.xx is from the ISP; they provided it to me to add on my interface so I can reach their router.
Now I have the private range 10.246.0.0/20, of which I use like 12 subnetworks for local VLANs (internal). I still have more networks within the range, so can I use one for this purpose between the router and the ASA? (Can I use it?)
10-12-2020 01:56 PM
amr alrazzaz
I still would like a better understanding of the 2 IP addresses provided by the ISP. As I look at what has been posted, and particularly at the static default route I believe that the 172.19.138 network is intended to provide the routed transit link to the ISP and that the Public IP is provided for address translation. If that is the case then the 172.19.138 should be removed from the router config and should be configured as the IP address and mask of the ASA outside interface. And that the Public IP should be removed from the router config and should be used on the ASA for address translation. Some subnet from the 10.246.0.0 address block could be used for addressing on the link between your router and the ASA.
10-17-2020 01:27 AM - edited 10-17-2020 04:22 AM
Hi again,
I have attached the new design after adding the ASA and I need to know the below please:
- Is the ASA placement correct?
- For the management port on the ASA, I connected it directly to the switch, so is that correct? Or will it make a loop? How should it be configured? Only put an IP address from the management VLAN I have and remove that cable, or should the cable stay connected to access the ASA?
- I have like 11 VLANs and all are created on the router (sub-interfaces). I already configured an ip helper-address on the router for each sub-interface, so how do I configure it on the ASA for each VLAN? (FlexConnect?) Shall I keep the DHCP configuration on the router?? Is it fine?
- For the public IP address I have on the router interface facing the ISP (public IP and secondary IP), is it possible to configure the same on the ASA interface facing the ISP?
- Where should I configure the ACL? Shall I keep it on the router or remove it and make it on the ASA?
Note: I don't have an ISP router, I just asked them to put the service on the network cable directly.
10-20-2020 08:44 AM
10-21-2020 11:15 AM
amr alrazzaz
I believe that the placement of the ASA is appropriate.
I would not connect the management interface of the ASA to one of the switches. I would have all traffic between the ASA and your internal network go through the 2911 router.
I would keep the 11 vlans, their vlan interfaces, and inter vlan routing on the router and would not attempt to move any of that to the ASA. I would leave the DHCP on the router.
I would suggest that the router is already routing between the vlans and would not change that. There is no need for any traffic from one part of your internal network to go through the ASA to get to another part of your internal network. I would configure a static default route on the router with the next hop as the IP address of the connected interface of the ASA. (I am having difficulty seeing the addressing but it appears to be in the 10.246.14 network?) So the router would forward all outbound traffic to the ASA. You probably will want to configure static routing on the ASA for all of the internal subnets so the ASA will go through the router to get to all of the internal subnets. Or you might consider implementing a dynamic routing protocol between router and ASA for the internal networks.
The drawing shows the ASA outside interface with a Public IP address and a Private IP address as secondary. I do not believe that this will work on the ASA. I still would like better information about what the service provider said about the IP addresses but believe that you will probably want the Private IP as the interface address and use the Public IP for address translation on the ASA.
There is a mention of vpn tunnels on the ASA. This would be appropriate (to move them from the router).
10-21-2020 05:50 PM - edited 10-22-2020 02:59 AM
I believe that the placement of the ASA is appropriate.
- Thanks for your update on this, I'll keep it in the same place.
I would not connect the management interface of the ASA to one of the switches. I would have all traffic between the ASA and your internal network go through the 2911 router.
- I'll remove the cable from the management interface and just put an IP address on it for web access, and it will communicate via the internal network going through the 2911.
I would keep the 11 vlans, their vlan interfaces, and inter vlan routing on the router and would not attempt to move any of that to the ASA. I would leave the DHCP on the router.
- I'll keep the VLANs and sub-interfaces on the router, but shall I create the ACL and NAT on the ASA and remove them from the router?
- Also, shall I create an ACL and NAT to allow traffic between the different VLANs (subnetworks) created on the router? Please find attached the new config I prepared on the ASA for ACL and NAT!!
I would suggest that the router is already routing between the vlans and would not change that. There is no need for any traffic from one part of your internal network to go through the ASA to get to another part of your internal network. I would configure a static default route on the router with the next hop as the IP address of the connected interface of the ASA. (I am having difficulty seeing the addressing but it appears to be in the 10.246.14 network?) So the router would forward all outbound traffic to the ASA. You probably will want to configure static routing on the ASA for all of the internal subnets so the ASA will go through the router to get to all of the internal subnets. Or you might consider implementing a dynamic routing protocol between router and ASA for the internal networks.
- I'll create a default route on the router pointing to the ASA, a default route on the ASA pointing to the ISP, and a static route on the ASA pointing to the router for reachability to the private subnetworks.
- This network 10.246.14.0/24 will be used between the ASA and the router (a subnetwork blocked out of the internal network 10.246.0.0/20 to use between these 2 devices).
The drawing shows the ASA outside interface with a Public IP address and a Private IP address as secondary. I do not believe that this will work on the ASA. I still would like better information about what the service provider said about the IP addresses but believe that you will probably want the Private IP as the interface address and use the Public IP for address translation on the ASA.
- The public IP was provided by the ISP to configure on the outside interface of the router, and the secondary IP is to communicate between my router and the ISP router.
Actually, I don't know why I have to configure 2 IPs on the WAN interface?
Shall I ask the ISP to provide me only the public IP address, with no need for the 2nd one because it will not be used on the ASA?
I have a range of public IP addresses (6 public IPs), so how do I use them the same way I currently have on the router: 1 public IP for VPN and another one for NAT traffic?
Or can I use only 1 public IP and separate the VPN traffic from the NAT (internet translation) traffic? And how do I do this on the ASA after removing it from the 2911?
Also, how do I block traffic from the WiFi guest VLAN to my internal private resources using an ACL (which I am currently doing the same way now on the router)?
There is a mention of vpn tunnels on the ASA. This would be appropriate (to move them from the router).
I'll move the IKEv2 VPN from the router to the ASA.
Thanks