07-06-2010 04:53 AM - edited 03-04-2019 08:58 AM
Hi,
I got to implement a new network. I have a Cisco router, an ASA and a Layer 3 switch. I would like to make the router as a perimeter router and ASA as firewall. So, the whole connection will be like below:
Internet -> Cisco router -> ASA -> Layer 3 -> PC's.
I got 2 ISP's and I will be configuring two HWIC's of the router with two public IP's and one WIC with a private IP to connect with the ASA. I need to do IPSEC VPN's in the ASA, as well as all the NATing of my servers.
1. So, do I need to NAT the ASA in the cisco router?
2. If I do so, will I be able to create vpn tunnels from the ASA inside?
3. Can I then NAT all the servers in my LAN in ASA using my other free public IP's?
Thanks for any help and suggestions.
- Ribin
07-06-2010 01:32 PM
Hi,
1. Most likely you need a static NAT on the router for the address of the ASA (if the segment between the router and ASA is private).
2. You can then establish VPN tunnels from the Internet terminating on the ASA and access the internal LAN. If you need to establish a VPN from inside the ASA, you should be able as well.
3. You can definitely NAT on the ASA with the appropriate route on the router.
Federico.
07-06-2010 10:50 PM
Ribin,
Agreed with Federico: you can do NATing in the router if the ASA and router interface is private, and then can establish an IPsec tunnel on the public IP of the ASA from the Internet also.
And if you want to do NATing in the ASA, then the ASA needs to be in a public LAN. Check out the below links for NATing and IPsec configuration on the ASA:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml
http://cisco.biz/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
07-07-2010 05:13 AM
Ok..
1. If we go ahead this way, will the router act as a perimeter router?(Note: we are doing NAT of ASA in the router)
2. How can we do load balancing (I need to send traffic via both my ISP's at the same time) using this set up?
3. Is there an option where we will connect the router and ASA using public IP's (so, the router will just act as a router sitting in ISP end doing just the basic default gateway routing to the ISP's) ?
- Ribin
07-12-2010 08:49 AM
No more help ?? Please get me some solution....
- Ribin
07-12-2010 09:38 AM
Hello,
You can do the NAT on the firewall as long as your router is not doing RPF check. If you decide to do the NAT on the ASA, here is a sample configuration:
On the router:
interface Serial0/0
description connection to ISP1
ip address 64.1.1.1 255.255.255.252
exit
interface Serial0/1
description connection to ISP2
ip address 100.1.1.1 255.255.255.252
exit
interface FastEthernet0/0
description connection to Firewall (firewall IP 192.168.1.2)
ip address 192.168.1.1 255.255.255.0
exit
ip route 64.1.1.4 255.255.255.252 192.168.1.2
ip route 64.1.1.8 255.255.255.248 192.168.1.2
ip route 100.1.1.4 255.255.255.252 192.168.1.2
ip route 100.1.1.8 255.255.255.248 192.168.1.2
access-list 1 permit 64.1.1.0 0.0.0.15
access-list 2 permit 100.1.1.0 0.0.0.15
route-map LB permit 10
match ip address 1
set ip next-hop 64.1.1.2
route-map LB permit 20
match ip address 2
set ip next-hop 100.1.1.2
interface fastEthernet 0/0
ip policy route-map LB
On the Firewall:
interface ethernet 0/0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
exit
route outside 0.0.0.0 0.0.0.0 192.168.1.1
For the NAT rules, you need to identify which traffic goes to which ISP and then NAT accordingly. For example, if you want all HTTP/HTTPS traffic to go via ISP2 and everything else to go via ISP1, then
access-list WEB permit tcp any any eq 80
access-list WEB permit tcp any any eq 443
global (outside) 1 64.1.1.4 - 64.1.1.15
global (outside) 2 100.1.1.4 - 100.1.1.15
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 access-list WEB
https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#t10
Hope this helps.
Regards,
NT
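The sample configuration above couples two decisions: the ASA's policy NAT picks the pool (ISP1 or ISP2 addresses) per flow, and the router's route-map LB then picks the next hop from the translated source. The Python model below is an added illustration, not part of NT's post or any Cisco tool; it uses the addresses from the sample config, treats the first pool address as the NAT result (a simplification), and adds a strict uRPF check so you can see why the router must hold routes for the public pools pointing back at the firewall.

```python
import ipaddress

# Constructed model of the thread's sample config (not real Cisco code).
ISP1_NEXT_HOP, ISP2_NEXT_HOP = "64.1.1.2", "100.1.1.2"
ISP1_POOL = ipaddress.ip_network("64.1.1.0/28")    # access-list 1
ISP2_POOL = ipaddress.ip_network("100.1.1.0/28")   # access-list 2
WEB_PORTS = {80, 443}                               # access-list WEB

# Router static routes: public pool prefixes point back at the ASA interface.
ROUTER_ROUTES = {
    ipaddress.ip_network("64.1.1.4/30"): "FastEthernet0/0",
    ipaddress.ip_network("64.1.1.8/29"): "FastEthernet0/0",
    ipaddress.ip_network("100.1.1.4/30"): "FastEthernet0/0",
    ipaddress.ip_network("100.1.1.8/29"): "FastEthernet0/0",
}

def asa_nat(dst_port: int) -> str:
    """Policy NAT: 'nat (inside) 2 access-list WEB' wins for 80/443, else nat id 1.
    Simplification: returns the first address of the chosen global pool."""
    return "100.1.1.4" if dst_port in WEB_PORTS else "64.1.1.4"

def router_pbr(src_ip: str) -> str:
    """route-map LB on FastEthernet0/0: next hop chosen by translated source."""
    ip = ipaddress.ip_address(src_ip)
    if ip in ISP1_POOL:
        return ISP1_NEXT_HOP
    if ip in ISP2_POOL:
        return ISP2_NEXT_HOP
    return "default-route"  # no route-map match: normal forwarding

def strict_urpf_ok(src_ip: str, ingress: str, routes=None) -> bool:
    """Strict uRPF: the longest-match route for the source must exit the
    ingress interface; with no matching route the packet is dropped."""
    routes = ROUTER_ROUTES if routes is None else routes
    ip = ipaddress.ip_address(src_ip)
    matches = [n for n in routes if ip in n]
    if not matches:
        return False
    best = max(matches, key=lambda n: n.prefixlen)
    return routes[best] == ingress

def forward(dst_port: int) -> dict:
    """Trace one LAN flow: ASA NAT, then router RPF check and PBR next hop."""
    nat_src = asa_nat(dst_port)
    return {
        "nat_src": nat_src,
        "rpf_ok": strict_urpf_ok(nat_src, "FastEthernet0/0"),
        "next_hop": router_pbr(nat_src),
    }
```

Run forward(443) and forward(22) to see HTTPS leave via ISP2 and everything else via ISP1; passing routes={} to strict_urpf_ok shows the NATed traffic failing RPF when the return routes are missing.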
07-12-2010 09:50 AM
What is RPF check?
Is there an option where we will connect the router and ASA using public IP's (so, the router will just act as a router sitting in ISP end doing just the basic default gateway routing to the ISP's) ?
The example shows the PIX and Router connected using Private IP's. If I do like that, will I be able to create VPN tunnels from ASA?
- Ribin
07-14-2010 07:40 AM
No more help?
07-14-2010 08:08 AM
Hello,
If you want to connect the ASA and the router using public IP, then you need to work with your ISP and make sure that they give you a range of IP addresses that are different from the address assigned to the ISP link. Then they need to add route statements with routes for the new range pointing to your ISP link address.
On the other hand, you could configure NAT on the router to translate the public IP to the ASA IP.
ip nat inside source static <ASA-private-IP> <public-IP>
As long as you are not blocking anything on the router, you should still be able to establish VPN tunnels between the ASA and outside networks.
Hope this answers your questions.
Regards,
NT
07-14-2010 08:24 AM
Thank you very much for the response.
First scenario where both the router and ASA connected using public IP's:
I got a pool of 32 IP addresses from the ISP (say a.b.c.1 to a.b.c.32) and the ISP has provided me a gateway IP also. In that case, can I give the router IP as a.b.c.1 with a default route to the ISP gateway and the ASA IP as a.b.c.2 with the default route set as a.b.c.1 (router IP)?
Second scenario where router and ASA are connected using private IP's:
Yes, if I do NAT for the ASA private IP, I will be able to create VPN tunnels from the ASA. What about NAT of other servers? Can I do the NAT of servers placed inside my network (behind the ASA and L3) in the ASA using my free public IP's? Note: the ASA is already NATed in the perimeter router.
- Ribin
07-14-2010 08:44 AM
Hello,
I see your point. In this scheme, routing would become a mess. The easiest solution, if you can work with your ISP, is to change the mask on your ISP link from /27 to /30 and configure your ISP interface such that the ISP interface and the gateway fall in the same /30 range. Then, request the ISP to configure a static route that points the remaining 28 addresses to your router (just like in the example I had given earlier). Now, you can configure the link between the ASA and router to be in the public domain and you do not need to do anything on the router (except load balancing).
The other option is to do all the NAT on the router and just do firewalling operations on the ASA. This will also work but if you have any VoIP type applications, then there could be some issues. So, based on your needs and what can be achievable, you need to pick a scheme that works best for your network.
Hope this helps.
Regards,
NT