
SOS! Need suggestion for router, ASAP!

jlobrutto
Level 1

We were just informed by an ISP that they are not providing a router for an installation on Friday. We have an ASA 5505 currently and the current ISP has an Adtran router in place. Our ASA has VPNs set up to our 2 other locations. About 30-40 people connect to this location over terminal services via the VPN; they also print and conduct minimal file transfers. We are switching ISPs to go from a 3 Meg to a 10 Meg circuit.

I have a very low budget and have been told all I need to get is an 800 series router with 2 interfaces to accomplish the task. I have included a diagram that the ISP gave me. Can someone suggest the proper router I need to do what is described in the picture? The one other thing that I need to add is that we may want to hang a small switch off the router to put a separate firewall in the future. If this prevents me from getting an 800, because this is really my price range, we are willing to give this up.

I have put an "X" for the first two octets in the picture so as not to post my IPs. These 2 octets are the same throughout.

Thanks for any help you can provide as Network admin is not my forte.

IPconf.jpg

4 Replies

darren.g
Level 5

John Lo Brutto wrote:

We were just informed by an ISP that they are not providing a router for an installation on Friday. We have an ASA 5505 currently and the current ISP has an Adtran router in place. Our ASA has VPNs set up to our 2 other locations. About 30-40 people connect to this location over terminal services via the VPN; they also print and conduct minimal file transfers. We are switching ISPs to go from a 3 Meg to a 10 Meg circuit.

I have a very low budget and have been told all I need to get is an 800 series router with 2 interfaces to accomplish the task. I have included a diagram that the ISP gave me. Can someone suggest the proper router I need to do what is described in the picture? The one other thing that I need to add is that we may want to hang a small switch off the router to put a separate firewall in the future. If this prevents me from getting an 800, because this is really my price range, we are willing to give this up.

I have put an "X" for the first two octets in the picture so as not to post my IPs. These 2 octets are the same throughout.

Thanks for any help you can provide as Network admin is not my forte.

Why use a router at all? The ASA will happily route your traffic out - as long as your ISP presents your 10 meg link as an ethernet service, and you don't need complex routing (which I assume you don't, given that it's a single link).

Just configure the WAN router IP (X.X.140.234) on your "outside" interface on the 5505 - it's got more than enough throughput to handle a 10 meg internet link - and add a static route into your ASA routing table something like this (values from your diagram)

route outside 0.0.0.0 0.0.0.0 X.X.140.233 1

You then NAT everything to your outside interface, and away you go.

Cheers.

But then my inside would need to be x.x.138.198/28; I need my inside to be 192.x.x.x/24. I need to use most of the IPs in the assigned public block and do quite a bit of port forwarding.

As I said, this is not my forte; please correct me if I am wrong.

Also just talked with the ISP, it needs to support RIP.

John Lo Brutto wrote:

But then my inside would need to be x.x.138.198/28; I need my inside to be 192.x.x.x/24. I need to use most of the IPs in the assigned public block and do quite a bit of port forwarding.

As I said, this is not my forte; please correct me if I am wrong.

Also just talked with the ISP, it needs to support RIP.

No, your "inside" can be anything you want - including an address in the 192.168.x.x/24 range (RFC1918) - if you have x.x.138.198/28 addressing you need, you assign a DMZ on another port (or using a VLAN, or using NAT to inside addresses). The ASA supports both RIP version 1 & 2, so it's still perfectly capable of what you want.

For example, you have your "inside" network set to 192.168.1.0/24, with your ASA interface set to 192.168.1.254/24, and a server on 192.168.1.10/24 which you WANT to be x.x.138.199/28 as far as the outside world is concerned.

The following command on the ASA will NAT the x.x.138.199 address to 192.168.1.10

asa(config)# static (outside,inside) 192.168.1.10 x.x.138.199 netmask 255.255.255.255

With this, anything which is addressed to x.x.138.199 which comes IN to the ASA on the outside interface addressed to x.x.138.199 will be redirected to the INSIDE server 192.168.1.10.

To make it bi-directional - i.e. anything which goes OUT the ASA from the INSIDE address 192.168.1.10 appears to originate from x.x.138.199 - do this:

asa(config)# static (inside,outside) x.x.138.199 192.168.1.10 netmask 255.255.255.255

Of course, if you use a DMZ, you don't have to NAT at all - just assign one of your /28 addresses to the DMZ interface and use the others directly connected to this interface. I do exactly that with a chunk of my company's address space like this:

asa# show run | include dmz

asa# nat (dmz) 0 access-list dmz_nat0_outbound

In short, you don't NEED a router provided the internet link is delivered via an ethernet drop - if it's some other format (SHDSL, high speed serial etc), you will need a router with an appropriate interface. The ASA will do what you need if configured correctly.

For configuration, I *strongly* suggest you find someone who knows what they're doing with ASA's and hire them to do it.

Cheers.
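The pieces discussed in this reply, put together with the inbound access list that decides what the published address actually exposes. This is an added example, not configuration from the thread's posters; it uses pre-8.3 ASA syntax like the commands above and assumes a /30 mask on the WAN link, Ethernet0/0 as the uplink port, HTTPS as the published service, and the ACL name OUTSIDE_IN.

```cisco
! Added example. X.X / x.x octets are masked as in the thread.
! Assumed values: /30 WAN mask, Ethernet0/0 uplink, tcp/443 service, ACL name.

interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.140.234 255.255.255.252
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
! Default route to the ISP side of the link
route outside 0.0.0.0 0.0.0.0 X.X.140.233 1
!
! General inside hosts share the outside interface address (PAT)
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! One-to-one translation for the server
static (inside,outside) x.x.138.199 192.168.1.10 netmask 255.255.255.255
!
! Traffic arriving on the security-level 0 interface is denied unless an
! access list permits it. Pre-8.3 ACLs match the mapped (public) address.
! Permit only the port the server must publish and log everything else.
access-list OUTSIDE_IN extended permit tcp any host x.x.138.199 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

After applying, `show xlate` lists the active translations and `show access-list OUTSIDE_IN` shows per-line hit counts, which makes it easy to confirm that only the intended port is being matched.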

jwbensley
Level 1

It looks to me like you are doing only basic routing, so an 800 would suffice at the speeds you mentioned, or for a bit more future proofing 1841s are cheap these days and would do as you require.
