xDSL router with ASA and a single dynamically assigned IP - best configuration ?

rhbmcse
Level 1

Hi folks.

I'm currently CCENT and studying for CCNA.  I have decided to build my own home lab and use my existing SKY VDSL connection with a cisco 1117 router and an ASA (yet to be decided / purchased).

I'm a little hazy shall we say as to the best way to do this.  People are stating that the Edge firewall should be internet facing thus not exposing the router to the outside world but I cannot see how this is possible as the connection to the outside world is via a POTS socket to the router.

 

The only way I can think of implementing is Router outside i/f (private global) which is DHCP assigned from ISP.

Static NAT this to the inside i/f (private local) (but I don't know how to static NAT a DHCP assigned IP)

Which could then be connected to the ASA outside i/f

But what then ? a further overload NAT on the ASA meaning everything is double NATted ?

Which leads me on to my next and wholly related query of internal VLANS.  What should do the routing for the VLANS?  The ASA or should the ASA pass the routing requests up to the router to do the routing ?

 

I know the 1117 router has an inbuilt firewall and I could use this for simplicity but that's not how I want to train myself - I'd rather use real-life or an near as dammit configuration in a home lab.

 

I hope this makes sense.  If somebody can assist a confused CCNA student as to the BEST way that this should be configured, it would be appreciated!

 

Cheers.

 

Rob.

6 Replies

balaji.bandi
Hall of Fame

Until there is fancy about real kit, you can use VIRL / EVE-NG / GNS3 for your home LAB.

 

If your VDSL support bridge mode you can use your outside interface of FW(ASA) to internet facing.

 

or you can also do this way  VDSL---(outside) ASA --Inside--Lan users.

BB


I don't understand.

 

"Until there is fancy about real kit, you can use VIRL / EVE-NG / GNS3 for your home LAB"

 

This sentence does not make any sense.  But from what I do understand you're recommending I use simulators.  I have GNS3, Packet Tracer etc.  They're all garbage (IMO) and have you jumping through hoops and 'fudging' configurations to work around their limited functionality.  I prefer to use real equipment and have a full rack of Cisco routers and switches at home.  This question is more specifically about the best way of integrating with a Sky VDSL connection, single dynamically assigned IP with VDSL router and separate ASA.  Thank you for the recommendation on simulators but, no.

 

"If your VDSL support bridge mode you can use your outside interface of FW(ASA) to internet facing."

 

Again - this sentence does not make any sense.  If my VDSL support(s)? bridge mode.  By this are you referring to the Cisco router (it has just arrived with me from the vendor).  I'm unsure whether a C1117 ISR does support bridge mode.  Assuming that therefore it would simply "pass through" from one port to the other retaining the same IP on both LAN and WAN ?

 

"or you can also do this way  VDSL---(outside) ASA --Inside--Lan users."

 

Again - this doesn't make sense without an explanation as to how this would work.  VDSL interface is always outside - it has to be.  ASA inside?  Well yes, at least one of its interfaces would be if it's LAN side of (behind) the router but from what I gather this means double NATting which isn't desirable.  NAT once at the router, then once at the ASA ?

 

Many thanks for your response but I'm afraid not much of it has helped!

 

Rob.

Rob

 

I am not familiar with your environment. But if your statement that the outside connection is a POTS socket to the router is correct then I believe that you are correct that the router needs to be outside of the ASA. This does pose some exposure for the router and some might say that is not Best Practice. But it looks like you may not have much choice.

 

If you are going to have router outside of ASA and connecting to ISP I do not think you need to try some static NAT. Looks to me like traffic from inside will need to be natted on the router which would be dynamic nat. And in that case nat on ASA is not required. If you want to do nat on ASA as an educational endeavor you certainly can do that. But from a functionality perspective it is not needed.

 

HTH

 

Rick

Hi Richard - thanks for your assistance with this.

Indeed - it is the C1117ISR that will be physically plugged into the BT DSL outlet and this therefore from your description should do the NATting?  When you say Dynamic NAT - I only have a single dynamically assigned IP so I'm guessing I need to use NAT overload (PAT) rather than Dynamic NAT?

 

I can certainly do that part.  It's the ASA inclusion that's confusing me from there on.  The xDSL port has the public IP which is NATTED to a private, nonroutable IP on the LAN side of the router.  How would the ASA then be configured to talk to the router?  

I was under the illusion that the ASA would need its external (router facing) IP in the same subnet (obviously) as the router's inside interface but would then need to NAT further to its inside interface as part of the firewalling functionality?  Or can the ASA's inside and outside interfaces be on the same subnet and still perform its duties?

 

Just a bit confused as to how it all hangs together - especially when it comes to the inter-vlan routing & firewalling which I want to do.  Presumably the ASA handles this rather than the router?

 

Looking forward to your response - and thanks for the help.  Learning is good.  Especially hands on from experts like you.

 

Cheers.

 

Rob.


Rob

 

You are correct that I used terminology a bit ambiguously. I was trying to make a point about dynamic translation rather than static translation and called it NAT. You are quite correct that with one public IP you will be doing overload or PAT rather than NAT.

 

You keep describing your environment as being a Public IP on outside which is NATTED to a private IP on the LAN side. There are multiple ways to get this to work and probably that is one alternative. But what makes more sense to me is to have the Public IP on the outside, a private IP on the inside, and to configure address translation with overload on the outside interface for anything with an inside address. 

 

If you do it that way it makes doing the ASA easier. This way the router LAN is a private IP and the ASA can have an IP in that subnet and connectivity is easy. You can do most of the things that the ASA would normally do other than doing address translation. You can configure traffic inspection, you can create access rules for traffic between inside and outside (and perhaps DMZ). If you want it as a training experience you could even configure address translation on the ASA, but that makes things considerably more complex and in general I would suggest not having address translation on your ASA.

 

As far as routing for your network you have some choices. My advice is that trying to route for your network on the router (through the ASA) is a bad choice. You could easily route for your network using the ASA. Or you might consider routing for your network on a layer 3 switch connected to the ASA.

 

HTH

 

Rick
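Rick's design above written out as configuration, as an added example that is not from any post in this thread. The interface names (Ethernet0/2/0 for the VDSL side and GigabitEthernet0/0/0 on the router, GigabitEthernet1/1 and 1/2 on the ASA), the 192.168.254.0/30 transit subnet, the 10.0.x.0/24 lab VLANs and the ASA 9.x syntax are all assumptions; whatever DHCP or PPPoE settings Sky requires on the WAN side are not shown. The router translates once, the ASA never translates, and the ASA is the default gateway for every lab VLAN so inter-VLAN traffic always crosses the firewall policy.

```cisco
! ===== ISR 1117 (edge router) =====
! Outside: ISP-assigned address via DHCP. Interface name is an assumption;
! Sky-specific DHCP client-id / ISP VLAN settings are not shown.
interface Ethernet0/2/0
 description ISP (Sky VDSL)
 ip address dhcp
 ip nat outside
 no ip proxy-arp
 no ip redirects
 no cdp enable
!
! Inside: a private transit subnet shared with the ASA outside interface.
interface GigabitEthernet0/0/0
 description Transit to ASA outside
 ip address 192.168.254.1 255.255.255.252
 ip nat inside
!
! Everything behind the ASA (and the ASA itself) is translated once, here,
! to whatever address DHCP hands the outside interface. "overload" = PAT.
! No static NAT of the dynamic address is needed.
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.255.255.255
 permit 192.168.254.0 0.0.0.3
ip nat inside source list NAT-INSIDE interface Ethernet0/2/0 overload
!
! Return path: the lab VLANs live behind the ASA's outside address.
! The default route comes from the DHCP lease, so none is configured here.
ip route 10.0.0.0 255.0.0.0 192.168.254.2

! ===== ASA (no NAT: firewalling + inter-VLAN routing) =====
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.254.2 255.255.255.252
!
! One trunk to the lab switch; each lab VLAN becomes a routed subinterface.
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2.10
 vlan 10
 nameif users
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet1/2.20
 vlan 20
 nameif servers
 security-level 50
 ip address 10.0.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.254.1
!
! Deliberately no "nat" statements: private addresses leave the ASA
! unchanged and are translated once by the router.
!
! Users: HTTPS to the server VLAN, anything to the internet, nothing
! else to the servers.
access-list USERS_IN extended permit tcp 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0 eq 443
access-list USERS_IN extended deny ip 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0 log
access-list USERS_IN extended permit ip 10.0.10.0 255.255.255.0 any
access-group USERS_IN in interface users
!
! Servers: may not start anything toward the users VLAN, and only DNS
! and HTTPS toward the internet.
access-list SERVERS_IN extended deny ip 10.0.20.0 255.255.255.0 10.0.10.0 255.255.255.0 log
access-list SERVERS_IN extended permit udp 10.0.20.0 255.255.255.0 any eq 53
access-list SERVERS_IN extended permit tcp 10.0.20.0 255.255.255.0 any eq 443
access-list SERVERS_IN extended deny ip any any log
access-group SERVERS_IN in interface servers
!
! Inbound from the internet: the implicit deny on "outside" plus the absence
! of any port-forward on the router means nothing unsolicited reaches the lab.
```

To check that the double-NAT worry does not materialise, generate a flow from a lab host and look at `show ip nat translations` on the router (one entry, inside local 10.0.10.x, inside global the DHCP address) and run `packet-tracer input users tcp 10.0.10.5 1234 8.8.8.8 443` on the ASA, which should show the packet leaving "outside" with its source address untouched. The ASA's default `global_policy` still applies protocol inspection (DNS, FTP and so on) even though it does no translation.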

Hello

Just like to add to Rick's post: even though the router is internet facing it can still be hardened down to some degree via some IOS security such as CBAC or ZBFW, then at least you have some protection from the outside to that router.


Kind Regards
Paul
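Paul's suggestion of ZBFW on the internet-facing router, as an added example that is not from any post in this thread. It assumes the same interface names as above (Ethernet0/2/0 toward the ISP, GigabitEthernet0/0/0 toward the ASA) and the 192.168.254.0/30 and 10.0.0.0/8 lab ranges; all zone, class-map, policy-map and ACL names are made up for the example. The point is that the router's own control plane (the built-in "self" zone) gets an explicit policy too, so the only unsolicited traffic the public address will answer is the DHCP exchange it needs for its lease.

```cisco
! Zones: the VDSL interface is OUTSIDE, the link to the ASA is INSIDE.
! The router's own control plane is the built-in "self" zone.
zone security INSIDE
zone security OUTSIDE
!
interface Ethernet0/2/0
 zone-member security OUTSIDE
interface GigabitEthernet0/0/0
 zone-member security INSIDE
!
! INSIDE -> OUTSIDE: stateful inspection of what the lab starts outbound.
class-map type inspect match-any CM-INSIDE-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-INSIDE-OUT
 class type inspect CM-INSIDE-OUT
  inspect
 class class-default
  drop log
zone-pair security ZP-INSIDE-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUT
!
! OUTSIDE -> INSIDE: no zone-pair on purpose. Traffic between two zones with
! no zone-pair is dropped, and return traffic for inspected sessions is
! matched by the state created above, so nothing unsolicited from the
! internet reaches the transit link or the ASA.
!
! self -> OUTSIDE: let the router itself originate DHCP, NTP, DNS and ping.
! (Inspection in the self zone is limited to TCP, UDP and ICMP.)
class-map type inspect match-any CM-SELF-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-SELF-OUT
 class type inspect CM-SELF-OUT
  inspect
 class class-default
  drop log
zone-pair security ZP-SELF-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-OUT
!
! OUTSIDE -> self: the only unsolicited traffic the router accepts from the
! internet is the server side of its own DHCP lease (offers/acks may arrive
! as broadcasts that do not match the inspected session), so it is passed
! rather than inspected. Everything else aimed at the public address is
! dropped and logged.
ip access-list extended ACL-DHCP-CLIENT
 permit udp any eq bootps any eq bootpc
class-map type inspect match-all CM-OUT-SELF
 match access-group name ACL-DHCP-CLIENT
policy-map type inspect PM-OUT-SELF
 class type inspect CM-OUT-SELF
  pass
 class class-default
  drop log
zone-pair security ZP-OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF
!
! Management only from the lab side, over SSH.
ip access-list standard ACL-MGMT
 permit 192.168.254.0 0.0.0.3
 permit 10.0.0.0 0.255.255.255
line vty 0 4
 access-class ACL-MGMT in
 transport input ssh
```

Apply the self-zone pieces from the console rather than over SSH: a mistake in ZP-OUT-SELF can drop the DHCP reply and cost the router its public address. `show policy-map type inspect zone-pair sessions` shows the state table, and the `drop log` classes make probes against the public IP visible in the router log, which is useful for seeing what an exposed edge actually receives.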