06-10-2012 10:07 AM - edited 03-07-2019 07:10 AM
Hi
I have a datacentre where we have only one ISP link, which is already terminated on a Cisco PIX with VPNs configured to clients. Recently we bought a new Cisco ASA Security Plus to set up new VPNs to different data centres. We are looking to use both firewalls; the only problem is we have only 1 ISP link.
Please help me on how I can use the one ISP link with two different firewalls.
ISPdetails:
WAN pool: 14.140.0.X/30
Lan Pool: 14.180.0.Y/28
The WAN pool is configured on the Cisco PIX. Can I use the LAN pool of the ISP as the outside IP address for the new Cisco ASA (remembering I need to configure L2L IPsec VPNs, where that IP would ideally be the peer IP for the other datacentres)?
Or please suggest to me how to configure this ISP link to two firewalls.
ISP link
  |
  |
Cisco PIX (14.140.0.X/30) + ASA
06-10-2012 10:38 AM
You can have your internet link extended to a router and below that you can connect the firewalls. You can define static routes to make such adjustments.
2 scenarios:
WAN router --- Rtr --- Firewalls
WAN rtr --> rtr --> L2 SW --> ASA 1 & ASA 2
In the router you need to define static routes for the ASAs' destination IPs, so that if traffic comes for a public IP defined on ASA1 it is forwarded to ASA1, and similarly for ASA2.
06-10-2012 10:45 AM
Hi karthikeyan,
We do not have a router but have an L3 switch. Can you please explain to me how to configure this on the L3 switch?
Should I use VLANs in the switch, say VLAN 10 for the WAN router and the same VLAN assigned to the two ASAs? If VLANs work in my scenario, do I have to create an SVI for the VLAN with an IP address, or just need to assign the ports to VLAN 10 and that should work?
Thanks,
srikanth
06-11-2012 01:08 AM
Terminate your Internet link on the L3 switch, and connect your firewalls to the L3 switch as well, using routed interfaces.
Say the WAN router is 14.140.0.1/30, and on your L3 switch assign 14.140.0.2/30 to a routed interface.
You need to have a default route in the L3 switch: ip route 0.0.0.0 0.0.0.0 14.140.0.1 (WAN router)
Break the subnets as per the requirement. As a first step I am breaking out two /30 subnets:
1st firewall: 14.180.0.0/30
14.180.0.1 - L3 switch routed interface
14.180.0.2 - ASA firewall outside interface
Default route -> route outside 0.0.0.0 0.0.0.0 14.180.0.1 (L3 switch IP)
2nd firewall:14.180.0.4/30
14.180.0.5 - L3 switch routed interface
14.180.0.6 - ASA firewall outside interface
Default route -> route outside 0.0.0.0 0.0.0.0 14.180.0.5 (L3 switch IP)
You can use the remaining IPs in that range for PAT as per your requirement. But you need to add a static route for whichever IP is used on the respective firewall.
Say you use 14.180.0.10 on the 1st firewall. Then you need a static route in the L3 switch for that address pointing to the respective firewall:
ip route 14.180.0.10 255.255.255.255 14.180.0.2
<---------- PAT IP -------------------------->
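The complete configuration for the layout described in the reply above, written out as an added example (not the poster's own configuration). Interface names, the second PAT address 14.180.0.11, and the choice of Cisco IOS syntax for the L3 switch are assumptions; the addresses and routes are the ones given in the reply.

```text
! ===== L3 switch (Cisco IOS, interface names assumed) =====
ip routing
!
interface GigabitEthernet1/0/1
 description Uplink to ISP WAN router (14.140.0.1)
 no switchport
 ip address 14.140.0.2 255.255.255.252
!
interface GigabitEthernet1/0/2
 description To ASA-1 outside (14.180.0.0/30)
 no switchport
 ip address 14.180.0.1 255.255.255.252
!
interface GigabitEthernet1/0/3
 description To ASA-2 outside (14.180.0.4/30)
 no switchport
 ip address 14.180.0.5 255.255.255.252
!
! Default route towards the ISP
ip route 0.0.0.0 0.0.0.0 14.140.0.1
!
! Every public address used for PAT behind a firewall must be routed to
! that firewall's outside interface (14.180.0.11 is a constructed example)
ip route 14.180.0.10 255.255.255.255 14.180.0.2
ip route 14.180.0.11 255.255.255.255 14.180.0.6

! ===== ASA-1 (outside interface name assumed) =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 14.180.0.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 14.180.0.1 1

! ===== ASA-2 (outside interface name assumed) =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 14.180.0.6 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 14.180.0.5 1
```

Two things to check before relying on this: the ISP must already route the 14.180.0.0/28 pool towards 14.140.0.2 (the reply assumes it does, since that pool was allocated to you), and each ASA's outside address (14.180.0.2 and 14.180.0.6) is the peer IP the other datacentres will use for the L2L IPsec tunnels, so the /32 PAT routes are only needed for additional addresses. Verify with `show ip route` on the switch and `show route` on each ASA. Note that the switch's routed interfaces now sit on the Internet side of both firewalls, so its management plane should be reachable only from inside, not from those interfaces.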