12-30-2011 08:36 AM - edited 03-07-2019 04:06 AM
Today I'm going to be reorganizing my network, kind of, and I just wanted to get a second opinion. Right now I have an ASA 5510 and a Cisco 2911 and a Cisco 2960 (and I have two more 2911s and 2960s that handle our phone network).
How the network is set up now:
Router 2911 is on the edge: Gi0/0 has the public IP, Gi0/1 is not used, and then I have 5 individual VLANs (Gi0/1.100, 1.200, 1.300, 1.400, 1.500)
VLAN100 is our internal network 10.10.18.1/24 (router is 10.10.18.1)
And the 2960 is used for switchport access; the ASA is on the side and only used as a VPN.
What I want to do is put the ASA on the edge so I can dump all the access-lists and everything, then the 2911 will only be used to route the traffic. Now I know I will have to reconfigure the VPN, which isn't a problem. My question is: when putting the ASA on the edge, do I just put the public IP on the ASA's e0/0 and then plug the 2911 into the e0/1 of the ASA and give the Gi0/0 of the 2911 the IP address of 10.10.18.1, or do I just shut it down? The reason behind this is because I would actually like to use the ASA for more than just the VPN passthrough.
12-30-2011 09:09 AM
If the Internet connection comes to you as Ethernet I don't see that you need the router at all. There may be some license and/or model limitations but the ASA can certainly handle 5 internal VLANs and a single external port.
12-30-2011 09:28 AM
Thanks Jeff,
So pretty much I should just keep the ASA on the side and just use it for a VPN (in the next few weeks I will be setting it up for a site-to-site VPN; the RA VPN is what I'm using it for now)?
12-30-2011 09:31 AM
No, put the router on the side and let the ASA do all of the work.
Thanks,
Jeff Van Houten
Vice President &
Chief Technology Officer
First Bank and Trust
909 Poydras St.
Suite 3300
New Orleans, LA 70112
www.fbtonline.com
"Your Goals Come First"
12-30-2011 09:44 AM
Ah, gotcha, so ultimately I can do my new setup like this:
ASA
e0/0 - Public IP
e0/1 - No IP address
e0/1.100 (with the 10.10.18.1 becoming new IP address for the ASA)
Router (plugged into e0/1 on the ASA)
gi0/0 - 10.10.18.2
2960 stays plugged into gi0/1 or, if I move the VLANs to the ASA, plugged into the e0/1 of the ASA
12-30-2011 09:51 AM
Take the wire connecting the router to the switch today and plug the router end into the ASA internal interface. Configure all 5 VLANs on the ASA. Take the external wire connected to the router and plug into the external of the ASA. Configure external of ASA to external IP of the router. Move all ACLs to ASA. Turn off router.
Thanks,
Jeff Van Houten
12-30-2011 10:31 AM
Hi,
If you just want to use the router because you have one then I would recommend to keep it ahead of the ASA, i.e. at your WAN side network boundary. Else you can keep the router aside and use the ASA as your WAN gateway with the LAN side directly terminating onto the Cisco 2960 switch.
Regards,
Pawan Sharma
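The cutover discussed in this thread (ASA as the gateway, VLANs terminated on ASA subinterfaces, 2960 trunked straight to it), sketched as an added configuration example that is not from any poster. Only VLAN 100 and 10.10.18.1/24 come from the thread; VLAN IDs 200-500 are inferred from the subinterface numbers, and the `vlan200` name, security level 50, ACL name and every `<...>` value are assumptions or placeholders.

```cisco
! Added example, not from the thread. <...> values are placeholders.
! --- ASA 5510 ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address <PUBLIC_IP> <PUBLIC_MASK>
 no shutdown
!
! Physical trunk port: no name, no address; it only carries the subinterfaces
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.10.18.1 255.255.255.0
!
! Repeat for .300/.400/.500, each with its own nameif, level and gateway
! (vlan200 and level 50 are assumed values)
interface Ethernet0/1.200
 vlan 200
 nameif vlan200
 security-level 50
 ip address <VLAN200_GATEWAY> <VLAN200_MASK>
!
route outside 0.0.0.0 0.0.0.0 <ISP_NEXT_HOP>
!
! The router forwarded between VLANs freely; the ASA does not. Traffic from a
! lower to a higher security level is dropped unless an ACL permits it, and once
! an ACL is bound to an interface its implicit deny replaces the default
! permit toward lower levels, hence the final permit line.
access-list VLAN200_IN extended permit tcp <VLAN200_NET> <VLAN200_MASK> host <INSIDE_SERVER> eq <PORT>
access-list VLAN200_IN extended deny ip <VLAN200_NET> <VLAN200_MASK> 10.10.18.0 255.255.255.0 log
access-list VLAN200_IN extended permit ip <VLAN200_NET> <VLAN200_MASK> any
access-group VLAN200_IN in interface vlan200
!
! Outbound NAT is also required; its syntax depends on the ASA software version.
!
! --- 2960 port facing ASA e0/1 ---
interface <UPLINK_PORT>
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300,400,500
```

After cutover, `show nameif` and `show interface ip brief` on the ASA confirm that each subinterface is named, addressed and up before the router is powered off.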