10-29-2015 09:08 AM - edited 03-08-2019 02:29 AM
People, I need your help.
My network currently has a router connecting to the WAN, which is then connected to a Cisco ASA 5515-X; however, the outside address is on the ASA interface connected to the router.
My plan is to remove the router and replace it with two Cisco routers configured with HSRP.
I also have 7 VLANs running through my LAN, so all the VLAN gateways are on the routers to route between VLANs, also with HSRP. How can I do this with the public address being before the routers?
How do I get through the firewall and use router interfaces as gateways while keeping the constant protection of the ASA?
10-29-2015 09:49 AM
So do you not have VLANs at the moment?
If so, you can either -
1) route the VLANs on the ASA, but you are using two routers so I suspect you want to use those
or
2) move the routers behind the ASA.
But the second option is making assumptions about what the current router is doing, i.e. is it just internet or is it connected to a WAN for other sites?
What is the link type that connects to the outside of the router?
Jon
10-30-2015 08:11 AM
You would -
1) configure the routers' LAN-facing interfaces using subinterfaces for the VLANs and HSRP.
The subinterface IPs would be the default gateways for clients.
2) connect the WAN interface of the router to the ASA inside interface, usually via a switch.
3) add a default route on the router pointing to the inside interface IP of the firewall, and on the firewall add routes for the internal subnets with the IP of the WAN interface on the router.
Then you configure a default route on the firewall pointing to the ISP next hop and configure NAT etc. on the firewall.
That would work fine and your routers are doing all the routing internally between VLANs.
Jon
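The three steps above, written out as configuration. This is an added example, not configuration posted by anyone in the thread. It assumes the single-ASA case asked about at the end of the thread (two 2901 routers behind one ASA 5515-X), shows two of the seven VLANs (10 and 20, 10.0.10.0/24 and 10.0.20.0/24), a /29 transit subnet 192.168.255.0/29 between the routers and the ASA inside interface, the documentation prefix 203.0.113.0/29 on the outside, and the interface names Gi0/0 (LAN trunk) and Gi0/1 (toward the ASA). All addressing, names and the HSRP key string are placeholders. One design choice that goes slightly beyond the answer: HSRP is also run on the transit segment so the ASA's return routes point at a virtual IP rather than one router's physical address; that way the ASA keeps forwarding if the active router dies.

```cisco
! ===== R1 (Cisco 2901, IOS) - HSRP active router for the VLANs shown =====
! Gi0/0 is an 802.1Q trunk to the LAN switches; one subinterface per VLAN.
! Only VLANs 10 and 20 of the seven are shown; repeat the pattern for the rest.
! Track the uplink toward the ASA so a dead uplink also fails the VLANs over.
track 1 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 description Trunk to LAN switches
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 description VLAN 10 - department A (gateway for clients is the HSRP VIP 10.0.10.1)
 encapsulation dot1Q 10
 ip address 10.0.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string HSRP-SECRET
 standby 10 track 1 decrement 20
!
interface GigabitEthernet0/0.20
 description VLAN 20 - department B (gateway for clients is the HSRP VIP 10.0.20.1)
 encapsulation dot1Q 20
 ip address 10.0.20.2 255.255.255.0
 standby version 2
 standby 20 ip 10.0.20.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 authentication md5 key-string HSRP-SECRET
 standby 20 track 1 decrement 20
!
! Gi0/1 faces the ASA inside interface over a small transit subnet (via a switch).
! HSRP here too, so the ASA has a single, stable next hop back into the LAN.
interface GigabitEthernet0/1
 description Transit to ASA inside
 ip address 192.168.255.2 255.255.255.248
 standby version 2
 standby 255 ip 192.168.255.4
 standby 255 priority 110
 standby 255 preempt
 standby 255 authentication md5 key-string HSRP-SECRET
!
! Step 3: anything not in a directly connected VLAN goes to the ASA inside IP.
ip route 0.0.0.0 0.0.0.0 192.168.255.1
!
! ===== R2: identical, except .3 as the real address on every interface and
! ===== the default HSRP priority (100), so R1 is active and R2 takes over.
!
! ===== ASA 5515-X (ASA 9.x syntax) =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.255.1 255.255.255.248
!
! Default route to the ISP next hop; a summary route for the internal subnets
! back to the routers' HSRP VIP on the transit segment (or one route per VLAN).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.255.0.0 192.168.255.4 1
!
! PAT every internal subnet to the outside interface address.
object network INTERNAL_NETS
 subnet 10.0.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
```

With this, a client in VLAN 10 uses 10.0.10.1 as its gateway, the active router forwards anything non-local to 192.168.255.1, the ASA translates it on the way out, and the ASA's stateful inspection lets the replies back in and sends them to 192.168.255.4. Two caveats worth keeping in mind: the ASA's default behaviour permits traffic from the higher security level (inside) to the lower (outside) and blocks unsolicited traffic the other way, so no extra ACL is needed for basic internet access; and because traffic between the seven departments is routed on the 2901s, it never reaches the ASA, so any filtering between VLANs has to be done with ACLs on the router subinterfaces. The two-ASA, two-ISP setup mentioned later in the thread is not covered by this example.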
10-29-2015 09:23 AM
It's not clear what you currently have.
There are two common scenarios -
1) LAN -> L3 switch -> ASA -> internet
where the L3 switch does the routing between vlans and obviously it could be a pair of L3 switches.
Optionally a router can be between the ASA and internet
2) LAN -> ASA -> internet
where the ASA does the routing between vlans.
Works fine as long as you do not have too many VLANs, as an ASA is not a router.
Again there could be a router between the ASA and the internet.
In both setups the public addressing is on the ASAs.
So how does that match up with what you are trying to do?
Jon
10-29-2015 09:44 AM
Thanks mate,
At the moment I have LAN > ASA > Router
and the outside public IP is on the ASA outside interface facing the router.
I want to be able to VLAN my network, maybe without a layer 3 switch but with router on a stick, but how do I point the VLANs to the ASA as their gateway if the router on a stick is routing between them?
P.S. Thank you for the quick reply.
10-30-2015 02:08 AM
The router at the moment is just internet.
So can I have the 2 routers behind the ASA with HSRP and inter-VLAN routing, and the WAN going into the ASA? What will then be the gateway for hosts? Will it still be the routers, then an ACL from the routers to the ASA?
Jeff
10-30-2015 02:09 AM
P.S. There are no VLANs at the moment.
10-30-2015 02:20 AM
Currently LAN > ASA > Huawei Router
(just for internet)
I want to VLAN 7 departments; doing this I will need to set a default gateway for each VLAN network (meaning I can't put the router after the ASA).
I am aware I can route between VLANs on the ASA, but how many?
LAN> RO1 > ASA(Outside Public IP)
RO2 > ASA
(make routers the GW for Hosts)
Can I do this ^? I know how to create VLANs and HSRP on routers.
Where do I NAT: on the ASA, or on the router interface facing the ASA?
I have a lot of questions, I apologise, I am stuck lol. Thanks again.
No problem, ask any questions you like.
I notice in your diagram there are two firewalls, is that what you already have?
You can have your routers inside the firewalls.
The routers route between VLANs and have a default route pointing to the firewall.
The firewall has a default route to the ISP and routes for the internal IP subnets pointing back to the routers.
The clients' default gateways are the subinterfaces on the routers.
Or you can not use the routers at all and use only the firewall(s).
I am assuming the internet connections can be connected directly to the firewalls?
Whichever you choose, the firewall does all the NAT for clients.
The question about how many firewalls is important though, because if you have dual internet connections that can complicate things.
Could you clarify?
Like I say, ask as much as you want; that's what these forums are for.
Jon
10-30-2015 07:30 AM
Thanks mate, much appreciated.
This is my design and I am testing it. I am happy with the ISP going into the ASA(s).
My issue is with the ASAs: I have little experience with them and we have them managed out of house, so configuration isn't a problem for the ISP, VPN etc.
You mention a default route pointing to the firewalls. Is this the connection between the routers and the ASAs?
Do I just configure a route between the 2901 Gig0/1 interface pointing to the ASA and the ASA's Eth0/1 pointing back to the router, for each? Configure a route out of the router's interface to the ASAs?
It is 2 separate ISP lines into the ASAs, one in each.
Do I give the two inside interfaces on the ASAs IPs?
Basically, how do I configure the routes for all clients to get to the firewall, for them to be NATted and sent out?
10-30-2015 07:34 AM
Whose gateway changes to allow the clients going for their router gateway to go to the ASA?
10-30-2015 07:37 AM
All I need now, mate, is to know how to get my clients to ping the ASA inside interface with their router gateway.
10-30-2015 07:44 AM
Are the ASAs acting as a pair or are they standalone firewalls?
Jon
10-30-2015 07:48 AM
At the moment I have it standalone. If you were to say take one of those firewalls out so it was 2 routers going to the ASA then to the internet, how would I configure that?