02-01-2012 03:04 AM
Hi,
We have a Cisco 2851 router and an ASA firewall. We configured the router for IP phones and the ISP connection. The ISP is directly connected to the router, and the ASA firewall is connected to the router. We plan to configure VPN on the router. We have a public IP address available. If I configure the VPN on the firewall, we need to configure the firewall's local IP address to a public IP address. So how do we configure the firewall local IP to a public IP? Where can we configure it, I mean on the router or on the firewall? Please see my firewall and router configuration...
Please help...
02-01-2012 07:43 AM
The ASA would typically be where you set up your public IP address(es). The firewall normally needs to have a public IP on the outside interface for that to work. Once it does, you can perform dynamic NAT for outbound connections ("global (Outside) 1 xxx.xxx.xxx.185 netmask 255.255.255.255" does this).
However on the config you attached your outside interface has a private (RFC 1918) address:
interface Ethernet0/3
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252
Plus, it being a /30 only gives you two addresses - one for the ASA and one for the router's Gi0/0 (per that config which you also attached). This is a bit of an odd setup, but it seems to have been hacked together to work using the routing statement on the router "ip route xxx.xxx.xxx.184 255.255.255.248 192.168.255.2".
It's really a bit of a mess and extending it further may be possible but will make it even more complicated. I'd advise having someone sit down and re-work how the public IPs are routed to make it look like a more typical setup.
02-01-2012 03:05 AM
Sorry... we plan to configure the VPN on the firewall.
02-01-2012 10:26 PM
Thanks for your support...
Actually, the reason we configured it like this is that we previously faced some issues with the router hanging and not responding. At that time we thought the router had a heavy load and too much processing. So we removed the NAT configuration from the router and configured it on the firewall. So please guide me on how I can solve my issues...
Thanks
02-02-2012 07:06 AM
Thanks for the rating Nisar.
I'd be hesitant to tell you how to redesign your network as it goes a bit beyond what I personally feel comfortable with in the context of a tech support forum. Others may want to jump in with their suggestions but I would personally recommend your team engage a local service provider to help sort things out.