public ip address for asa

nisar valappil
Level 1

Hi.......

We have a Cisco 2851 router and an ASA firewall. We configured the router for IP phones and the ISP connection. The ISP is directly connected to the router, and the ASA firewall is connected to the router. We plan to configure VPN on the router. We have public IP addresses available. If I configure the VPN on the firewall, we need to configure the firewall's local IP address to a public IP address. So how do we configure the firewall's local IP to a public IP? Where can we configure it, I mean on the router or the firewall? Please see my firewall and router configuration ...

Please help .....

Accepted Solutions

Marvin Rhoads
Hall of Fame

The ASA would typically be where you set up your public IP address(es). The firewall normally needs to have a public IP on the outside interface for that to work. Once it does, you can perform dynamic NAT for outbound connections ("global (Outside) 1 xxx.xxx.xxx.185 netmask 255.255.255.255" does this).

However on the config you attached your outside interface has a private (RFC 1918) address:

interface Ethernet0/3
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252

Plus, it being a /30 only gives you two addresses - one for the ASA and one for the router's Gi0/0 (per that config which you also attached). This is a bit of an odd setup, but it seems to have been hacked together to work using the routing statement on the router "ip route xxx.xxx.xxx.184 255.255.255.248 192.168.255.2".

It's really a bit of a mess and extending it further may be possible but will make it even more complicated. I'd advise having someone sit down and re-work how the public IPs are routed to make it look like a more typical setup.

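The check described in the accepted answer (an outside interface on RFC 1918 space, on a /30 with two usable addresses) can be run over a saved ASA configuration. This is an added example, not part of the original thread; treating security-level 0 as the outside-facing marker, the finding labels, and the Inside stanza in the sample are assumptions made for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the Outside stanza quoted above plus a hypothetical Inside one.
SAMPLE_CONFIG = """\
interface Ethernet0/3
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252
!
interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return one dict per interface stanza: port, nameif, level, addr."""
    interfaces, cur = [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            cur = {"port": line.split()[1], "nameif": None, "level": None, "addr": None}
            interfaces.append(cur)
        elif line == "!":
            cur = None  # "!" closes the stanza
        elif cur is not None:
            if m := re.fullmatch(r"nameif (\S+)", line):
                cur["nameif"] = m.group(1)
            elif m := re.fullmatch(r"security-level (\d+)", line):
                cur["level"] = int(m.group(1))
            elif m := re.match(r"ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", line):
                cur["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces

def audit_outside(interfaces):
    """Flag security-level 0 interfaces on RFC 1918 space or on a tiny subnet."""
    findings = []
    for i in interfaces:
        if i["level"] == 0 and i["addr"] is not None:
            net = i["addr"].network
            usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
            if any(i["addr"].ip in n for n in RFC1918):
                findings.append((i["nameif"], "rfc1918", str(i["addr"].ip)))
            if usable <= 2:
                findings.append((i["nameif"], "small-subnet", f"/{net.prefixlen}, {usable} usable"))
    return findings
```

Calling `audit_outside(parse_interfaces(SAMPLE_CONFIG))` reports both conditions for the Outside interface and nothing for Inside.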

4 Replies

nisar valappil
Level 1

Sorry... we plan to configure VPN on the firewall..


Thanks for your support...

Actually, the reason we configured it like this is that we previously faced some issues with the router hanging and not responding. At that time we thought the router was under heavy load and processing. So we removed the NAT configuration from the router and configured it on the firewall. So please guide me on how I can solve my issues...

Thanks

Thanks for the rating Nisar.

I'd be hesitant to tell you how to redesign your network as it goes a bit beyond what I personally feel comfortable with in the context of a tech support forum. Others may want to jump in with their suggestions, but I would personally recommend your team engage a local service provider to help sort things out.