cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2173
Views
0
Helpful
22
Replies

help in configration

CSCO11825412
Level 1
Level 1

hi there

i have network 10.7.10.0/22 conected by mpls router and conected by cisco router adsl for internet

ip for mpls router 10.7.10.1/22

ip for adsl 10.7.10.2/22

i want to install and configure cisco asa 5510 new

i cannot access to thes routers so i cannot change ip inteface and my network subnet

when i try to configure e0/0 outside network with ip 10.7.10.3

and e0/1 inside 10.7.10.4 with same subnet refuse by cisco asa

so in this sierno how i can configure it

and i want two route one for mpls

one for internet

i want full configure to make it and make good secuirty for my network

king regards

7 Accepted Solutions

Accepted Solutions

Hello Mohammed,

by default the asa firewall is on routed mode, this will lead to use different Ip address ( on different broadcast domains) on each of it's interfaces.

What you are looking for is to have the ASA in transparent mode,

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

http://blog.ine.com/2008/09/29/transparent-mode-firewall-guidelines/

remember to rate all of the helpful posts

Hope this helps

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Hello Mohammed,

I have no access to a box right now,

Is there a way you could open a case with TAC so we can configure it for you from scratch?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Hello Mohammed,

what version you have on your ASA?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Hello Mohammed,

let's say you will connect the interface fas 0/0 to the cisco router ( outside) , then the fas 0/1 to the inside MPLS

conf te

ip address 10.7.10.4  255.255.252.0

int fast 0/0

nameif outside

no shut

interface  fast 0/1

nameif inside

no shut

route outside 0.0.0.0 0.0.0.0 10.7.10.2 ( This is for traffic to the asa or from the asa itself)

In your scenario the inside users will use the MPLS router as their default gateway but if they want to go to the internet they must go to the outside cisco router and for that they must go through the asa

got it?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Hello,

there is none, that is the purpose of this configuration,

the same ip will be used on both inside and outside,

read the documents I provide you for further explanation

regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

MPLS router------ASA------Cisco Router

        All of this is on the same broadcast domain

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Hello,

You can do it on the ASA ( NAT on transparent mode is supported as long as you do not use the managment ip address , in this case is 10.7.10.4..

Example of nat

static ( inside,outside) 10.7.10.50 x.x.x.x (   here it goes the real ip address )

regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

22 Replies 22

CSCO11825412
Level 1
Level 1

???

Hello Mohammed,

by default the asa firewall is on routed mode, this will lead to use different Ip address ( on different broadcast domains) on each of it's interfaces.

What you are looking for is to have the ASA in transparent mode,

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

http://blog.ine.com/2008/09/29/transparent-mode-firewall-guidelines/

remember to rate all of the helpful posts

Hope this helps

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

THANKS JUILO

but transpert mode will be good in secure my network and i can puplish web server and exchange server and protect my network and access to two network as i sent in my qustion

i mean user if i put gw ip for asa

can access to inernet by defult route

and access to server in other network conected by mpls router

Hello Mohamed,

Well it's going to be a bump in the wire.. so It will still protect your network but your DG shoul be pointing to the outside router,

the asa will be in between the mpls router and outside cisco router, all traffic will traverse the ASA and will be restricted as configured

remember to rate all of the helpful posts

regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

thanks again

can u  please configure as i want

and DG in my case u mean put it adsl router ip =10.7.8.9

What ado you mean configure it?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

yes

runing confige as same case

Hello Mohammed,

I have no access to a box right now,

Is there a way you could open a case with TAC so we can configure it for you from scratch?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

no problem and thank u very much

i dont want to configure it by remotly i just mean runing configue like my sanerio only to understand the point

Hello Mohammed,

what version you have on your ASA?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

5510 ver 8.0(2)

Hello Mohammed,

let's say you will connect the interface fas 0/0 to the cisco router ( outside) , then the fas 0/1 to the inside MPLS

conf te

ip address 10.7.10.4  255.255.252.0

int fast 0/0

nameif outside

no shut

interface  fast 0/1

nameif inside

no shut

route outside 0.0.0.0 0.0.0.0 10.7.10.2 ( This is for traffic to the asa or from the asa itself)

In your scenario the inside users will use the MPLS router as their default gateway but if they want to go to the internet they must go to the outside cisco router and for that they must go through the asa

got it?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

nameif inside

where is ip interface her in inside>> .............. and this will be contected to switch

and mpls router will be in same switch coneted by lan network

Review Cisco Networking for a $25 gift card