
ASA Connected to Internal Router Design Questions

gdawsont2systems asked on

I wanted to run this by the experts:

I am planning to attempt the following configuration, and have a couple of questions that I would much appreciate feedback on.

Currently we have a simple one subnet network with no internal router, with the ASA just being our endpoint on the network. The ASA also acts as our VPN Concentrator, giving VPN addresses out on a different subnet that allows communication with the corporate subnet as well.  The goal is to have a Cisco ASA 5510 as the endpoint on my network connected to my ISP, and then have an internal Cisco router connected to my ASA for routing VLANS inside of my network.  

Here is how I would see to do it:

Cisco ASA
External Interface: (external IP address provided by ISP)
Internal Interface:  (
Default route for outside access to ISP
Static routes setup for internal subnets behind router, all pointing back to IP address of router interface connected to ASA.

Cisco Router
Default Route pointing back to the Cisco ASA internal interface
Internal interface setup for trunking to HP Switch
Logical Interfaces on router for each internal subnet
Access lists to allow logical interfaces communication between themselves (intra-vlan routing)

HP Switch
HP Switch would be configured with trunking to Cisco Router, and tagged with appropriate VLANs

Workstations would be connected to HP switch and have an IP address on their appropriate subnet based on VLAN membership

Now the questions:

1) Based on this configuration, and based on the fact I am using static NAT rules now on my ASA, my assumption is that the ASA will know based on my static routes that it needs to send its NAT rules through my static route (to their destination behind the router) for communication. Am I right?

2) I need the ASA to be able to act as VPN concentrator for my network.  The VPN users will need to have an address that can communicate with all of the internal subnets.  I know currently (with my ASA as the only device on my network, no internal router) I can create VPN groups for this and allow access to certain subnets, but would this be as simple as having the VPN users have a gateway address of the IP address of the internal router interface connected to the ASA in order to be able to communicate with machines behind the router?  My greatest concern is how to make sure that VPN users can communicate with all the machines behind the internal router.

Thanks a lot!
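The design laid out in the post, written as a configuration sketch. This is an added example, not the asker's or any answerer's configuration; every address, interface name and VLAN ID is a placeholder assumption.

```cisco
! ---- Cisco ASA (assumed interface names, placeholder addresses) ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.252
! Default route for outside access, pointing at the ISP gateway
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! One static route per internal VLAN subnet, all via the router's
! address on the ASA-to-router link
route inside 10.10.10.0 255.255.255.0 192.0.2.2 1
route inside 10.10.20.0 255.255.255.0 192.0.2.2 1

! ---- Cisco router (assumed interface names, assumed VLANs 10 and 20) ----
interface GigabitEthernet0/0
 description Link to ASA inside interface
 ip address 192.0.2.2 255.255.255.252
interface GigabitEthernet0/1
 description 802.1Q trunk to HP switch
 no ip address
! One logical (sub)interface per internal subnet, tagged with its VLAN
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
! Default route back to the ASA inside interface; anything the router
! has no interface for (the Internet, the ASA's VPN address pool) goes here
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

The per-VLAN access lists and the VPN group configuration mentioned in the post are not shown; the HP switch side only needs the uplink to Gi0/1 configured as a tagged trunk carrying the same VLAN IDs.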