Avatar of gdawsont2systems
gdawsont2systems asked on

ASA Connected to Internal Router Design Questions

Hello,

I wanted to run this by the experts:

I am planning to attempt the following configuration, and have a couple of questions that I would much appreciate feedback on.

Currently we have a simple one subnet network with no internal router, with the ASA just being our endpoint on the network. The ASA also acts as our VPN Concentrator, giving VPN addresses out on a different subnet that allows communication with the corporate subnet as well.  The goal is to have a Cisco ASA 5510 as the endpoint on my network connected to my ISP, and then have an internal Cisco router connected to my ASA for routing VLANS inside of my network.  

Here is how I would see to do it:

Cisco ASA
External Interface: (external IP address provided by ISP)
Internal Interface:  (10.1.1.254)
Default route for outside access to ISP
Static routes setup for internal subnets behind router, all pointing back to IP address of router interface connected to ASA.

Cisco Router
Default Route pointing back to the Cisco ASA internal interface
Internal interface setup for trunking to HP Switch
Logical Interfaces on router for each internal subnet
Access lists to allow logical interfaces communication between themselves (intra-vlan routing)

HP Switch
HP Switch would be configured with trunking to Cisco Router, and tagged with approriate VLANs

Workstations
Workstations would be connected to HP switch and have an IP address on their appropriate subnet based on VLAN membership

Now the questions:

1) Based on this configuration, and based on the face I am using static NAT rules now on my ASA, my assumption is that the ASA will know based on my static routes that it needs to send it's NAT rules through my static route (to their destination behind the router) for communication. Am I right?

2) I need the ASA to be able to act as VPN concentrator for my network.  The VPN users will need to have an address that can communicate with all of the internal subnets.  I know currently (with my ASA as the only device on my network, no internal router) I can create VPN groups for this and allow access to certain subnets, but would this be as simple as having the VPN users have a gateway address of the IP address of the internal router interface connected to the ASA in order to be able to communicate with machines behind the router?  My greatest concern is how to make sure that VPN users can communicate with all the machines behind the internal router.

Thanks alot!
CiscoVPNRouters

Avatar of undefined
Last Comment
gdawsont2systems

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Voltz-dk

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
gdawsont2systems

Thanks for the reply.

Well for question 1:

I just want to make sure that my ASA (being the closest to the Internet) will be able to use the same static NAT rules it has currently (public - private IP), and as long as I have static route to those private networks that are behind my router on the ASA (the static route gateway being the IP address of my router's interface connected to the ASA as the gateway) that my ASA will be able to pass that traffic.

As for question 2:

I will have static routes pointing to all of my subnets so all VLANs will be able to communicate with the ASA, and presumably all traffic will be able to come in to the respective subnets - see question 1 -  (all going back to the IP of the interface of my router that is connected to the ASA).  I do use split tunneling, so I will be sure to add those networks.  So I should have the tunnel gateway be the address of the IP address on my router connected to the ASA?

Thanks!
SOLUTION
batry_boy

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
gdawsont2systems

Thank you for the answers and the clarification.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23