gdawsont2systems
asked on
ASA Connected to Internal Router Design Questions
Hello,
I wanted to run this by the experts:
I am planning to attempt the following configuration, and have a couple of questions that I would much appreciate feedback on.
Currently we have a simple one subnet network with no internal router, with the ASA just being our endpoint on the network. The ASA also acts as our VPN Concentrator, giving VPN addresses out on a different subnet that allows communication with the corporate subnet as well. The goal is to have a Cisco ASA 5510 as the endpoint on my network connected to my ISP, and then have an internal Cisco router connected to my ASA for routing VLANS inside of my network.
Here is how I would see to do it:
Cisco ASA
External Interface: (external IP address provided by ISP)
Internal Interface: (10.1.1.254)
Default route for outside access to ISP
Static routes setup for internal subnets behind router, all pointing back to IP address of router interface connected to ASA.
Cisco Router
Default Route pointing back to the Cisco ASA internal interface
Internal interface setup for trunking to HP Switch
Logical Interfaces on router for each internal subnet
Access lists to allow logical interfaces communication between themselves (intra-vlan routing)
HP Switch
HP Switch would be configured with trunking to Cisco Router, and tagged with approriate VLANs
Workstations
Workstations would be connected to HP switch and have an IP address on their appropriate subnet based on VLAN membership
Now the questions:
1) Based on this configuration, and based on the face I am using static NAT rules now on my ASA, my assumption is that the ASA will know based on my static routes that it needs to send it's NAT rules through my static route (to their destination behind the router) for communication. Am I right?
2) I need the ASA to be able to act as VPN concentrator for my network. The VPN users will need to have an address that can communicate with all of the internal subnets. I know currently (with my ASA as the only device on my network, no internal router) I can create VPN groups for this and allow access to certain subnets, but would this be as simple as having the VPN users have a gateway address of the IP address of the internal router interface connected to the ASA in order to be able to communicate with machines behind the router? My greatest concern is how to make sure that VPN users can communicate with all the machines behind the internal router.
Thanks alot!
I wanted to run this by the experts:
I am planning to attempt the following configuration, and have a couple of questions that I would much appreciate feedback on.
Currently we have a simple one subnet network with no internal router, with the ASA just being our endpoint on the network. The ASA also acts as our VPN Concentrator, giving VPN addresses out on a different subnet that allows communication with the corporate subnet as well. The goal is to have a Cisco ASA 5510 as the endpoint on my network connected to my ISP, and then have an internal Cisco router connected to my ASA for routing VLANS inside of my network.
Here is how I would see to do it:
Cisco ASA
External Interface: (external IP address provided by ISP)
Internal Interface: (10.1.1.254)
Default route for outside access to ISP
Static routes setup for internal subnets behind router, all pointing back to IP address of router interface connected to ASA.
Cisco Router
Default Route pointing back to the Cisco ASA internal interface
Internal interface setup for trunking to HP Switch
Logical Interfaces on router for each internal subnet
Access lists to allow logical interfaces communication between themselves (intra-vlan routing)
HP Switch
HP Switch would be configured with trunking to Cisco Router, and tagged with approriate VLANs
Workstations
Workstations would be connected to HP switch and have an IP address on their appropriate subnet based on VLAN membership
Now the questions:
1) Based on this configuration, and based on the face I am using static NAT rules now on my ASA, my assumption is that the ASA will know based on my static routes that it needs to send it's NAT rules through my static route (to their destination behind the router) for communication. Am I right?
2) I need the ASA to be able to act as VPN concentrator for my network. The VPN users will need to have an address that can communicate with all of the internal subnets. I know currently (with my ASA as the only device on my network, no internal router) I can create VPN groups for this and allow access to certain subnets, but would this be as simple as having the VPN users have a gateway address of the IP address of the internal router interface connected to the ASA in order to be able to communicate with machines behind the router? My greatest concern is how to make sure that VPN users can communicate with all the machines behind the internal router.
Thanks alot!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for the answers and the clarification.
ASKER
Well for question 1:
I just want to make sure that my ASA (being the closest to the Internet) will be able to use the same static NAT rules it has currently (public - private IP), and as long as I have static route to those private networks that are behind my router on the ASA (the static route gateway being the IP address of my router's interface connected to the ASA as the gateway) that my ASA will be able to pass that traffic.
As for question 2:
I will have static routes pointing to all of my subnets so all VLANs will be able to communicate with the ASA, and presumably all traffic will be able to come in to the respective subnets - see question 1 - (all going back to the IP of the interface of my router that is connected to the ASA). I do use split tunneling, so I will be sure to add those networks. So I should have the tunnel gateway be the address of the IP address on my router connected to the ASA?
Thanks!