router behind firewall

Posted on 2008-10-08
Last Modified: 2012-05-05
Greetings,

I have wanted to figure out which users were the bandwidth hogs for a while.  

Doing some research I found that using NTop and NetFlow would be one of the better solutions, but that this is not possible with a PIX/ASA Firewall.  Additionally there isn't any way to get this information with the PIX/ASA by itself.  

So here we are, I have an extra Cisco 3700 Series router sitting around and was thinking about setting it up between my LAN and my Firewall, but wasn't sure how to proceed.

I mean I know how to route from subnet to subnet, but I figured that would break the Firewall NATs in place, etc.

Can someone please outline how to configure my set up to get "by user" Bandwidth utilization/access and maintain granular access control on a per IP basis using my hardware?

P.S. If there is a way to do it without the router I'd love to hear about it also!
Question by: brittonv

6 Comments

LVL 43

Expert Comment

by:JFrederick29
ID: 22672391
Is the ASA the default gateway for the LAN?  Do you have multiple LAN subnets or just one?  You could "move" the Firewall inside/LAN subnet to the 3700 so the 3700 is the default gateway for the LAN.  You could then use a different subnet between the 3700 and ASA.  The 3700 would need a default route via the Firewall inside interface and the Firewall would need a route to the LAN subnet via the 3700.  You can then enable Netflow on the 3700.
LVL 8

Author Comment

by:brittonv
ID: 22672538
Thank you for the response.

My concern with this is that we don't exclusively use 1:1 Nat addresses.  We pull from a dynamic pool.  So if I put the Router outside the firewall, I wouldn't know which Local IP's were the ones I was seeing the traffic for.

If my only option is to install the router outside the firewall I will.  However I don't have the latest IOS installed on this router (12.2(8) T4 is installed) and it is no longer under contract to get the latest version.  From what I understand there are some security flaws in the current IOS Version.

LVL 43

Expert Comment

by:JFrederick29
ID: 22672564
Sorry for the confusion.  I am actually talking about moving the router inside the Firewall.
LVL 8

Author Comment

by:brittonv
ID: 22672997
Ah I see, sorry I got mixed up.

If I understand you correctly could you please verify my solution below:

I assume that my 192.168.2.0/24 local subnet would remain the same and use my ASA's current IP address of 192.168.2.1 on the Router.

I would configure the other side of the router with a different subnet, say 192.168.200.0/24.  

I would then put a route in the PIX to route 192.168.2.0/24 to 192.168.200.2 (the inside address of the router) and on the router set its default gateway to 192.168.200.1 (IP address of the ASA).

If this is all correct, could you please tell me the commands I'd use on the router.  I have 0 IOS router experience so....

LVL 12

Accepted Solution

by: Pugglewuggle (earned 2000 total points)
ID: 22673213
You need to put the router in "router" mode and not in gateway mode - that disables NAT on the router - you cannot route to a subnet that is NATed behind a router.
Other than that, a route statement would tell the ASA that the 192.168.200.0 network lies behind 192.168.2.1 on the router (this might not work because of the ASA's IP being the default gateway).
Might I make a point that the default gateway on the outside interface of the router would be the IP address of the ASA on the 192.168.2.0 network.
Here is a working example:
ASA inside interface IP address: 192.168.2.1/24
Router outside IP: 192.168.2.2/24
Router inside network: 192.168.200.0/24
Router default gateway: 192.168.2.1
Now, to make this work, you only need one statement in the ASA (assuming you don't use NAT on the router):
route inside 192.168.200.0 255.255.255.0 192.168.2.2 1
Cheers! Let me know if you have any questions!
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22673225
BTW - all other networks connected to the ASA will automatically be routed to the router if computers behind the router try accessing them.
Also - remember NO NAT on the router!
Cheers!
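The asker requested the actual router commands, and neither answer spells them out. The configuration below is an added example, not posted by any participant in this thread, and it follows the accepted solution's addressing (ASA inside 192.168.2.1/24, router uplink 192.168.2.2/24, LAN renumbered to 192.168.200.0/24 with the 3700 as its gateway). Assumed, because the thread does not state them: the interface names FastEthernet0/0 (toward the ASA) and FastEthernet0/1 (toward the LAN), a NetFlow collector at 192.168.200.50 listening on UDP 2055 (a constructed address), and the 12.2T-era `ip route-cache flow` syntax that matches the asker's 12.2(8)T4 image (later IOS releases use `ip flow ingress`). Because the router carries only routing and no `ip nat` statements, every flow record still shows the real LAN host address, which is the whole point of placing the sensor inside the firewall rather than outside the dynamic NAT pool.

```cisco
! Added example (not from the thread): Cisco 3700 between the LAN and the ASA,
! exporting NetFlow v5 so per-host bandwidth can be attributed before NAT.
! Assumed interface names and collector address; adjust to your hardware.
!
! Uplink toward the ASA inside interface (192.168.2.1/24)
interface FastEthernet0/0
 description Uplink to ASA inside
 ip address 192.168.2.2 255.255.255.0
 ip route-cache flow
 no shutdown
!
! LAN side: hosts use 192.168.200.1 as their default gateway
interface FastEthernet0/1
 description LAN
 ip address 192.168.200.1 255.255.255.0
 ip route-cache flow
 no shutdown
!
! Default route toward the ASA. No "ip nat inside"/"ip nat outside" anywhere,
! so the ASA and the collector both see the original LAN source addresses.
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
! NetFlow v5 export to the collector (assumed 192.168.200.50, UDP 2055).
! Short active timeout so long downloads show up in the collector promptly.
ip flow-export version 5
ip flow-export source FastEthernet0/1
ip flow-export destination 192.168.200.50 2055
ip flow-cache timeout active 1
!
! Management access only from the LAN subnet (the 12.2(8)T4 image is out of
! support, so keep the router reachable from as few hosts as possible).
access-list 10 permit 192.168.200.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login
!
! On the ASA, the one line from the accepted solution tells it where the
! new LAN subnet lives:
!   route inside 192.168.200.0 255.255.255.0 192.168.2.2 1
```

Two checks before trusting the numbers: `show ip cache flow` on the router should list flows with 192.168.200.x source addresses once LAN hosts are moved behind it, and `show ip flow export` should show the export counter increasing. One caveat the thread only implies: the ASA's existing dynamic NAT statement for the inside interface was written for 192.168.2.0/24, so it has to be widened (or a second statement added) to cover 192.168.200.0/24, otherwise LAN hosts will route to the ASA but never get translated out.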