router behind firewall

Greetings,

I have wanted to figure out which users were the bandwidth hogs for a while.  

Doing some research I found that using NTop and NetFlow would be one of the better solutions, but that this is not possible with a PIX/ASA Firewall.  Additionally there isn't any way to get this information with the PIX/ASA by itself.  

So here we are, I have an extra Cisco 3700 Series router sitting around and was thinking about setting it up between my LAN and my Firewall, but wasn't sure how to proceed.

I mean I know how to route from Subnet to subnet but I figured that would break the Firewall NAT's in place, etc.

Can someone please outline how to configure my set up to get "by user" Bandwidth utilization/access and maintain granular access control on a per IP basis using my hardware?

P.S. if there is a way to do it without the router, I'd love to hear about it also!

brittonv Asked:

Pugglewuggle Commented:
You need to put the router in "router" mode and not in gateway mode - that disables NAT on the router - you cannot route to a subnet that is NATed behind a router.
Other than that, a route statement would tell the ASA that the 192.168.200.0 network lies behind 192.168.2.1 on the router (this might not work because of the ASA's IP being the default gateway).
Might I make a point that the default gateway on the outside interface of the router would be the IP address of the ASA on the 192.168.2.0 network.
Here is a working example:
ASA inside interface IP address: 192.168.2.1/24
Router outside IP: 192.168.2.2/24
Router inside network: 192.168.200.0/24
Router default gateway: 192.168.2.1
Now, to make this work, you only need one statement in the ASA (assuming you don't use NAT on the router):
route inside 192.168.200.0 255.255.255.0 192.168.2.2 1
Cheers! Let me know if you have any questions!
0
 
JFrederick29 Commented:
Is the ASA the default gateway for the LAN?  Do you have multiple LAN subnets or just one?  You could "move" the Firewall inside/LAN subnet to the 3700 so the 3700 is the default gateway for the LAN.  You could then use a different subnet between the 3700 and ASA.  The 3700 would need a default route via the Firewall inside interface and the Firewall would need a route to the LAN subnet via the 3700.  You can then enable Netflow on the 3700.
0
 
brittonv (Author) Commented:
Thank you for the response.

My concern with this is that we don't exclusively use 1:1 NAT addresses.  We pull from a dynamic pool.  So if I put the router outside the firewall, I wouldn't know which local IPs were the ones I was seeing the traffic for.

If my only option is to install the router outside the firewall I will.  However I don't have the latest IOS installed on this router (12.2(8) T4 is installed) and it is no longer under contract to get the latest version.  From what I understand there are some security flaws in the current IOS Version.

0
 
JFrederick29 Commented:
Sorry for the confusion.  I am actually talking about moving the router inside the Firewall.
0
 
brittonv (Author) Commented:
Ah I see, sorry I got mixed up.

If I understand you correctly could you please verify my solution below:

I assume that my 192.168.2.0/24 local subnet would remain the same and use my ASA's current IP address of 192.168.2.1 on the Router.

I would configure the other side of the router with a different subnet, say 192.168.200.0/24.  

I would then put a route in the PIX to route 192.168.2.0/24 to 192.168.200.2 (the inside address of the router) and on the router set its default gateway to 192.168.200.1 (IP address of the ASA).

If this is all correct, could you please tell me the commands I'd use on the router.  I have 0 IOS router experience so....

0
 
Pugglewuggle Commented:
BTW - all other networks connected to the ASA will automatically be routed to the router if computers behind the router try accessing them.
Also - remember NO NAT on the router!
Cheers!
0
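The following is an added worked example, not configuration posted by anyone in this thread, showing what the design agreed above (router moved inside the firewall, no NAT on the router, NetFlow enabled, a single route on the ASA) looks like as actual IOS and ASA commands. It uses the addressing brittonv proposed: the LAN stays 192.168.2.0/24 with the router taking over the ASA's old address 192.168.2.1, and a new transit subnet 192.168.200.0/24 sits between router (.2) and ASA inside (.1). Interface names (FastEthernet0/0, FastEthernet0/1, Ethernet0/1), the collector address 192.168.2.50 and UDP port 2055 are assumptions for illustration; adjust them to your hardware and NTop host. `ip route-cache flow` is the per-interface NetFlow command for the 12.2T-era IOS the asker has; on 12.3(11)T and later the equivalent is `ip flow ingress`.

```cisco
! ===== Cisco 3700 (IOS 12.2T syntax) - added example, not from the thread =====
hostname lan-router
!
! Plain routing only: there is deliberately no "ip nat inside" / "ip nat outside"
! on any interface, so the ASA sees real LAN source addresses and its existing
! per-IP access rules and dynamic NAT pool keep working unchanged.
ip cef
!
interface FastEthernet0/0
 description LAN side - becomes the default gateway for 192.168.2.0/24
 ip address 192.168.2.1 255.255.255.0
 ip route-cache flow
 no shutdown
!
interface FastEthernet0/1
 description Transit link to ASA inside interface
 ip address 192.168.200.2 255.255.255.0
 ip route-cache flow
 no shutdown
!
! Everything that is not directly connected goes to the ASA
ip route 0.0.0.0 0.0.0.0 192.168.200.1
!
! Export NetFlow v5 records to the NTop collector (assumed 192.168.2.50 / UDP 2055)
ip flow-export version 5
ip flow-export source FastEthernet0/0
ip flow-export destination 192.168.2.50 2055
!
! ===== ASA / PIX 7.x side - added example =====
! The inside interface moves from 192.168.2.1 to the transit subnet
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
! The one route the ASA needs: the LAN now lives behind the router
route inside 192.168.2.0 255.255.255.0 192.168.200.2 1
!
! An existing dynamic pool statement such as
!   nat (inside) 1 192.168.2.0 255.255.255.0
! still matches the LAN because the router does not rewrite addresses;
! it only needs to cover the transit subnet as well if the router itself
! (192.168.200.2) must reach the Internet, e.g. for IOS updates.
```

After the change, `show ip cache flow` on the router lists flows by real LAN source address and is a quick sanity check that records are being created before NTop is pointed at the export; `show route` on the ASA should show the 192.168.2.0/24 route via 192.168.200.2, and PCs on the LAN keep their existing default gateway of 192.168.2.1, now answered by the router. One caveat the thread already raises: the asker's 12.2(8)T image is out of support, so the router should be reachable for management only from the LAN side and should not be exposed through the ASA.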