iBreathe

Cisco ASA 5505 behind Cisco 857 Integrated Router

AT&T DSL Wall -> Cisco 857 Integrated Router -> Web Server

Web Server is NATed downstream of Router.

I'm adding a Cisco ASA 5505 to the mix.  Until I get a Security Plus license for it and configure a DMZ deployment, I would like it to handle firewall duties.

I'll try posting a sh run on Monday, but until then, could you all recommend the best way of deploying the Cisco 857 Router, Cisco ASA 5505 and Web Server for simple NAT (no DMZ), with the Router doing the routing and the Cisco ASA handling firewall duties?

Or if one of you could recommend a better deployment...

On the Router side:
interface Dialer0
ip address *Gateway IP* *xxx.xxx.xxx.xxx

DHCP enabled

------
NAT works fine with just this deployment
------

To have the ASA serve in between the Router and Web Server, possibly blocking traffic using ACLs, I've tried configuring the following on the ASA.

On the outside interface:

interface Vlan2
ip address *IP from block of Public Static IPs provided by ISP* *xxx.xxx.xxx.xxx*

access-list outside_access_in extended permit ip any host *IP from block of Public Static IPs provided by ISP*
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *Gateway IP*

I get no internet connectivity.

Thank you in advance!
Topics: Anti-Virus Apps, Cisco, Web Servers

Last comment: asavener, 8/22/2022 (Mon)
asavener

The 857 is a pretty lightweight router.  Can you eliminate it and connect the ASA directly to the Internet connection?
deankas

The best way to deploy would be to have the router set up for simple routing (with just a static route to the next hop ISP router, especially given it's a basic device) and instead have the ASA perform both the NAT and firewalling. The config should look like this:

a static NAT for the web server

static (inside,outside) 222.xxx.xxx.xxx 10.xxx.xxx.xxx  netmask 255.255.255.255

The 222.xxx is the external IP and 10.xxx is the internal IP.

An inbound access rule

access-list outside_access_in extended permit tcp any host 222.xxx.xxx.xxx eq www

To diagnose, try pinging the router from within the ASA and if successful try pinging the next hop router from within the ASA to make sure you have internet connectivity.
iBreathe

ASKER
@asavener Unfortunately, the Cisco ASA cannot accept RJ11, which is necessary with my AT&T DSL connection.  I need the Router for that and the PPPoE authentication.

@deankas Thanks for the recommendation.  I may do that.  Anyone else familiar with this type of deployment and have any recommendations?
iBreathe

ASKER
@deankas

"The best way to deploy would be to have the router setup for simple routing (with just a static route to the next hop ISP router especially given its a basic device)"

Would I have to apply the static route from the router to the ASA to a specific interface on the router - a cable then running from this interface on the router directly to the en0 (outside interface) of the ASA.  If you could point me to the command for this, I would appreciate this as well.

I understand I would have to assign the route to a specific one on the ASA - the outside interface.

I believe I would need to apply the Gateway IP to the outside interface of the ASA.

Aside from the PPPoE authentication, I believe all I would need is this static route you mentioned with no DHCP necessary, correct?
SOLUTION
deankas

asavener

You might be able to set up the router's ethernet port as "unnumbered" followed by the DSL interface name.
iBreathe

ASKER
@asavener

"the router's ethernet port"

This would be the Vlan1 interface you're referring to...

Like this?

interface Vlan1
ip address unnumbered inside
asavener

This line would go on the router, not the ASA.
iBreathe

ASKER
@asavener

Understood.

I would input:

interface Vlan1
ip address unnumbered inside

on the router... or do I even need to configure Vlan1 if I plan on allowing the ASA to handle the NAT and the router does not do DHCP.

asavener

DSL interface on the router should display as an ATM interface.

int vlan1
ip unnumbered atm0

This will allow the ASA to communicate using the public IPs, and the router as the default gateway.
iBreathe

ASKER
@asavener

Thanks.  I will try this...
iBreathe

ASKER
On the Cisco 857 Integrated Router, I hope to authenticate with PPPoE "with just a static route to the next hop ISP router" per deankas' suggestion. (The next hop ISP router would be the ASA, and the ASA would then handle the NAT/DHCP.)

I've taken the config commands that allowed the Cisco to do PPPoE (excluding, of course, the NAT and DHCP commands) but have changed the Vlan1 interface in hopes of passing along a Public IP to the ASA.

If I connect an ethernet cable to the Router and my computer, I get no IP, no internet connectivity. Obviously, I have not configured DHCP but am attempting to have the Router assign a Public IP on Vlan1 so that the ASA's outside interface will eventually receive this IP. I wasn't sure what would happen but thought the computer would possibly receive the public IP from the Router.

I have included the sh run for the Router.
Building configuration...
 
Current configuration : 1332 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NVTCiscoRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 *
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
no ip domain lookup
ip domain name nvtinc.net
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip unnumbered ATM0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp pap sent-username * password *
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end


asavener

interface Vlan1
 ip unnumbered ATM0
 ip nat inside

Should be ip unnumbered Dialer0  (since Dialer0 is the interface with the IP address.)

Also, remove the NAT statements, since if you have public IPs on both interfaces, you won't need to perform NAT.

Make sure to remove "ip nat outside" from the dialer interface as well.
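Putting deankas's ASA-side static NAT and inbound ACL together with asavener's router-side "ip unnumbered Dialer0 / no NAT" advice, here is an added end-to-end example of the two configs; it is not from the thread or from either poster. Addresses are constructed from the 203.0.113.48/29 documentation block (.54 stands in for the router's Dialer0 IP, .52 for the ASA outside interface, .53 for the web server's public address, 10.0.0.0/24 for the LAN), and the host route on the router is my assumption.

```cisco
! Cisco 857 side (IOS): keep PPPoE on Dialer0, drop router NAT, let Vlan1 borrow Dialer0's public IP
interface Vlan1
 ip unnumbered Dialer0
 no ip nat inside
 ip tcp adjust-mss 1412
!
interface Dialer0
 no ip nat outside
!
no ip nat inside source list 1 interface Dialer0 overload
! Host route (assumption): keeps traffic for the ASA's public IP on Vlan1 instead of the PPPoE link
ip route 203.0.113.52 255.255.255.255 Vlan1
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! ASA 5505 side (pre-8.3 syntax, same form as the static command in the thread)
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.52 255.255.255.248
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Outbound PAT for the LAN and a one-to-one static for the web server (constructed addresses)
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) 203.0.113.53 10.0.0.10 netmask 255.255.255.255
!
! Only HTTP reaches the web server; everything else inbound hits the ACL's implicit deny.
! (The "permit ip any host" form from the question would let every port through.)
access-list outside_access_in extended permit tcp any host 203.0.113.53 eq www
access-group outside_access_in in interface outside
!
! Default route points at the router's Dialer0 address, which the router answers for on Vlan1 (ip unnumbered)
route outside 0.0.0.0 0.0.0.0 203.0.113.54
```

Per deankas's diagnostic step, ping 203.0.113.54 from the ASA first and only then a host beyond the ISP's next hop; if the first fails, check the router's host route and the unnumbered binding before touching NAT.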
iBreathe

ASKER
Regarding: ip unnumbered Dialer0 - That's what I thought :)

If I connect a computer to the Router now, should it receive the x.x.x.54 IP with S/N 255.255.255.248?

Or do I have to manually input it?

--- I put in a request for the IPs to be obfuscated.  Coffee hasn't kicked in ---
iBreathe

ASKER
@asavener Also, should I be able to connect to the internet at this point? I see no DNS entries in the sh run.
ASKER CERTIFIED SOLUTION
asavener
