
sending 2 internet connections through one ASA 5505

Posted on 2009-05-12
Last Modified: 2012-05-06
I posted a question some time ago about setting up one firewall to handle 2 internet connections.  

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24222631.html

Basically I want to have one firewall which will cover a FIOS connection, to be used for workstations, and a T1, to be used for my servers.  I have a Netopia router from the ISP for T1 and the FIOS router from the ISP.  

I know that I am going to need another router to handle this.  I found a Cisco 1712 lying around and am wondering if this can handle this setup?  Does anyone have any idea if this is possible? The 1712 has a T1 WIC and another WIC labeled 4ESW, in addition to the Ethernet port.

Anyone have any ideas if this will work?
Question by: ryan80

12 Comments

Expert Comment by: Kerem ERSOY (ID: 24370086)

Hi,

You can use the 1712 for that. The 1721 is a SOHO product designed for low-level traffic. But it was initially designed for ADSL, thus it is capable of traffic at 4 Mbps or higher (not sure if it supports ADSL+). Since a T1 connection is merely communicating at a speed of 1.5 Mbit it can handle this traffic quite well enough. Furthermore, since the 1721 is a "Security Router" it has its own firewall and IDS built in, so you don't have to route traffic over the ASA. The only thing you would do is to configure the 1721 and then assign it an address from the same segment as your servers. Later you'll need to change the default gateway address of the servers if you want them to go to the internet through your 1721. This makes the configuration very simple too. You don't need to route the traffic through your ASA.

The only drawback about the Cisco 1721 is that it is an end-of-life product; you won't have new releases for its software, and it will be hard to maintain through Cisco if that matters to you.

Here's a link to the datasheet.

Cheers,
K.

Expert Comment by: CCI_IT (ID: 24370487)

Here is a silly question.
 
Why not terminate both Internet connections on the ASA and divide the traffic there?

Expert Comment by: Kerem ERSOY (ID: 24370538)

In fact, there are several reasons:
- First of all, I've checked the previous posting and you'd accepted an answer suggesting a solution over the ASA. So you know about that solution and I wanted to propose an alternative solution.
- Second, if you need to remap some ports back to your T1 session you'll need to do the configuration on both the new 1721 and the ASA, such as reverse mapping, i.e., mapping a port or IP to the T1 interface for outside access.
- Third, the 1721 is capable of securing an internet connection, so it is flexible to configure it in such a way (i.e., in its own segment). I like the level of security it provides.
- Last but not least: in the first configuration the ASA is the bottleneck. Though I don't know about the configuration, if the ASA dies you'll have no connection to your servers even though both internet connections are intact. So this would be really a redundant backup-access solution.

I've mainly considered these factors and decided to propose this solution. But you might as well use access over the ASA. Moreover, I have no idea what the functions of these servers are and what their communication needs are, etc. Pick the best topology that would suit your use.

Cheers,
K.


Author Comment by: ryan80 (ID: 24370994)

I am really not very knowledgeable about the capabilities of either device.  I currently am using the ASA 5505 to firewall the T1 connection for the servers.  I have an Exchange server, a CRM server, an FTP server, and a patch management server.  None of these servers is very high bandwidth. The FTP server can max out the line, but it is not used often.

The workstations use a decent amount of bandwidth.  We download a lot of large files.

Both the servers and the workstations are on the same network and subnet; they just use different gateways. Essentially we are just trying to get more bandwidth with a cheap connection.

The configuration is pretty simple for the ASA.  We have 6 public IPs, 3 of which are assigned to particular machines, 2 of which are spread out among the other servers, an IP KVM, and some remote access ports. We do have a VPN through the ASA.

Is it possible to route things through the ASA for both connections without another router? In the last post I was told that it was not possible, so I just assumed it wasn't.

You mentioned not using the ASA because it would be a single point of failure.  Wouldn't the router be a single point of failure if it were to go down and I was using that for firewalling and combining the 2 connections?


Expert Comment by: CCI_IT (ID: 24371048)

Yes both Internet connections can be routed through the ASA.
Set up 2 global address pools and route your internal clients to the connection you want to use.
For connections inbound from the Internet, the NAT translation is pretty straight forward and the IP address the external clients are trying to access will determine which Internet link is used.
The ASA is a router, no sense in adding an extra hop unless necessary.
The point about the ASA being a single point of failure is invalid. (based on the accepted solution). If the ASA goes down, you lose both connections to the Internet anyhow. That extra router really serves no purpose.

Expert Comment by: Kerem ERSOY (ID: 24371059)

It is possible to route settings for the ASA too. But as you've noticed, all traffic goes through the ASA. If I were you I'd set it up in directly connected network mode. Also it is possible to have web-based setup for the 1721.

Accepted Solution by: Kerem ERSOY (earned 250 total points, ID: 24371071)

> The point about the ASA being a single point of failure is invalid. (based on the accepted solution). If the
> ASA goes down, you lose both connections to the Internet anyhow. That extra router really serves no
> purpose.

So you say even if the ASA box is down you will be able to reach all services from the internet? Oh sorry, you've already said you lose both connections. Excuse me, to me it sounded like the dictionary definition of Single Point of Failure :)) So yeah, the ASA is a single point of failure :))
I wish people had read what they write before posting. You made my day, CCI_IT.

Assisted Solution by: CCI_IT (earned 250 total points, ID: 24371177)

In the interest of being nice, I'll simply suggest you read the quote you were so kind enough to retype.
"If the ASA goes down, you lose both connections to the Internet anyhow. "
If you translated that to "So you say even if the ASA box is down you will be able to reach all services from internet?" well then........
To the original poster: I was referring to a possible concern about placing both Internet connections on the ASA. Whether you place both connections on the ASA or connect one to a secondary router and then to the ASA, the ASA being a single point of failure shouldn't be a factor in your decision, because.."If the ASA goes down, you lose both connections to the Internet anyhow. "
The better solution is to have 2 switches and 2 routers, but you will only have a firewall on one of your connections, should you split them up. It all really depends on which is more important to you: fault tolerance vs. more security and less complexity.

Expert Comment by: Kerem ERSOY (ID: 24372391)

> If you translated that to "So you say even if the ASA box is down you will be able to reach all services
> from internet?" well then........

Yeah, I was indicating that your comment (just being nice) was absurd. In the following two sentences you told me this is not a "single point of failure", then "you lose both connections". This was my way of being nice and courteous about this. So I'll suggest you reread what you'd written and what my response to it was. Also the sarcastic dose of my comment was not that I'm trying to be nice, but your initial implication that "The point about the ASA being a single point of failure is invalid" :) Because the following sentence has confessed it is actually a SPOF. This is the second time I'm suggesting you read and try to understand before commenting.

>The better solution is to have 2 switches and 2 routers, but you will only have a firewall on one of
> your connections, should you split them up.

This is also, how do you say it, oh yeah, "invalid". Because the 1721 is a built-in security router. It includes a firewall and IDS, and a VPN terminator too.

Anyway, we're here to help people, not to correct other Experts. So for the sake of being "nice" enough I'm ending this charming conversation.

Author Comment by: ryan80 (ID: 24428452)

Sorry I have let this sit for so long.  Any ideas on what kind of commands I will need to use?

Expert Comment by: Kerem ERSOY (ID: 24537471)

Oops, it seems that I've missed your comment.

What will be your preferred topology? Do you want to have the commands?
 

Author Comment by: ryan80 (ID: 24540676)

I just need to get some kind of idea in which direction to go. I don't really have a preference either way, since there is going to be one device that will be the weak link in either setup.

If I can do it with the ASA 5505 that would actually be preferable, as I am more familiar with it and it is still under warranty, but as you said I don't want 2 firewalls that I have to manage separately, so this would be contingent on being able to disable the firewall in the 1721.

Thanks
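Added example, not from the thread and not any participant's posted configuration: what the "1712 as a plain router, ASA stays the only firewall" option the author is leaning toward looks like in IOS. It assumes the T1 is terminated on the 1712's own T1 WIC (Serial0, PPP encapsulation, the ISP's /29 on that link), the FiOS router hands the 1712 a private address on its LAN side via FastEthernet0, the office LAN hangs off the 4ESW switch ports (VLAN 1, 192.168.1.0/24), the four servers are the hosts listed in the SERVERS list, and the IOS image includes policy-based routing; every address and interface name here is an assumption. No `ip inspect` or `ip ips` stanza is configured, so this box does no firewalling. Where the ASA sits relative to it, and the static mappings for the servers' public addresses, are left as they are in the thread. The reason the split has to live on a router at all: the ASA software shipping on a 5505 at the time (8.x) picks the egress interface by destination only, and the ASA itself only gained policy-based routing in 9.4(1).

```cisco
! Added example, not from the thread: Cisco 1712 as a plain router that
! splits one LAN segment across two uplinks by source address.
! All addresses, interface names and the IOS feature set are assumptions.
hostname edge-1712
!
! Hosts that must keep using the T1 (assumed addresses).
ip access-list extended SERVERS
 remark Exchange, CRM, FTP and patch-management servers
 permit ip host 192.168.1.10 any
 permit ip host 192.168.1.11 any
 permit ip host 192.168.1.12 any
 permit ip host 192.168.1.13 any
!
! Traffic for local/private destinations (the router itself, the FiOS
! router's segment) is handed back to normal routing by a deny clause.
ip access-list extended LOCAL-DESTS
 permit ip any 192.168.0.0 0.0.255.255
!
! Everything on the LAN is a candidate for translation.
ip access-list extended INSIDE-NETS
 permit ip 192.168.1.0 0.0.0.255 any
!
! Policy: servers -> T1 next hop, everything else -> FiOS router.
route-map SPLIT-UPLINKS deny 5
 match ip address LOCAL-DESTS
!
route-map SPLIT-UPLINKS permit 10
 match ip address SERVERS
 set ip next-hop 203.0.113.1
!
route-map SPLIT-UPLINKS permit 20
 match ip address INSIDE-NETS
 set ip next-hop 192.168.100.1
!
! One PAT pool per uplink, chosen by the egress interface, so the
! translated address always matches the link the packet leaves on.
route-map NAT-T1 permit 10
 match ip address INSIDE-NETS
 match interface Serial0
!
route-map NAT-FIOS permit 10
 match ip address INSIDE-NETS
 match interface FastEthernet0
!
ip nat inside source route-map NAT-T1 interface Serial0 overload
ip nat inside source route-map NAT-FIOS interface FastEthernet0 overload
!
! LAN: the 4ESW ports (FastEthernet1-4) are switch ports in VLAN 1,
! so the routed interface is Vlan1.
interface Vlan1
 description LAN: servers and workstations share 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map SPLIT-UPLINKS
 no shutdown
!
! T1 WIC (WIC-1DSU-T1) appears as Serial0; framing/linecode per the ISP.
interface Serial0
 description T1 to ISP (assumed public /29, PPP encapsulation)
 ip address 203.0.113.2 255.255.255.248
 encapsulation ppp
 service-module t1 framing esf
 service-module t1 linecode b8zs
 ip nat outside
 no shutdown
!
! Built-in 10/100 port toward the FiOS router's LAN side.
interface FastEthernet0
 description FiOS router (its LAN side, assumed 192.168.100.1)
 ip address 192.168.100.2 255.255.255.0
 ip nat outside
 no shutdown
!
! Default routes for the router's own traffic and for anything PBR hands
! back: T1 first, FiOS as a floating backup (administrative distance 10).
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 192.168.100.1 10
!
! Deliberately absent: "ip inspect" and "ip ips", so this router does no
! firewalling and the ASA remains the only firewall to manage.
```

Clause 10 sends the servers to the T1 next hop and clause 20 sends everything else to the FiOS router; if an uplink's interface is down, IOS ignores that `set ip next-hop` and falls back to the routing table, so the floating default route still carries traffic out. That fallback does not cover a dead FiOS router whose Ethernet link stays up; detecting that needs `set ip next-hop verify-availability` with IP SLA tracking, which is left out here. `show route-map SPLIT-UPLINKS` shows how many packets each clause has steered, and `show ip nat translations` shows which uplink address each flow was translated to.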