We help IT Professionals succeed at work.

ASA 5500(for VPN) and 6509 Switch

Oliver TANGIRI asked
I have about 20 vlans with 6509 connecting to the ISP router.
I intend to bring it an ASA 5510 firewall and have it do VPN for my external clients. I want the 6509 to be the main link to the ISP router.
I wan to use my private address space on the ASA interfaces(outside and inside)
My question to the expert is, can this be done easily?  Can someone explain to me without necesarily providing me the commands, how ot achieve this? The ASA would have something like for the inside and the 192.168.41 for the outside interface. The 6509 does intervlan routing and is connecting to the ISP router on say
I am not allowed to use any of the addresses on the space on the ASA.
Can someone please help?
Thank You!
Watch Question

I presume you want to have a VPN device than an actual firewall by itself?

Yes, it can be done.

Oliver TANGIRINetwork Engineer


Yes, please, VPN so teleworkers can dial in using the cisco vpn client etc etc..  Not interested in actual firewall roles here.
Please shed some light on a possible design if you can.
Have you also looked at the FWSM module that sits right inside the 6500 chassis? Does the same thing that an ASA would do.

Oliver TANGIRINetwork Engineer


I am familiar with the FWSM a little bit and I am setting up one for one of our sites as well. I understand the whole norton of creating sub interfaces for an ASA and creating vlan interfaces in the FWSM only etc etc just you can let it route for those subnets.
The help I need here is for someone to say, for example, I would get this IP on the outside of the ASA, this on the inside, the default route would be this etc etc. My 6509 does EIGrP with the ISP and I have one vlan interface ONLY connected to the ISP router via a single swithport. I won't be running more that one physical connection to the ISP gear.
I have attached a sketch.

I assume that the ISP router does your NAT from public IPs to the 172.16 IPs currently.  It should all work fine if the ISP router has a route to your via the 6509 (learnt from the 6509 EIGRP advertisement of the connected interface) and the ASA has a default route of the 6509 (since it does not do EIGRP).  Put a NAT on the ISP router from a public IP to and that should be enough for what you need

You could alternatively change the link to the ISP to be a trunk, so the ISP router has two virtual interfaces.  You would trunk the VLAN that currently the link to the ISP router sits on and a new VLAN - for the new VLAN you wouldn't put a Layer 3 interface on the 6509, you would just put the ASA port into this VLAN.  The ISP router would have an IP in this new VLAN for example, and would still have a NAT from a public IP to the ASA IP.  The ASA would have its default gateway as

The only link between the ASA (192.168.x.x networks) and the 172.16 networks would be via the ISP router.  if you don't want this to be allowed you could put ACLs on the ISP router, however the ASA would be easier to configure and would acheive the same thing.