Solved

Help with terminology and review: 3 WAN Connections going through Cisco ASA Firewall

Posted on 2011-02-14
679 Views
Last Modified: 2012-06-27
Our active/standby ASA pair will have three incoming WAN connections as shown in the graphic included. Right now I'm just working on setting up one of the WAN connections to the firewall on the Ethernet 0 port. Could you help me with the terminology and how I should set up the one WAN connection to the firewall?

1) I'm thinking of making each WAN connection on a different VLAN, then on the ASA Ethernet 0 port make sub-interfaces as shown here. Is that correct?

2) On the one WAN connection I'm setting up I have a block of 5 public IPs. I need to somehow get one public IP to the sub-interface of the firewall. Can you give me an example of how you do that on the edge router, and what is it called?
[Attached graphic: Untitled.jpg]

Question by: First Last
 
Accepted Solution by: Fidelius (LVL 12, earned 500 total points)
Hello,

1. You are on the right track with separate VLANs for every ISP connection.

To be able to put a public address on the ASA sub-interface, you will need to use a BVI on each router. So you will not need sub-interfaces on the router, just on the ASA.
More info about BVI:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/A_2864-Bridging-Cisco-Router-Interfaces.html

I will assume the following (replace the IPs and VLANs as you need):
5 IP pool: 192.168.1.2-192.168.1.6 /29
VLAN 10

On the Cisco 2811 router create the BVI:
! Bridge group 1 joins the two Ethernet ports (toward the 2960s) and the
! serial uplink at layer 2; the router's single public IP lives on the BVI,
! so the physical ports carry no IP address of their own.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 ip address 192.168.1.1 255.255.255.248
!
interface FastEthernet0/0
 no ip address
 bridge-group 1
 no shutdown
!
interface FastEthernet0/1
 no ip address
 bridge-group 1
 no shutdown
!
interface Serial0/0
 no ip address
 bridge-group 1
 no shutdown
!

On the 2960 switch create one access VLAN port and one trunk port:
vlan 10
!
int fa 0/1
 description Link toward 2811
 switchport mode access
 switchport access vlan 10
!
int fa 0/24
 description Trunk toward ASA
 switchport mode trunk
!


On the ASA create a sub-interface on Ethernet0/0:

! The ASA names its ports Ethernet0/0 (not fa 0/0); the physical port only
! carries the 802.1Q trunk, and the sub-interface must hang off that same
! port and be tagged with the VLAN it serves.
interface Ethernet0/0
 description 802.1q Trunking Interface
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.168.1.3 255.255.255.248 standby 192.168.1.4
!
Regards!
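An added example, not part of the answer above or of any Cisco tool: a small Python checker for the address plan behind this design, generalized from the one ISP in the answer to all three WAN handoffs. For each handoff it confirms that the router BVI address, the ASA primary and standby addresses (and, if given, the serial uplink address) are usable hosts inside the provider's block and do not collide, that VLAN ids are unique across ISPs and the blocks do not overlap, and it encodes the rule from the follow-up reply in this thread: a serial address taken from the same block only works if the serial interface is also in the bridge group. It then renders the ASA trunk and sub-interface stanzas for every handoff. All addresses, VLAN ids and the `Ethernet0/0` interface name are constructed placeholders.

```python
"""Address-plan checker for ISP handoffs bridged (BVI) to ASA sub-interfaces.

Constructed example: every address, VLAN id and interface name is a placeholder.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IspHandoff:
    """One ISP: its VLAN, the provider's public block and the addresses drawn from it."""
    name: str
    vlan: int
    block: str                   # provider block, e.g. "192.168.1.0/29"
    router_bvi: str              # address on the edge router's BVI
    asa_primary: str             # ASA outside sub-interface, active unit
    asa_standby: str             # same sub-interface, standby unit
    serial_ip: str = ""          # address on the serial uplink, "" if unknown
    serial_bridged: bool = True  # is the serial interface in the bridge group?


def check_handoff(h: IspHandoff) -> list[str]:
    """Return the problems found in one handoff; an empty list means it is consistent."""
    problems = []
    if not 1 <= h.vlan <= 4094:
        problems.append(f"VLAN {h.vlan} is not a valid 802.1Q VLAN id")
    try:
        net = ipaddress.ip_network(h.block, strict=True)
    except ValueError as exc:
        return problems + [f"block {h.block!r} is not a valid network: {exc}"]
    roles = [("router_bvi", h.router_bvi), ("asa_primary", h.asa_primary),
             ("asa_standby", h.asa_standby)]
    if h.serial_ip:
        roles.append(("serial_ip", h.serial_ip))
    seen = set()
    for role, text in roles:
        ip = ipaddress.ip_address(text)
        if role == "serial_ip" and ip not in net:
            continue  # serial link on its own subnet: nothing to check against the block
        if ip not in net:
            problems.append(f"{role} {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{role} {ip} is the network or broadcast address of {net}")
        if ip in seen:
            problems.append(f"{role} {ip} is already used in this handoff")
        seen.add(ip)
    # A router cannot hold two routed interfaces in one subnet, so a serial
    # address drawn from the block only works when Serial is bridged as well.
    if h.serial_ip and ipaddress.ip_address(h.serial_ip) in net and not h.serial_bridged:
        problems.append("serial_ip is inside the block but Serial is not in the bridge group")
    return problems


def check_plan(handoffs: list[IspHandoff]) -> list[str]:
    """Check every handoff plus the cross-ISP rules: unique VLANs, non-overlapping blocks."""
    problems = [f"{h.name}: {p}" for h in handoffs for p in check_handoff(h)]
    vlan_owner = {}
    for h in handoffs:
        if h.vlan in vlan_owner:
            problems.append(f"{h.name}: VLAN {h.vlan} is already used by {vlan_owner[h.vlan]}")
        else:
            vlan_owner[h.vlan] = h.name
    nets = []
    for h in handoffs:
        try:
            nets.append((h.name, ipaddress.ip_network(h.block, strict=False)))
        except ValueError:
            pass  # already reported by check_handoff
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{n1} block {a} overlaps {n2} block {b}")
    return problems


def asa_subinterface_config(handoffs: list[IspHandoff], physical: str = "Ethernet0/0") -> str:
    """Render the ASA side: one trunk port and one outside sub-interface per ISP.

    The physical interface name and the nameif values are assumptions.
    """
    lines = [f"interface {physical}", " description 802.1q trunk toward the ISP switches",
             " no nameif", " no security-level", " no ip address", " no shutdown", "!"]
    for h in handoffs:
        mask = ipaddress.ip_network(h.block, strict=False).netmask
        lines += [f"interface {physical}.{h.vlan}", f" vlan {h.vlan}",
                  f" nameif outside{h.vlan}", " security-level 0",
                  f" ip address {h.asa_primary} {mask} standby {h.asa_standby}",
                  " no shutdown", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed three-ISP plan; the first entry mirrors the addressing used above.
    plan = [
        IspHandoff("isp1", 10, "192.168.1.0/29", "192.168.1.1", "192.168.1.3", "192.168.1.4", "192.168.1.2"),
        IspHandoff("isp2", 20, "192.168.2.0/29", "192.168.2.1", "192.168.2.3", "192.168.2.4"),
        IspHandoff("isp3", 30, "192.168.3.0/29", "192.168.3.1", "192.168.3.3", "192.168.3.4"),
    ]
    for problem in check_plan(plan):
        print("PROBLEM:", problem)
    print(asa_subinterface_config(plan))
```

Run it before pasting the rendered stanzas into the ASA; an empty problem list is the signal that each of the three blocks can be bridged through its own VLAN without two routed interfaces ending up in one subnet.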
Author Comment by: First Last (LVL 1)
Fidelius,

Everything you wrote makes perfect sense except for the use of bridging.

My 2811 router is connected through two Cisco 2960s to two ASAs. Why can't I just put a VLAN on the switch and 2811 router going to a sub-interface on the ASAs as you described, and bypass the bridging? From what I'm reading I'll still use the same number of public IPs in the process, and since my switch is running at layer 2 I won't lose the VLAN header information.

This afternoon I'll attempt to implement what you described above.

Thank you.
 
Expert Comment by: Fidelius (LVL 12)
Hello,

You can't have two interfaces on a router in the same subnet if you don't use bridging. You need at least the Ethernet ports in the bridge group. I assumed that you have one of the five public IPs on the serial interface toward the ISP, and want to use an IP from the same subnet on the ASA outside interface. Therefore you also need to put the serial interface in the same bridge group.

If you have a different subnet on the serial link, you need to put only the interfaces toward the 2960 in the bridge group.

Hope this clarifies the situation a bit. If you have more doubts, don't hesitate to ask.

Regards!

Author Closing Comment by: First Last (LVL 1)
It took some time consulting with my co-worker to fully understand what Fidelius recommended, but it now makes perfect sense. Thank you very much.