Solved

Help with terminology and review: 3 WAN Connections going through Cisco ASA Firewall

Posted on 2011-02-14
Last Modified: 2012-06-27
Our active/standby ASA pair will have three incoming WAN connections as shown in the graphic included. Right now I'm just working on setting up one of the WAN connections to the Firewall on Ethernet 0 Port. Could you help me with the terminology and how I should set up the one WAN connection to the Firewall?

1) I'm thinking of making each WAN connection on a different VLAN, then on the ASA Ethernet 0 Port make sub-interfaces as shown here. Is that correct?

2) On the one WAN connection I'm setting up I have a block of 5 public IPs. I need to somehow get one public IP to the sub-interface of the firewall. Can you give me an example of how you do that on the edge router and what is it called?
(attached image: Untitled.jpg)
Question by:First Last
4 Comments
 
LVL 12

Accepted Solution

by:
Fidelius earned 500 total points
ID: 34892834
Hello,

1. You are on the right track with separate VLANs for every ISP connection.

To be able to put a public address on the ASA sub-interface, you will need to use a BVI on each router. So you will not need sub-interfaces on the router, just on the ASA.
More info about BVI:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/A_2864-Bridging-Cisco-Router-Interfaces.html

I will assume the following (you replace IPs and VLANs as you need):
5 IP pool: 192.168.1.2-192.168.1.6 /29
VLAN 10

On Cisco 2811 router create BVI:
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 ip address 192.168.1.1 255.255.255.248
!
int fa0/0
 bridge-group 1
!
int fa0/1
 bridge-group 1
!
int ser 0/0
 bridge-group 1
!

On 2960 switch create one access VLAN port and trunk port:
vlan 10
!
int fa 0/1
 description Link toward 2811
 switchport mode access
 switchport access vlan 10
!
int fa 0/24
 description Trunk toward ASA
 switchport mode trunk
!


On ASA create subinterface on fa 0/0:

interface fa 0/0
 description 802.1q Trunking Interface
 no nameif
 no security-level
 no ip address
!
interface fa 0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.168.1.3 255.255.255.248 standby 192.168.1.4
!

Regards!
 
LVL 1

Author Comment

by:First Last
ID: 34900520
Fidelius,

Everything you wrote makes perfect sense except for the use of bridging.

My 2811 router is connected through two Cisco 2960's to two ASA's. Why can't I just put a VLAN on the switch and 2811 router going to a subinterface on the ASA's as you described and bypass the bridging? From what I'm reading I'll still use the same number of public IPs in the process, and since my switch is running at layer 2 I won't lose the VLAN header information.

This afternoon I'll attempt to implement what you described above.

Thank you.
 
 
LVL 12

Expert Comment

by:Fidelius
ID: 34901469
Hello,

You can't have two interfaces on a router in the same subnet if you don't use bridging. You need at least the Ethernet ports in the bridge group. I assumed that you have one of the five public IPs on the serial interface toward the ISP, and want to use an IP from the same subnet on the ASA outside interface. Therefore you need to put the serial interface in the same bridge group as well.

If you have a different subnet on the serial link, you need to put only the interfaces toward the 2960 in the bridge group.

Hope this clarifies the situation a bit. If you have more doubts don't hesitate to ask.

Regards!
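The second case Fidelius describes (the serial link to the ISP on its own subnet, so only the Ethernet ports toward the two 2960s are bridged) written out end to end, as an added example that is not part of the posted answer. It keeps the expert's placeholder block 192.168.1.0/29 and VLAN 10 and assumes a 203.0.113.0/30 link subnet from the ISP, the interface names Serial0/0, FastEthernet0/0 and FastEthernet0/1 on the 2811, and Ethernet0/0 on the ASA; replace all of these with your own values. Both 2960s get the access/trunk port configuration already shown above.

```cisco
! Added example, not the posted configuration.
! Assumed addressing: ISP link 203.0.113.0/30 (documentation range),
! public block 192.168.1.0/29 as in the answer above, VLAN 10.
!
! --- Cisco 2811 ---
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface Serial0/0
 description Link to ISP (routed, own /30 - NOT in the bridge group)
 ip address 203.0.113.2 255.255.255.252
!
interface BVI1
 description Public /29 block shared with the ASA outside interfaces
 ip address 192.168.1.1 255.255.255.248
!
interface FastEthernet0/0
 description Link toward 2960 #1 (access VLAN 10)
 no ip address
 bridge-group 1
!
interface FastEthernet0/1
 description Link toward 2960 #2 (access VLAN 10)
 no ip address
 bridge-group 1
!
! Default route points at the ISP side of the /30 link.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! --- ASA (configuration of the active unit; the standby unit takes the
!     standby address through failover) ---
interface Ethernet0/0
 description 802.1q trunk toward the 2960s
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.168.1.3 255.255.255.248 standby 192.168.1.4
!
! The BVI address on the 2811 is the ASA's next hop.
route outside 0.0.0.0 0.0.0.0 192.168.1.1
```

With this layout the 2811 has exactly one routed interface in 192.168.1.0/29 (the BVI), which is why the two Ethernet ports can share it; the serial interface stays outside the bridge group because it carries a different subnet. If the ISP instead hands you one of the five /29 addresses on the serial link, the serial interface joins bridge-group 1 as in the accepted answer.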
 
LVL 1

Author Closing Comment

by:First Last
ID: 34918349
It took some time consulting with my co-worker to fully understand what Fidelius recommended, but it now makes perfect sense. Thank you very much.