Solved

Help with terminology and review: 3 WAN Connections going through Cisco ASA Firewall

Posted on 2011-02-14
742 Views
Last Modified: 2012-06-27
Our active/standby ASA pair will have three incoming WAN connections as shown in the graphic included. Right now I'm just working on setting up one of the WAN connections to the Firewall on the Ethernet 0 port. Could you help me with the terminology and how I should set up the one WAN connection to the Firewall?

1) I'm thinking of making each WAN connection a different VLAN and then, on the ASA Ethernet 0 port, making sub-interfaces as shown here. Is that correct?

2) On the one WAN connection I'm setting up I have a block of 5 public IPs. I need to somehow get one public IP to the sub-interface of the firewall. Can you give me an example of how you do that on the edge router, and what is it called?
Untitled.jpg
Question by:First Last
4 Comments
LVL 12

Accepted Solution

by:
Fidelius earned 2000 total points
ID: 34892834
Hello,

1. You are on the right track with separate VLANs for every ISP connection.

To be able to put a public address on the ASA sub-interface, you will need to use a BVI on each router. So you will not need sub-interfaces on the router, just on the ASA.
More info about BVI:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/A_2864-Bridging-Cisco-Router-Interfaces.html

I will assume the following (replace the IPs and VLANs as you need):
5 IP pool: 192.168.1.2-192.168.1.6 /29
VLAN 10

On the Cisco 2811 router create the BVI:
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 ip address 192.168.1.1 255.255.255.248
!
int fa0/0
 bridge-group 1
!
int fa0/1
 bridge-group 1
!
int ser 0/0
 bridge-group 1
!

On the 2960 switch create one access VLAN port and one trunk port:
vlan 10
!
int fa 0/1
 description Link toward 2811
 switchport mode access
 switchport access vlan 10
!
int fa 0/24
 description Trunk toward ASA
 switchport mode trunk
!


On the ASA create a subinterface on fa 0/0:

interface fa 0/0
 description 802.1q Trunking Interface
 no nameif
 no security-level
 no ip address
!
interface fa 0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.168.1.3 255.255.255.248 standby 192.168.1.4
!

Regards!
LVL 1

Author Comment

by:First Last
ID: 34900520
Fidelius,

Everything you wrote makes perfect sense except for the use of bridging.

My 2811 router is connected through two Cisco 2960s to two ASAs. Why can't I just put a VLAN on the switch and the 2811 router going to a subinterface on the ASAs as you described, and bypass the bridging? From what I'm reading I'll still use the same number of public IPs in the process, and since my switch is running at layer 2 I won't lose the VLAN header information.

This afternoon I'll attempt to implement what you described above.

Thank you.
LVL 12

Expert Comment

by:Fidelius
ID: 34901469
Hello,

You can't have two interfaces on a router in the same subnet if you don't use bridging. You need at least the Ethernet ports in the bridge group. I assumed that you have one of the five public IPs on the serial interface toward the ISP, and want to use an IP from the same subnet on the ASA outside interface. Therefore you also need to put the serial interface in the same bridge group.

If you have a different subnet on the serial link, you only need to put the interfaces toward the 2960 in the bridge group.

Hope this clarifies the situation a bit. If you have more doubts, don't hesitate to ask.

Regards!
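As an added example that is not part of this thread (and not Cisco's or Fidelius's code): a small Python script that embeds constructed copies of the router and ASA snippets from the accepted solution and checks the points made in both of Fidelius's comments, namely that the BVI exists with at least two member ports, that the ASA outside subinterface sits on a parent that exists and carries a VLAN tag, and that the BVI, outside and standby addresses are distinct usable hosts in one /29 (the reason bridging is needed in the first place). The interface names and the 192.168.1.0/29 addresses are the answer's placeholders, not real values; the embedded ASA copy puts the subinterface on fa 0/0.10 under the fa 0/0 trunk port and adds the `vlan 10` line an ASA subinterface needs to come up.

```python
import ipaddress
import re

# Constructed copy of the 2811 bridging config from the accepted answer.
ROUTER_CONFIG = """\
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 ip address 192.168.1.1 255.255.255.248
!
int fa0/0
 bridge-group 1
!
int fa0/1
 bridge-group 1
!
int ser 0/0
 bridge-group 1
!
"""

# Constructed copy of the ASA trunk/subinterface config (placeholder IPs).
ASA_CONFIG = """\
interface fa 0/0
 description 802.1q Trunking Interface
 no nameif
 no security-level
 no ip address
!
interface fa 0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.168.1.3 255.255.255.248 standby 192.168.1.4
!
"""

INTERFACE_RE = re.compile(r"^(?:interface|int)\s+(.+?)\s*$")


def parse_interfaces(config):
    """Split an IOS/ASA-style config into {interface_name: [sub-command lines]}.

    A block starts at 'interface X' (or the 'int X' abbreviation) and ends at the
    next '!' separator or interface line. Indentation is ignored so that pasted
    configs with inconsistent leading spaces still parse; 'fa 0/0' and 'fa0/0'
    are normalised to the same name.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1).replace(" ", "")
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def interface_address(lines):
    """Return (IPv4Interface, standby IPv4Address or None) from an 'ip address' line."""
    for line in lines:
        parts = line.split()
        if parts[:2] == ["ip", "address"] and len(parts) >= 4:
            primary = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
            standby = None
            if "standby" in parts:
                standby = ipaddress.ip_address(parts[parts.index("standby") + 1])
            return primary, standby
    return None, None


def check_plan(router_cfg, asa_cfg, bridge_group=1, asa_outside="fa0/0.10"):
    """Validate the bridging and addressing plan; 'problems' is empty when consistent."""
    problems = []
    router, asa = parse_interfaces(router_cfg), parse_interfaces(asa_cfg)

    bvi_name = f"BVI{bridge_group}"
    members = sorted(n for n, l in router.items() if f"bridge-group {bridge_group}" in l)
    if bvi_name not in router:
        problems.append(f"router has no {bvi_name} interface")
    if len(members) < 2:
        problems.append(f"bridge-group {bridge_group} needs at least two member ports, found {members}")

    outside = asa.get(asa_outside, [])
    if asa_outside.split(".")[0] not in asa:
        problems.append(f"ASA subinterface {asa_outside} has no parent interface")
    if not any(l.startswith("vlan ") for l in outside):
        problems.append(f"ASA subinterface {asa_outside} has no 'vlan' tag and will stay down")

    bvi_ip, _ = interface_address(router.get(bvi_name, []))
    asa_ip, standby_ip = interface_address(outside)
    if bvi_ip is None or asa_ip is None:
        problems.append("missing ip address on BVI or ASA outside subinterface")
        return {"problems": problems}

    # Router BVI and ASA outside/standby must be distinct usable hosts of one subnet.
    network = bvi_ip.network
    if asa_ip.network != network:
        problems.append(f"ASA {asa_ip} is not in router subnet {network}")
    hosts = set(network.hosts())
    used = {bvi_ip.ip, asa_ip.ip}
    if standby_ip is not None:
        used.add(standby_ip)
    for addr in used:
        if addr not in hosts:
            problems.append(f"{addr} is not a usable host in {network}")
    if len(used) < (3 if standby_ip is not None else 2):
        problems.append("duplicate address between router BVI and ASA")
    return {
        "network": str(network),
        "bridge_members": members,
        "used": sorted(str(a) for a in used),
        "free": [str(a) for a in sorted(hosts - used)],
        "problems": problems,
    }


if __name__ == "__main__":
    print(check_plan(ROUTER_CONFIG, ASA_CONFIG))
```

Running it on the embedded snippets reports no problems, the three bridge-group members, and the three addresses of the /29 still free for the remaining public IPs; dropping the `vlan 10` line or moving the ASA address into another subnet makes the corresponding check fire.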
LVL 1

Author Closing Comment

by:First Last
ID: 34918349
It took some time consulting with my co-worker to fully understand what Fidelius recommended, but it now makes perfect sense. Thank you very much.