Solved

Help with terminology and review: 3 WAN Connections going through Cisco ASA Firewall

Posted on 2011-02-14
Last Modified: 2012-06-27
Our active/standby ASA pair will have three incoming WAN connections as shown in the graphic included. Right now I'm just working on setting up one of the WAN connections to the Firewall on the Ethernet 0 Port. Could you help me with the terminology and how I should set up the one WAN connection to the Firewall?

1) I'm thinking of making each WAN connection on a different VLAN, then on the ASA Ethernet 0 Port make sub-interfaces as shown here. Is that correct?

2) On the one WAN connection I'm setting up I have a block of 5 public IPs. I need to somehow get one public IP to the sub-interface of the firewall. Can you give me an example of how you do that on the edge router and what it is called?
Untitled.jpg
Question by:First Last
Accepted Solution

by: Fidelius (earned 500 total points)
ID: 34892834
Hello,

1. You are on the right track with separate VLANs for every ISP connection.

To be able to put a public address on the ASA sub-interface, you will need to use a BVI on each router. So you will not need sub-interfaces on the router, just on the ASA.
More info about BVI:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/A_2864-Bridging-Cisco-Router-Interfaces.html

I will assume the following (replace the IPs and VLANs as you need):
5 IP pool: 192.168.1.2-192.168.1.6 /29
VLAN 10

On Cisco 2811 router create BVI:
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 ip address 192.168.1.1 255.255.255.248
!
int fa0/0
 bridge-group 1
!
int fa0/1
 bridge-group 1
!
int ser 0/0
 bridge-group 1
!

On 2960 switch create one access VLAN port and trunk port:
vlan 10
!
int fa 0/1
 description Link toward 2811
 switchport mode access
 switchport access vlan 10
!
int fa 0/24
 description Trunk toward ASA
 switchport mode trunk
!


On ASA create subinterface on fa 0/0:

interface fa 0/0
 description 802.1q Trunking Interface
 no nameif
 no security-level
 no ip address
!
interface fa 0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.168.1.3 255.255.255.248 standby 192.168.1.4
!

Regards!
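As an added example (not part of the original thread), a small Python check a practitioner could run against the three config fragments before cutting over: it verifies that the router BVI and the ASA active/standby addresses are unique, usable hosts of the /29 with the right mask, and that each ASA sub-interface has a configured parent, a vlan tag, and a matching access VLAN on the 2960. The embedded fragments are constructed from the answer above; the ASA port name Ethernet0/0 and the 2960 port names are assumptions.

```python
import ipaddress
import re
# Constructed config fragments modelled on the accepted answer, not the poster's live configs.
ROUTER_CFG = "interface BVI1\n ip address 192.168.1.1 255.255.255.248\n"
SWITCH_CFG = ("interface FastEthernet0/1\n switchport mode access\n switchport access vlan 10\n"
              "interface FastEthernet0/24\n switchport mode trunk\n")
ASA_CFG = ("interface Ethernet0/0\n no nameif\n no ip address\n"  # assumed ASA port name
           "interface Ethernet0/0.10\n vlan 10\n nameif outside\n security-level 0\n"
           " ip address 192.168.1.3 255.255.255.248 standby 192.168.1.4\n")

def parse_blocks(cfg):
    """Return {interface_name: [body lines]} for an IOS/ASA-style config."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def check_addressing(pool, *cfgs):
    """Flag addresses outside the usable hosts of the pool, duplicated, or with a wrong mask."""
    net, seen, problems = ipaddress.ip_network(pool), {}, []
    for name, lines in ((n, b) for c in cfgs for n, b in parse_blocks(c).items()):
        for m in filter(None, (re.match(r"ip address (\S+) (\S+)(?: standby (\S+))?$", l) for l in lines)):
            if ipaddress.ip_address(m.group(2)) != net.netmask:
                problems.append(f"{name}: mask {m.group(2)} does not match {pool}")
            for addr in filter(None, m.group(1, 3)):  # primary and optional standby address
                ip = ipaddress.ip_address(addr)
                if ip not in net or ip in (net.network_address, net.broadcast_address):
                    problems.append(f"{name}: {addr} is not a usable host in {pool}")
                elif addr in seen:
                    problems.append(f"{name}: {addr} already used on {seen[addr]}")
                seen[addr] = name
    return problems

def check_vlan_path(asa_cfg, switch_cfg):
    """Each ASA sub-interface needs its parent, a vlan tag, and that VLAN on a switch access port."""
    asa, sw, problems = parse_blocks(asa_cfg), parse_blocks(switch_cfg), []
    access = {l.split()[-1] for b in sw.values() for l in b if l.startswith("switchport access vlan")}
    for name, lines in asa.items():
        if "." not in name:
            continue  # physical interface, nothing to check here
        if name.rsplit(".", 1)[0] not in asa:
            problems.append(f"{name}: parent interface is not configured")
        vlan = next((l.split()[1] for l in lines if l.startswith("vlan ")), None)
        if vlan not in access:
            problems.append(f"{name}: vlan {vlan} has no access port on the switch")
    return problems
```

Running it on the corrected fragments returns no problems; pointing the sub-interface at an unconfigured parent or reusing the BVI address is reported.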
Author Comment

by:First Last
ID: 34900520
Fidelius,

Everything you wrote makes perfect sense except for the use of bridging.

My 2811 router is connected through two Cisco 2960s to two ASAs. Why can't I just put a VLAN on the switch and 2811 router going to a sub-interface on the ASAs as you described and bypass the bridging? From what I'm reading I'll still use the same number of public IPs in the process, and since my switch is running at layer 2 I won't lose the VLAN header information.

This afternoon I'll attempt to implement what you described above.

Thank you.
Expert Comment

by:Fidelius
ID: 34901469
Hello,

You can't have two interfaces on a router in the same subnet if you don't use bridging. You need at least the Ethernet ports in a bridge group. I assumed that you have one of the five public IPs on the serial interface toward the ISP, and want to use an IP from the same subnet on the ASA outside interface. Therefore you also need to put the serial interface in the same bridge group.

If you have a different subnet on the serial link, you need to put only the interfaces toward the 2960 in the bridge group.

Hope this clarifies the situation a bit. If you have more doubts, don't hesitate to ask.

Regards!
Author Closing Comment

by:First Last
ID: 34918349
It took some time consulting with my co-worker to fully understand what Fidelius recommended, but it now makes perfect sense. Thank you very much.