Solved

Help with terminology and review: 3 WAN Connections going through Cisco ASA Firewall

Posted on 2011-02-14
4
698 Views
Last Modified: 2012-06-27
Our active/standby ASA pair will have three incoming WAN connections as shown in the graphic included. Right now I'm just working on setting up one of the WAN connections to the Firewall on the Ethernet 0 Port. Could you help me with the terminology and how I should set up the one WAN connection to the Firewall?

1) I'm thinking of making each WAN connection on a different VLAN then on the ASA Ethernet 0 Port make sub interfaces as shown here. Is that correct?

2) On the one WAN connection I'm setting up I have a block of 5 public IPs. I need to somehow get one public IP to the sub interface of the firewall. Can you give me an example of how you do that on the edge router and what is it called?
Attachment: Untitled.jpg

Question by: First Last
4 Comments
 
LVL 12

Accepted Solution

by:
Fidelius earned 500 total points
ID: 34892834
Hello,

1. You are on the right track with separate VLANs for every ISP connection.

To be able to put a public address on the ASA sub-interface, you will need to use a BVI on each router. So you will not need sub-interfaces on the router, just on the ASA.
More info about BVI:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/A_2864-Bridging-Cisco-Router-Interfaces.html

I will assume the following (replace IPs and VLANs as you need):
5 IP pool: 192.168.1.2-192.168.1.6 /29
VLAN 10

On the Cisco 2811 router create the BVI:
! Integrated routing and bridging: bridge group 1 is bridged at layer 2 and routed for IP through BVI1
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! The router's own public address lives on the BVI, not on any physical port
interface BVI1
 ip address 192.168.1.1 255.255.255.248
!
! Both LAN ports (one toward each 2960) and the WAN link join the same bridge group
int fa0/0
 bridge-group 1
!
int fa0/1
 bridge-group 1
!
int ser 0/0
 bridge-group 1
!

On the 2960 switch create one access VLAN port and one trunk port:
vlan 10
!
int fa 0/1
 description Link toward 2811
 switchport mode access
 switchport access vlan 10
!
int fa 0/24
 description Trunk toward ASA
 switchport mode trunk
!


On the ASA create a subinterface on fa 0/0:

! The physical port is a bare 802.1Q trunk: with no nameif it passes no traffic itself
interface fa 0/0
 description 802.1q Trunking Interface
 no nameif
 no security-level
 no ip address
!
! The subinterface tagged with VLAN 10 carries the ISP /29; the standby address is used by the failover peer
interface fa 0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.168.1.3 255.255.255.248 standby 192.168.1.4
!

Regards!
0
 
LVL 1

Author Comment

by:First Last
ID: 34900520
Fidelius,

Everything you wrote makes perfect sense except for the use of bridging.

My 2811 router is connected through two Cisco 2960's to two ASA's. Why can't I just put a VLAN on the switch and 2811 router going to a subinterface on the ASA's as you described and bypass the bridging? From what I'm reading I'll still use the same number of public IPs in the process and since my switch is running at layer 2 I won't lose the VLAN header information.

This afternoon I'll attempt to implement what you described above.

Thank you.
 
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 34901469
Hello,

You can't have two interfaces on a router in the same subnet if you don't use bridging. You need at least the Ethernet ports in the bridge group. I assumed that you have one of the five public IPs on the serial interface toward the ISP and want to use an IP from the same subnet on the ASA outside interface. Therefore you also need to put the serial interface in the same bridge group.

If you have a different subnet on the serial link, you need to put only the interfaces toward the 2960 in the bridge group.

Hope this clarifies the situation a bit. If you have more doubts don't hesitate to ask.

Regards!
0
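The accepted solution shows the BVI, switch and ASA pieces for a single ISP, and the follow-up explains which router interfaces belong in the bridge group. As an added example that is not part of the original thread, here is the same design carried through for all three WAN connections. It assumes one 2811 per ISP, VLANs 10/20/30, Ethernet0/0 as the ASA trunk port (the question's "Ethernet 0"), and RFC 5737 documentation prefixes in place of the real /29 blocks; every hostname, interface number and nameif is a placeholder.

```cisco
! Added example, not from the original thread. Addresses are RFC 5737 documentation
! prefixes standing in for the three public /29 blocks; VLANs and interface names are assumed.
!
! ---------- ISP-A router (2811): its /29 lives on the BVI ----------
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 description ISP-A public /29, router holds .1
 ip address 192.0.2.1 255.255.255.248
!
interface FastEthernet0/0
 description toward 2960-1 (VLAN 10 access port)
 no ip address
 bridge-group 1
!
interface FastEthernet0/1
 description toward 2960-2 (VLAN 10 access port)
 no ip address
 bridge-group 1
!
interface Serial0/0
 description toward ISP-A
 ! Bridge the WAN link only if the ISP puts the same /29 on it; if the serial link has
 ! its own subnet, give it an ip address here and leave it out of the bridge group.
 no ip address
 bridge-group 1
!
! ISP-B and ISP-C routers use the identical template with 198.51.100.0/29 and 203.0.113.0/29.
!
! ---------- 2960 switches (same configuration on both) ----------
vlan 10
 name ISP-A
vlan 20
 name ISP-B
vlan 30
 name ISP-C
!
interface FastEthernet0/1
 description toward ISP-A router
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description toward ISP-B router
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/3
 description toward ISP-C router
 switchport mode access
 switchport access vlan 30
!
interface FastEthernet0/24
 description 802.1Q trunk toward ASA
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! ---------- ASA (same on both units; the standby address is what makes failover work) ----------
interface Ethernet0/0
 description 802.1Q trunk toward 2960
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.10
 vlan 10
 nameif outside-a
 security-level 0
 ip address 192.0.2.3 255.255.255.248 standby 192.0.2.4
!
interface Ethernet0/0.20
 vlan 20
 nameif outside-b
 security-level 0
 ip address 198.51.100.3 255.255.255.248 standby 198.51.100.4
!
interface Ethernet0/0.30
 vlan 30
 nameif outside-c
 security-level 0
 ip address 203.0.113.3 255.255.255.248 standby 203.0.113.4
```

Two things to verify after applying this: the bridged Ethernet ports on each router and the matching 2960 access ports are the only path by which that ISP's /29 reaches the ASA, so a router port left out of the bridge group silently breaks reachability for whichever ASA hangs off that switch (check with a ping to the standby address from the router). And the ASA of that era does not load-balance default routes across different interfaces, so the other two ISPs need a tracked primary default route (sla monitor plus track, with floating static routes) rather than three equal-cost defaults. Each outside subinterface sits at security-level 0 with no access-list applied, so nothing inbound is permitted until an access-list is added, which is the intended starting point.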
 
LVL 1

Author Closing Comment

by:First Last
ID: 34918349
It took some time consulting with my co-worker to fully understand what Fidelius recommended, but it now makes perfect sense. Thank you very much.
0