Adding an ASA 5505 behind a Cisco 2811 router

wayy2be asked:

I am having a T1 line installed tomorrow and it will use a Cisco 2811 router. I also have a Cisco ASA 5510 that I would like to place behind the router. Will all traffic pass through the router or do I need to configure it in a certain way?  I have only done this with DSL modems before and have always placed them in bridged mode.

Thanks
Korbus:

If the ISP is configuring that router, they will usually configure it much like a DSL modem as far as: giving you a usable IP, or set of IPs, a gateway address, and DNS.

You then setup your firewall/router as you would with a DSL connection.
wayy2be (ASKER):
So what would the router configuration look like?  Does it pass all traffic by default unless there is an ACL?

Which router do you mean, yours? For yours, that's up to you; probably not ALL traffic, that would be a bit insecure ;) Use NAT and port forwarding as normal to present HTTP and SMTP (for example) to the T1.
If you mean the ISP router, yes, it should pass all traffic to your network and vice versa. But they would configure that; they probably won't even give you the password. That being said, some ISPs will block certain ports unless you specify otherwise, but I doubt that will be the case for a T1.


wayy2be (ASKER):
No I mean my Cisco 2811 router. What would the configuration look like?

They are both yours? Then I'm confused, why do you have two routers? Is something going to lie between them?

wayy2be (ASKER):

Hmmm... let's try again. My 2811, the router where the T1 will terminate at my location, what is a sample configuration? I am not referring to the ISP's router. I do not have two routers, just one.
Ernie Beek:

Normally, such a router will pass through all traffic. The configuration depends a bit on how many public IPs you have. If it's just one, the router can be bridged and the public address will be assigned to the outside interface of the ASA using DHCP. The router will be transparent then.
If you have a public subnet, the router will have one of the IPs in that subnet and will be the gateway (to the internet) for that subnet. The ASA will have a static IP in that subnet as well, using the router as DG. Here the router is routing (so not transparent) but will still forward all traffic, at least if the ISP doesn't have policies regarding that.

Sorry wayy2be, I'm not familiar enough with Ciscos to provide a sample config file, if that's what you're looking for. I thought you were just asking about the TCP/IP stuff.
wayy2be (ASKER):
Erniebeek:

I will have 12 public IPs mostly firewalls. The public IPs will be the outside interface of ASA devices. I will have 2 web servers as well. I am thinking of this layout:


[INTERNET]<----------------------------->[Cisco 2811 Router]<----------DMZ--------->[Main Cisco ASA FW]

I can place the public facing ASAs and the web servers in the DMZ. What do you think of this?

Well normally you would do it like this:

[INTERNET]<-------->[Cisco 2811 Router]<-------->[Main Cisco ASA FW]<-------->[LAN]
                                                          |
                                                          |
                                                        [DMZ]

That way all the traffic in and out the DMZ is also controlled through the ASA.

Do you mean that for every public IP you will have a separate ASA? Of course you will have your reasons for that, but it might be an idea to think of one heavier model (5520 for example) with multiple DMZs. That way you only have to manage one ASA instead of twelve (less overhead).

wayy2be (ASKER):

Correct, that's what I was trying to draw. I think all I need to do is configure one interface as a DMZ and hang a switch off that interface. Then I can connect to the switch the other devices that will face the internet, which are web servers and ASA 5505s. What do you think of that plan?

The ASA 5510 will also replace a VPN concentrator so I am guessing that I need to configure the outside interface with a public IP so that VPN peers can connect.  Correct?
ASKER CERTIFIED SOLUTION
Ernie Beek
wayy2be (ASKER):

So I still need to give the router an IP address on the outside interface and one on the inside interface. I suppose that the outside IP will be provided by the ISP; what should I use on the inside interface (the one that leads to the ASA)?

Worst case the router needs one IP of the public subnet, the ASA gets a second and the rest (minus the network and broadcast address) you can use on the ASA to link up internal servers.

But that depends on what the required settings/setup of your ISP are. I don't assume they just gave you the T1 and said: 'plug your router in here and good luck'.

So you must have some info from your ISP:
- IP range (the public addresses you got)
- DG for the router (did you buy that router yourself or get it with the T1?)
- etc.

I think some more insight is needed on the ISP and the info you got from them to be able to create a working set up.
wayy2be (ASKER):

What is a DG?

Oh, sorry. Default gateway.

For just a T1 (1.56 Mb) connection a 5510 is more than capable.

The 2811 would probably be set up with an HDLC/PPP connection on the T1 side; depending on the ISP this will either be numbered or unnumbered. You will then need to use one of your public addresses for the ethernet side of the router. Your ISP should be able to supply you with a sample Cisco config.

This might be of use http://www.freeccnaworkbook.com/labs/section-5-configuring-wide-area-network-links/lab-5-1-configuring-point-to-point-t1-links-using-ppp-or-hdlc/

DSL routers that work in bridge mode are not the same as a 2811 router. PPPoA is a very different protocol.

There is nothing stopping you from putting ACLs (Access Control Lists) on the router, and I would always do this to prevent telnet and SSH access to it apart from the addresses/networks that you want to allow to access it.

As you have a 5510, I would not use NAT on the 2811 as traffic will then be going over two layers of NAT.
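As an added illustration of the setup the replies describe (the router owns one address of the public subnet and simply routes it with no NAT, the ASA outside interface takes a second address and uses the router as its default gateway, PPP on the T1 side, and an ACL limiting management access), here is a constructed Cisco IOS configuration; it is not from any poster in this thread or from the ISP. The address blocks are documentation ranges chosen for the example, the interface name Serial0/0/0 assumes a T1 WIC in slot 0, and the ISP link is assumed to be numbered rather than unnumbered.

```cisco
! Constructed example for the 2811 edge router, not from this thread.
! Assumed: public block 203.0.113.0/28 from the ISP, numbered PPP link
! 198.51.100.0/30 with the ISP side at .1, T1 WIC installed in slot 0.
hostname edge-2811
ip domain-name example.com
! Generate the SSH host key once from exec mode before using SSH:
!   crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
no ip http secure-server
!
! T1 side: PPP (use "encapsulation hdlc" instead if the ISP requires it).
interface Serial0/0/0
 description T1 to ISP
 ip address 198.51.100.2 255.255.255.252
 encapsulation ppp
 no shutdown
!
! Ethernet side: one address from the public block. The ASA 5510
! outside interface takes 203.0.113.2 with 203.0.113.1 as its gateway.
! No NAT on this router: the ASA does NAT, so the 2811 only routes.
interface FastEthernet0/0
 description Public subnet to ASA 5510 outside interface
 ip address 203.0.113.1 255.255.255.240
 no shutdown
!
! Everything not on the public subnet goes to the ISP over the T1.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Management access only from the public block (the ASA and the hosts
! it NATs behind it); everything else is denied and logged.
ip access-list standard MGMT-ACCESS
 remark management stations only
 permit 203.0.113.0 0.0.0.15
 deny any log
!
! Placeholder credential; replace before deploying.
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
 login local
!
end
```

If the ISP hands out an unnumbered link instead, replace the serial ip address line with "ip unnumbered FastEthernet0/0" and point the default route at Serial0/0/0.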