Adding a ASA 5505 behind a Cisco 2811 router

Last Modified: 2013-11-16
I am having a T1 line installed tomorrow and it will use a Cisco 2811 router. I also have a Cisco ASA 5510 that I would like to place behind the router. Will all traffic pass through the router or do I need to configure it in a certain way?  I have only done this with DSL modems before and have always placed them in bridged mode.

Thanks

Commented:
If the ISP is configuring that router, they will usually configure it much like a DSL modem as far as: giving you a usable IP, or set of IPs, a gateway address, and DNS.

You then setup your firewall/router as you would with a DSL connection.

Author

Commented:
So what would the router configuration look like?  Does it pass all traffic by default unless there is an ACL?

Commented:
Which router do you mean, yours? For yours that's up to you, probably not ALL traffic, that would be a bit insecure ;)   Use NAT and port forwarding as normal to present HTTP and SMTP (for example) to the T1.
If you mean the ISP router, yes it should pass all traffic to your network and vice versa. But they would configure that, they probably won't even give you the password. That being said, some ISPs will block certain ports unless you specify otherwise, but I doubt that will be the case for a T1.


Author

Commented:
No I mean my Cisco 2811 router. What would the configuration look like?

Commented:
They are both yours? Then I'm confused, why do you have two routers?  Is something going to lie between them?

Author

Commented:
Hmmm...let's try again. My 2811, the router where the T1 will terminate at my location, what is a sample configuration? I am not referring to the ISP's router. I do not have two routers, just one.
Ernie Beek, Senior infrastructure engineer

Commented:
Normally, such a router will pass through all traffic. The configuration depends a bit on how many public IPs you have. If it's just one, the router can be bridged and the public address will be assigned to the outside interface of the ASA using DHCP. The router will be transparent then.
If you have a public subnet, the router will have one of the IPs in that subnet and will be the gateway (to the internet) for that subnet. The ASA will have a static IP in that subnet as well, using the router as DG. Here the router is routing (so not transparent) but will still forward all traffic, at least if the ISP doesn't have policies regarding that.

Commented:
Sorry wayy2be, I'm not familiar enough with Ciscos to provide a sample config file, if that's what you're looking for. I thought you were just asking about the TCP/IP stuff.

Author

Commented:
Erniebeek:

I will have 12 public IPs mostly firewalls. The public IPs will be the outside interface of ASA devices. I will have 2 web servers as well. I am thinking of this layout:


[INTERNET]<----------------------------->[Cisco 2811 Router]<----------DMZ--------->[Main Cisco ASA FW]

I can place the public facing  ASA's and the web servers in the DMZ.  What do you think of this?
Ernie Beek, Senior infrastructure engineer

Commented:
Well normally you would do it like this:

[INTERNET]<-------->[Cisco 2811 Router]<-------->[Main Cisco ASA FW]<-------->[LAN]
                                                          |
                                                          |
                                                        [DMZ]

That way all the traffic in and out the DMZ is also controlled through the ASA.

Do you mean that for every public IP you will have a separate ASA? Of course you will have your reasons for that but it might be an idea to think of one heavier model (5520 for example) with multiple DMZs. That way you only have to manage one ASA instead of twelve (less overhead).

Author

Commented:
Correct, that's what I was trying to draw. I think all I need to do is configure one interface as a DMZ and hang a switch off that interface. Then I can connect to the switch the other devices that will face the internet, which are web servers and ASA 5505s. What do you think of that plan?

The ASA 5510 will also replace a VPN concentrator so I am guessing that I need to configure the outside interface with a public IP so that VPN peers can connect.  Correct?

Author

Commented:
So I still need to give the router an IP address on the outside interface and one on the inside interface. I suppose that the outside IP will be provided by the ISP; what should I use on the inside interface (the one that leads to the ASA)?
Ernie Beek, Senior infrastructure engineer

Commented:
Worst case the router needs one IP of the public subnet, the ASA gets a second and the rest (minus the network and broadcast address) you can use on the ASA to link up internal servers.

But that depends on what the required settings/setup of your ISP are. I don't assume they just gave you the T1 and said: 'plug your router in here and good luck'.

So you must have some info from your ISP:
- IP range (the public addresses you got)
- DG for the router (you bought that router yourself or got it with the T1?)
- etc.

I think some more insight is needed on the ISP and the info you got from them to be able to create a working set up.

Author

Commented:
What is a DG?
Ernie Beek, Senior infrastructure engineer

Commented:
Oh, sorry. Default gateway.

Commented:
For just a T1 (1.56 mb) connection a 5510 is more than capable.

The 2811 would probably be set up with a HDLC/PPP connection on the T1 side; depending on the ISP this will either be numbered or unnumbered. You will then need to use one of your public addresses for the Ethernet side of the router. Your ISP should be able to supply you with a sample Cisco config.

This might be of use http://www.freeccnaworkbook.com/labs/section-5-configuring-wide-area-network-links/lab-5-1-configuring-point-to-point-t1-links-using-ppp-or-hdlc/

DSL routers that work in bridge mode are not the same as a 2811 router. PPPoA is a very different protocol.

There is nothing stopping you from putting ACLs (Access Control Lists) on the router, and I would always do this to prevent telnet and SSH access to it apart from the addresses/networks that you want to allow to access it.

As you have a 5510, I would not use NAT on the 2811 as traffic will then be going over two layers of NAT.
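The sample 2811 configuration the asker requested, written here as an added illustration of the routed public-subnet layout Ernie Beek described and the advice in the answer above (HDLC/PPP on the T1, a public address on the Ethernet side, SSH-only management restricted by ACL, no NAT on the router). It is not from the thread or from any ISP; all addresses are constructed RFC 5737 placeholders, and the ISP supplies the real serial addressing and default gateway.

```cisco
! Constructed example, not the thread's own config.
! Assumptions: ISP hands out a /30 on the T1 (198.51.100.0/30, ISP side .1)
! and a public /28 for the customer (203.0.113.0/28). Replace with ISP values.
hostname edge-2811
!
ip domain-name example.net
! Run "crypto key generate rsa modulus 2048" in config mode before
! enabling SSH; the key is stored separately and not shown in the config.
ip ssh version 2
!
username admin privilege 15 secret <set-a-strong-secret>
!
! T1 toward the ISP. HDLC is the IOS default on a serial link; add
! "encapsulation ppp" only if the ISP requires PPP. If the ISP uses an
! unnumbered link, replace the ip address line with
! "ip unnumbered FastEthernet0/0".
interface Serial0/0/0
 description T1 to ISP
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
! Ethernet toward the ASA: router takes the first usable public address,
! the ASA 5510 outside interface takes the second (203.0.113.2/28) and
! points its default route at 203.0.113.1.
interface FastEthernet0/0
 description To ASA 5510 outside / DMZ switch
 ip address 203.0.113.1 255.255.255.240
 no ip proxy-arp
 duplex auto
 speed auto
!
! Default route to the ISP; no "ip nat inside/outside" anywhere because
! the ASA performs the NAT and a second NAT layer on the router is unwanted.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Management ACL: only the ASA's outside address may reach the vty lines.
! Internal admin hosts arrive NATed to that address by the ASA (assumption).
ip access-list standard MGMT-ACCESS
 permit host 203.0.113.2
 deny   any log
!
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
 login local
 exec-timeout 10 0
```

Forwarding between the T1 and the public /28 is unrestricted here, matching the "router passes all traffic" expectation; any filtering of services belongs on the ASA, and the router's own management plane is what the ACL protects.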
