Cisco 2800 & ASA 5510 Routing Question

katredrum
Hello Experts,

I have a Cisco 2800 router currently in production that is doing the routing of all VLANs and is also the gateway of our network. We are preparing for a network upgrade and the company has purchased ASA 5510.

Since the 2800 serves as our T1 Internet Gateway and our bandwidth upgrade will have a RJ-45 drop and that ASA is new to me, I'm trying to co-deploy it until the day we will switch over from T1 to RJ-45. I am re-configuring all VLANs to be routed by the ASA (I'm currently only testing non-production VLANs) but don't know how to send Internet traffic to the 2800 for Internet access.

The goal in the end is to have everything configured on the ASA prior to the switch and just have to change routing the Internet traffic from the 2800 to the new ISP.

Is this possible to do? Has anyone done this? Can anyone recommend any other way to do this?
It would be useful to know how your VLANs are divided, such as by host type, floor, or department etc., which VLANs have the most inter-VLAN traffic, the model of your 2800 series router and if you require any enforced segregation.

The ASA has a maximum of 300Mbps of firewall throughput; if you used it for inter-VLAN traffic as well as internet access, you might find that your internet access is affected by the inter-VLAN traffic.

I would therefore tend to keep the 2800 series router to do your inter-VLAN routing, and just have the firewall as a firewall. I would use static routes on the ASA pointing at the 2800 for the other subnets/VLANs. Then when you want to switch over, you just change the default route on the 2800 to point at the ASA. The ASA inside interface should be on the VLAN with the most internet traffic.

The exception would be for traffic such as a "Guest" VLAN where you do not want the traffic to access the internal network at all, this should terminate on the ASA.

If the performance of the 2800 is not sufficient for the inter-VLAN traffic, you could add additional Fast Ethernet/Gigabit interfaces, or replace it with a L3 switch; either would be a more appropriate choice than the ASA for routing internal traffic.

I have seen several small networks that would quite happily fit in a single /24 that were segregated by somebody for unknown reasons. Two years ago I came across one for an office of 60 people across two floors, with half a dozen servers and four printers, where it had been divided up into six VLANs with no access control lists between them. Moving it all onto a single VLAN had the expected massive improvement on internal performance and allowed the overworked dual-port 10/100 router (a 2621 from memory) to be retired. When they grew to approach 200 users, we put in a gigabit L3 switch and moved the smaller of the two floors onto a new subnet.

Unless you have a requirement to divide up the network, I would always tend to keep it as simple as possible.

Author

Commented:
Arne,

I hope my scenario is not like the one you had two years ago. My network is divided by departments using VLANs to make the broadcast domain smaller. By doing this, it actually helped speed up user experience. We also have about the same users and devices...approx 60 users, 8 servers, and 8 printers.

Here is my VLAN configuration:
VLAN1 = common resources (Domain Controllers, Internet, Printers, router/switch management, email server)
VLAN2 = VPN Users
VLAN3 = Professionals
VLAN4 = Accounting/Admin
VLAN5 = Telephone

I did this because users in their own respective VLAN would not congest other departments as they typically access their own server placed in their own VLAN. The only time users need inter-VLAN routing is when they access the Internet, authenticating with AD, needing DNS request, DHCP, print and email which are all on VLAN1.

I really like your idea to keep the 2800 as my inter-VLAN router and use the ASA as a firewall but I was planning to take the 2800 and move it to our branch office for site-to-site VPN with the ASA.

So in your opinion, if I plan to use only the ASA as our router/firewall, should I consolidate my VLANs into 3 instead of 5? I could put the Common Resources (VLAN1), VPN Users (VLAN2) and the Professionals (VLAN3) together because they make up most of the workforce, and keep Accounting/Admin (VLAN4) and Telephone (VLAN5) separate, giving me 3 VLANs.

This reminds me though that the reason I kept the Exchange Server on its own VLAN (1) was to keep users traffic from VLAN4 separate from VLAN3. My main goal was to ensure the Professionals (VLAN3) had the quickest access to all resources. Taking everyone else off was why I divided them into separate VLANs. Question now is...would it be less intrusive for my Professionals (VLAN3) if...

-Everyone was put into the same VLAN sharing a larger broadcast domain,
-Keeping the VLANs how it is making the ASA route Inter-VLAN traffic,
-Consolidating VLAN1, 2 & 3 making the fastest access but having VLAN4 traffic share resources

I guess it all boils down to what is quicker, Inter-VLAN routing or having to share a larger broadcast domain. Can you give me your opinion on which is the better choice?
If all of your users were running AppleTalk on OS 9 or earlier, I might split it as you have it, but as long as you're running on switched 100Mb Ethernet instead of using 10BASE2 or 10BASE-T on hubs :-) you should have no issues with a single "internal" VLAN.

Before doing this, you could attach a computer running wireshark to a network port and monitor the amount of broadcast traffic, my guess is that it would be measured in single digit kbps.

With modern servers, you should be able to consolidate your servers. I've consolidated many small servers into file server clusters with better availability and performance for everyone. Several of these have been for companies with high levels of users working on multi gigabyte artwork files and did this for less than the cost of replacing all of the individual servers when they reached their replacement point, the power consumption and electricity bill can also be a driver for doing this.

The exception might be HR or Finance, but I would only usually split them out if their IT was managed by dedicated HR or Finance IT department, for a company where I presume you manage all of it, I would quite happily put it all on one (clustered) server, or with 2k8 r2, two servers with DFS, one with Intel and one with AMD for even more redundancy.

I would keep the phone system on its own VLAN, but this could be terminated on the ASA as the traffic volume should be relatively small and you can also use it to restrict access to only required hosts.

Instead of using the 2800 at the remote office I would get an ASA5505, the NAT and ACL configuration is much simpler and you keep to a common platform with identical setup etc.

I moved one company that had grown through acquisition from three small offices into one large one, they were 300 people, and with gigabit to the desktop switches I put in a single VLAN and a new file server, two of the companies had already had gigabit and were pleasantly surprised when the new infrastructure was faster...

In short, divide up a network when you _need_ to, but try your best not to need to :-)

Author

Commented:
Thanks for the suggestions! I wanted to go back to my original question. Is there a way I can have users behind the ASA access the Internet via the 2800? How would I do it and what command(s) would I have to put on my ASA?
on the 2800
disable NAT
change the default route to point at the ASA

on the ASA
add a static route to the subnet with the 2800 as the gateway
add a new dynamic nat rule for the subnet behind the 2800, or modify the existing one to include the subnet behind the 2800

Author

Commented:
Arne,

I don't quite understand.

On the 2800, if I disable NAT how would my users access the Internet? The 2800 still holds the path to the Internet via WIC T1.

I apologize I'm still new to the ASA and don't really know how create a dynamic NAT rule.

INTERNET ---- 2800 ---- ASA ---- VLAN8

I'm trying to have users in VLAN8 access the Internet via the 2800.

Are your instructions for what I'm trying to do?
your current config

2800 - main vlan
        - other vlan

to
2800 - main vlan - ASA (running NAT)
         - second vlan

or

Internet - ASA (running NAT) - main VLAN  - 2800 - second VLAN

the router then acts as an internal only router and doesn't need NAT.

Although the ASA can run routing protocols, this is more to determine what route to send a packet to, but it isn't a router...

Author

Commented:
current config and ultimately wanting to do...

Internet - 2800 - ASA - VLANs

I need to allow users behind the ASA to access the internet via the 2800's T1
Presumably you are running NAT on the 2800.

Presumably, you have a single public address on the T1 side of the 2800 and a block of addresses that you are using for NAT.

You could remove NAT from the 2800, use one of the addresses for its "internal" interface and use the rest on the ASA. This would mean either moving to a flat LAN, or using the ASA for communicating between VLANS.

When your new connection is activated, you simply configure it on the ASA and modify the NAT rules and routing on the ASA.
So to put commands to what ArneLovius stated for ASA. I have attached a drawing that may help. All ip info made up.

ASA outside Interface

int e0/0
nameif outside
security 0
ip address (ip address in the same external subnet as the 2800)

ASA outside interface connected to 2800 interface both configured with an internal range ip address.

int e0/1
nameif inside
security 100
ip address (ip address in the VLAN 8 range)

You will need to make sure the default route on the ASA is pointing to the interface of the 2800. Then the 2800 will need to have a default route pointing all traffic to the internet.

For NATing

nat (inside) 1 {vlan 8 ip address range}
global (outside) 1 {external ip address range}


Author

Commented:
hitsotntd,

Thank you for doing this. Instead of the public IP addresses between the 2800 and ASA, could I use private IP addresses? Just wondering why it would have to be a public IP address. I will try this as soon as I can.
Yes absolutely, just make sure the routes point to the correct interface.

Author

Commented:
Okay, I've tried this and am unable to get out from a workstation in VLAN8.

My 2800 interface is configured as 10.50.1.2/24
My ASA outside interface is configured as 10.50.1.1/24

I've set the default routes on the ASA as:
route OUTSIDE 0.0.0.0 0.0.0.0 10.50.1.2

The workstations can ping the internal interface but cannot go beyond that. Any ideas?
Can the asa ping the 2800 interface?
Can the workstation ping the outside interface of the ASA?
Can the 2800 ping the outside interface of the asa?
Does the 2800 have a route back to the VLAN8? This is prob the issue.

2800 route should say something like: ip route (VLAN 8 network) 255.255.255.0 10.50.1.1
Also, you can run the command "show xlate" and this will tell you exactly what the internal VLAN8 IP address is being NATed/translated to.

Author

Commented:
From my workstation, I cannot ping the outside of my ASA (10.50.1.1).

From the ASA, I can ping the outside interface (10.50.1.1) and inside interface (192.168.0.1) of the ASA. I can also ping the internal interface (10.50.1.2) of the 2800 but not the public interface.

When I run the "show xlate" command it returns "0 in use, 0 most used"

From the 2800, I can ping all interfaces on the 2800 as well as the outside interface of the ASA (10.50.1.1) and the inside interface of the ASA (192.168.0.1).

Author

Commented:
Seems like traffic is not getting past the ASA's default route as it is not showing up with anything with the "show xlate" command. Any other ideas?
oh and btw, Mightysampson is me too, I messed up on my username and wanted to change it.
Ok, so you said that the 2800 can ping the inside interface of the ASA? If you have the cabling like we think, you should not be able to ping the inside interface from the 2800 unless you have an ACL allowing it.

Does your workstation have a default gateway of 192.168.0.1?
Can your workstation ping the inside ip address of 192.168.0.1?

Would you mind showing me the output on the ASA from the following commands? You can X.X any info you don't want me to view. I should be able to get this running pretty quickly after seeing these outputs.

Show run access-list
show run access-group
show run nat
show run static
show run interface
show route

Also, how about these outputs on the 2800?

show ip int bri
show ip route

Author

Commented:
Workstation does have the default gateway as 192.168.0.1 AND can ping it.

On the ASA
Show run access-list:
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Show run access-group:
null
Show run nat:
null
show run static:
null
show run interface:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 10.50.1.1 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.0.1 255.255.255.0
!
show route:
route OUTSIDE 0.0.0.0 255.255.255.255 10.50.1.2 1
route INSIDE 192.168.1.0 255.255.255.0 192.168.1.1 1

On the 2800
show ip int bri:
FastEthernet0/0.50 10.50.1.2 Yes manual up up
Serial0/0 Public IP Yes NVRAM up up

show ip route:
C 10.50.1.0 is directly connected, FastEthernet0/0.50
S 192.168.0.0/24 [1/0] via 10.50.1.1
S* 0.0.0.0/0 [1/0] via public ip
Well I do see some needed commands,

1. You have no access-group binding your access-list to an interface. The example below binds the access-list global_mpc to the inbound traffic on the outside interface. Do not input this command unless you're absolutely sure you want to. Your current access-list is permitting any TCP traffic to whichever machines are in the object group "DM_INLINE_TCP_1". If you want something to access something from the outside, you will use the below access-group and the ACL named "global_mpc" to make that happen.

1a. access-group global_mpc in interface outside

2. There is no NAT configured. Below are the commands to enter.

2a. nat (inside) 1 192.168.0.0 255.255.255.0
      global (outside) 1 {public ip range}

3. Testing

3a. Try pinging 8.8.8.8 from the 2800.
3b. Try pinging 8.8.8.8 from workstation
3c. enter "show xlate" in ASA to see the NATed internal to the external.

Other than those, everything looks good to me. You have all the routing correct. All interfaces are configured correctly. I am sure all you needed was the NATing configured.

Still not sure why you would be able to ping the inside address from the 2800.

Samp
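The checks hitsotntd walks through above (default route, NAT, ACL binding, the route back on the 2800) can be run mechanically against the output the author pasted. The following is an added example, not code from this thread or from Cisco: a small Python script that parses the pre-8.3 style "nat"/"global" configuration the replies use, plus the 2800's "show ip route", and reports what is missing or inconsistent in the forwarding chain. The script compares interface names case-insensitively (its own choice, not a statement about how the ASA treats them); the corrected variant at the bottom uses 203.0.113.10 (a TEST-NET-3 documentation address) as an assumed stand-in for one of the author's public addresses, and drops the unbound access-list rather than binding it, following the advice above not to bind it without being sure. Run against the output as pasted, it flags four things: the default route appears with a 255.255.255.255 mask (the author's earlier command used 0.0.0.0 0.0.0.0, so that may be a transcription slip), the INSIDE static route's next-hop 192.168.1.1 is not on the 192.168.0.0/24 INSIDE subnet, there is no nat/global pair for 192.168.0.0/24, and access-list global_mpc is defined but never bound.

```python
"""Sanity checks for the 2800 -> ASA co-deployment discussed in this thread.
Added example, not code from the thread or from Cisco. Parses the pre-8.3 style
'show run' fragments and the 2800's 'show ip route' as pasted, then applies the
checks the replies walk through by hand."""
import ipaddress
import re

# Constructed from the output the author pasted; PUBLICIP kept as the thread's placeholder.
ASA_SHOW_RUN = """
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.50.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
route OUTSIDE 0.0.0.0 255.255.255.255 10.50.1.2 1
route INSIDE 192.168.1.0 255.255.255.0 192.168.1.1 1
"""
ROUTER_SHOW_IP_ROUTE = """
C 10.50.1.0 is directly connected, FastEthernet0/0.50
S 192.168.0.0/24 [1/0] via 10.50.1.1
S* 0.0.0.0/0 [1/0] via PUBLICIP
"""
# Corrected variant: real default route, stray INSIDE route and unbound ACL removed,
# nat/global added. 203.0.113.10 (TEST-NET-3) is an assumed stand-in public address.
ASA_CORRECTED = ASA_SHOW_RUN.replace(
    "route OUTSIDE 0.0.0.0 255.255.255.255", "route OUTSIDE 0.0.0.0 0.0.0.0").replace(
    "route INSIDE 192.168.1.0 255.255.255.0 192.168.1.1 1", "").replace(
    "access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1", ""
) + "nat (INSIDE) 1 192.168.0.0 255.255.255.0\nglobal (OUTSIDE) 1 203.0.113.10 255.255.255.255\n"


def parse_asa(text):
    """Interfaces keyed by nameif (lower-cased here for comparison), routes, nat/global by id, ACLs."""
    cfg = {"if": {}, "routes": [], "nat": {}, "global": {}, "acl": set(), "bound": set()}
    cur = None
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"interface \S+$", line):
            cur = {"nameif": None, "level": None, "addr": None, "net": None}
        elif (m := re.match(r"nameif (\S+)$", line)) and cur:
            cur["nameif"] = m[1].lower()
            cfg["if"][cur["nameif"]] = cur
        elif (m := re.match(r"security-level (\d+)$", line)) and cur:
            cur["level"] = int(m[1])
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and cur:
            cur["addr"] = ipaddress.ip_address(m[1])
            cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((m[1].lower(), m[2], m[3], ipaddress.ip_address(m[4])))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            cfg["nat"].setdefault(int(m[2]), []).append((m[1].lower(), net))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            cfg["global"].setdefault(int(m[2]), []).append(m[1].lower())
        elif m := re.match(r"access-list (\S+) ", line):
            cfg["acl"].add(m[1])
        elif m := re.match(r"access-group (\S+) (?:in|out) interface", line):
            cfg["bound"].add(m[1])
    return cfg


def parse_router_routes(text):
    """Static and default routes from IOS 'show ip route' as {prefix: next-hop}."""
    return {m[1]: m[2] for m in re.finditer(r"^\s*S\*?\s+(\S+)\s+\[[^\]]+\]\s+via\s+(\S+)", text, re.M)}


def audit(asa_text, router_text):
    """Return a list of findings; an empty list means the forwarding chain is consistent."""
    asa, router, out = parse_asa(asa_text), parse_router_routes(router_text), []
    outside = next((i for i in asa["if"].values() if i["level"] == 0), None)
    if outside is None:
        return ["ASA: no security-level 0 interface"]
    if not any(r[1] == r[2] == "0.0.0.0" for r in asa["routes"]):
        near = [f"route {r[0]} {r[1]} {r[2]} {r[3]}" for r in asa["routes"] if r[1] == "0.0.0.0"]
        out.append("ASA: no default route with mask 0.0.0.0" + (f"; '{near[0]}' is a host route to 0.0.0.0" if near else ""))
    for ifname, net, mask, nh in asa["routes"]:  # a static next-hop must sit on the named interface's subnet
        intf = asa["if"].get(ifname)
        if intf is None or nh not in intf["net"]:
            out.append(f"ASA: next-hop {nh} for {net} {mask} is not on the {ifname} subnet")
    for name, intf in asa["if"].items():  # every higher-security subnet needs NAT out and a route back
        if intf is outside or intf["net"] is None:
            continue
        ids = [i for i, rules in asa["nat"].items()
               if any(n == name and intf["net"].subnet_of(net) for n, net in rules)]
        if not any(outside["nameif"] in asa["global"].get(i, []) for i in ids):
            out.append(f"ASA: no nat/global pair translating {intf['net']} ({name}) out of {outside['nameif']}")
        nh = router.get(str(intf["net"]))
        if nh != str(outside["addr"]):
            out.append(f"2800: route to {intf['net']} is {nh or 'missing'}; expected via ASA outside {outside['addr']}")
    for acl in sorted(asa["acl"] - asa["bound"]):
        out.append(f"ASA: access-list {acl} is defined but never bound with access-group")
    if "0.0.0.0/0" not in router:
        out.append("2800: no default route toward the ISP")
    return out


if __name__ == "__main__":
    print(*audit(ASA_SHOW_RUN, ROUTER_SHOW_IP_ROUTE), sep="\n")
    print("corrected:", audit(ASA_CORRECTED, ROUTER_SHOW_IP_ROUTE) or "no findings")
```

The checks are deliberately ordered the way a packet travels: can the ASA pick a default path, is the next-hop reachable on that interface, is the inside subnet translated on the way out, and does the upstream router know how to get the reply back to the ASA's outside address. The same script run on the corrected variant returns no findings.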

Author

Commented:
Okay not sure if I need option 1.

I did the 2a command. Question on 2a. global public IP. Is this the IP address of my 2800's WAN interface?

3. Testing results:
3a. OK
3b. No reply
3c. Global 192.168.0.3 Local 192.168.0.3

Workstation still cannot ping 8.8.8.8.

Thanks for all the help. I'm still trying without any success.
No problem at all. We will get this up and running. We are almost there.

Global public IP address is going to be the same range as the serial 0/0 on the 2800.
FYI, it doesn't have to be a range, it can be just 1 public address. Here is an example for a one IP address and a range.

{Many to ONE NAT}
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 69.85.58.68 255.255.255.255

{Many to Many NAT}
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 69.85.58.0 255.255.255.0

Author

Commented:
Okay I configured the global (outside) with the correct public IP and still no luck.

Am I supposed to be able to ping 8.8.8.8 from the ASA because I am not able to. Also on the 2800 I have "IP NAT Outside" command on the S0/0 interface. Wondering if this is preventing traffic coming back into the network. I also have an access-list that is currently configured to allow traffic back in. Would I need to add the 192.168.0.0 network to be allowed back in from the internet?
You should NOT need "IP NAT Outside" on the S0/0. All NATing should be done by the ASA.

You will NOT need to add the 192.168 to be allowed back in.

Try pinging 8.8.8.8 from workstation and then run the show xlate command to make sure the NATing is taking place for the workstation.

Pinging from the ASA will depend what interface it is using to source. I can't 100% answer that question. Off the hip, I would think yes you should be able to but again, I am not 100% on that.

By Default, all traffic that is started from the "inside" will be allowed back in without a need for an Access-list.
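Both of hitsotntd's last two posts turn on one thing: whether the ASA is actually rewriting the source address, which is what "show xlate" shows, and the two "global" forms given above (a single address versus a range) decide whether that rewrite is many-to-one PAT or a one-to-one pool. The following is an added example, not code from this thread or from Cisco: a Python reader for "show xlate" lines and for the pre-8.3 "global" line, which classifies the configured global as PAT or pool and flags xlate entries where Global equals Local (the address left the ASA untranslated) or where the translated address falls outside the configured pool. REPORTED_XLATE is the output the author pastes later in this thread; EXPECTED_XLATE and the 203.0.113.x addresses (TEST-NET-3) are constructed stand-ins for the author's real public range.

```python
"""Read ASA 'show xlate' output against a pre-8.3 'global (outside) ...' line.
Added example, not code from the thread or from Cisco. REPORTED_XLATE is what the
author pastes in this thread; EXPECTED_XLATE and the 203.0.113.x addresses
(TEST-NET-3) are constructed stand-ins for the author's real public range."""
import ipaddress
import re

XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<g>[\d.]+)(?:\(\d+\))? Local (?P<l>[\d.]+)(?:\(\d+\))?$")

REPORTED_XLATE = """
2 in use, 2 most used
Global 192.168.0.2 Local 192.168.0.2
Global 192.168.0.3 Local 192.168.0.3
"""
# Constructed: the same two hosts once a single-address (many-to-one, PAT) global is in effect.
EXPECTED_XLATE = """
2 in use, 2 most used
PAT Global 203.0.113.10(1024) Local 192.168.0.2(49152)
PAT Global 203.0.113.10(1025) Local 192.168.0.3(49153)
"""


def parse_xlate(text):
    """Return (global_ip, local_ip, is_pat) for each translation line."""
    return [(ipaddress.ip_address(m["g"]), ipaddress.ip_address(m["l"]), bool(m["pat"]))
            for m in (XLATE_RE.match(l.strip()) for l in text.splitlines()) if m]


def global_pool(line):
    """Classify 'global (<if>) <id> <addr>[-<addr>] [[netmask] <mask>]' as ('pat'|'pool', (lo, hi))."""
    m = re.match(r"^global \(\S+\) \d+ (\S+)(?: (?:netmask )?(\S+))?$", line.strip())
    if not m:
        raise ValueError(f"not a global line: {line!r}")
    if "-" in m[1]:  # explicit address range
        lo, hi = (ipaddress.ip_address(a) for a in m[1].split("-"))
    else:            # single address, or a network when a mask is given
        net = ipaddress.ip_network(f"{m[1]}/{m[2] or '255.255.255.255'}", strict=False)
        lo, hi = net[0], net[-1]
    return ("pat" if lo == hi else "pool", (lo, hi))


def audit_xlate(text, global_line):
    """Flag xlates showing the address was not rewritten, or rewritten outside the pool."""
    _, (lo, hi) = global_pool(global_line)
    findings = []
    for g, l, _ in parse_xlate(text):
        if g == l:
            findings.append(f"{l}: identity xlate, source address left unchanged")
        elif not lo <= g <= hi:
            findings.append(f"{l} -> {g}: translated to an address outside the pool {lo}-{hi}")
    return findings


if __name__ == "__main__":
    pool = "global (outside) 1 203.0.113.10 255.255.255.255"
    print(audit_xlate(REPORTED_XLATE, pool) or "ok", audit_xlate(EXPECTED_XLATE, pool) or "ok", sep="\n")
```

An identity entry (Global and Local the same) means the ASA built a translation slot but did not change the address, so the packet reaches the 2800 with its private source intact; seeing the public address in the Global column, with PAT entries carrying a port in parentheses, is the result the "show xlate" check above is looking for.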

Author

Commented:
Here is what my Serial0/0 is configured as...it's complex because I have production still behind the current router and I'm trying to add the ASA behind it concurrently. Please let me know if I cannot do this and if I have to take everyone off the 2800 and put it behind the ASA in order for this to work. Here is my WAN interface config:

interface Serial0/0
 description WAN Interface
 ip address PUBLICIP 255.255.255.252
 ip access-group 111 in
 ip access-group BLOCK_CS out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip inspect CBAC_OUT out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 crypto map SDM_CMAP_1

Author

Commented:
In the above config, I did take out the command ip nat outside but only do this when I test the workstation trying to ping 8.8.8.8.
Let me lab this up. I will get back to you on what will need to be done soon. I will then provide you with configs to be entered.

When you test, what are you getting with the "show xlate" command?

Is your public address on S0/0 the only external address you have?

Also, can you provide me with the access-list you have on the s0/0 interface?

Author

Commented:
On the ASA, show xlate:
2 in use, 2 most used
Global 192.168.0.2 Local 192.168.0.2
Global 192.168.0.3 Local 192.168.0.3

Actually I have a secondary public IP address but didn't think it would affect. Here it is anyway:
ip address PUBLICIP 255.255.255.248 secondary (I believe the ISP have created a static route on their end)

Access-list 111 is:

Extended IP access list 111
    10 permit tcp host X.X.X.X host PUBLICIP eq smtp
    20 permit tcp any host PUBLICIP eq www
    30 permit tcp any host PUBLICIP eq 443
    60 permit udp any host PUBLICIP eq domain
    70 permit ahp any host PUBLICIP
    80 permit esp any host PUBLICIP
    90 permit udp any host PUBLICIP eq isakmp
    100 permit udp any host PUBLICIP eq non500-isakmp
    110 permit icmp any host PUBLICIP echo-reply
    120 permit icmp any host PUBLICIP time-exceeded
    130 permit icmp any host PUBLICIP unreachable
    140 deny ip 10.0.0.0 0.255.255.255 any log-input
    150 deny ip 172.16.0.0 0.15.255.255 any log-input
    160 deny ip 192.168.0.0 0.0.255.255 any log-input
    170 deny ip 127.0.0.0 0.255.255.255 any log-input
    180 deny ip host 255.255.255.255 any log-input
    190 deny ip host 0.0.0.0 any log-input
    200 deny ip any any log-input
I completed the lab and you are not going to be able to have your topology the way it currently is.

You would need to turn off the inspection on your 2800 for the traffic to flow as expected.

You will probably want to setup a separate topology for testing your new ASA. You can do this by setting up the ASA's outside interface with an ip address in your external range. Then you could put a switch between your ISP device and the 2800. (this will require down time) With the switch in place, you could have both the ASA and the 2800 connected to the switch and communicating to the ISP and test freely on the ASA.

The end result is, the ASA will replace the 2800 as the firewall/inspection device and the 2800 will be your edge/peering device.

Samp
Any progress?
Yup, ArneLovius stated the correct answer from the very beginning. He should get the points.

Author

Commented:
Thanks for all your assistance. I will end up changing the config on the 2800 when we change ISPs. I cannot do it now but will use the info from this thread to get it working. Thanks again!
