JustinBMak asked:

Cisco 2801 Router as a Default Gateway for ISP

EE Folks:

I have a fiber internet connection that goes to a Cisco ME3400 (Fiber to Copper Converter) and then my new ASA5510 (directly - the ASA5510 is set up in routed mode). My ASA5510 keeps getting knocked offline due to the enormous number of out-of-sync TCP packets I am receiving from my ISP. I called the ISP and they said my line is basically a Layer 2 link and that there is no routing. The Cisco Engineer states I need to put a router between the ASA and my first hop (the Cisco ME3400).

So I am trying to work on this. I have it configured as I was going to put the Cisco ASA in transparent mode; however, an engineer at Cisco has informed me that it is not recommended due to the fact I use NATing for multiple things, including my web server and my consultants' remote access.

So with that being said, I need to see what the best possible solution is. I would assume, as the one Cisco Eng. stated, it is to put up a router, but I wouldn't think you would want two routers on the same network - right? It's not best practice, and a section of the CCIE Security KB says that you want a router in between your ASA and your ISP. So if this is all true, how would I set up the router to be basically a gateway, like how the folks at AT&T do when you get a bonded T1 circuit?

I "think" basically I would want the Cisco Router to be a gateway router to where the ASA can have one of my 16 IPs and set the ASA's default gateway as the Cisco 2801 but not sure how that would pass over to the Cisco ME3400 because obviously I need it!

Plus I am in the process of purchasing a Cisco 2-Port Fast Ethernet WIC card because I have two ISPs and I am going to set up failover on

I'm sure there will be tons of questions so please ask away! I am eager to set this up or return the ASA and go back to Sonicwall.
MPonto:

There are a thousand ways to do this and I will most likely be called wrong, but here goes...
I would put a router outside the ASA like Cisco suggested,
use a different subnet between your ASA and the outside router,
and use an access rule to drop any traffic not headed for your LAN.

As for failover, you might look at using a higher metric on the secondary ISP, but that really sounds like a separate issue.

ArneLovius:
I'm not sure what you mean by "TCP packets out of sync".
JustinBMak:
So I just got off the phone with the Cisco Engineer.

He's not sure how to set up the Cisco 2801 Router but highly recommended that I do not move the ASA5510 over to transparent mode.

I basically just don't know how I would set up the Cisco 2801 to do nothing but pass traffic to the ASA and ONLY do ip-reassembly on the WAN Interface.

Currently, to have my web server accessible from the outside I would have to set up a NAT policy and forward it to the ASA and then another NAT policy to forward that request to the web server, so I am basically doing double configuration, which I do not want to do. I will go back to Sonicwall if this is the case, because with the time and effort I am putting into configuration it will be worth going to a higher-end model of Sonicwall.

Anyone with any ideas?
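
One way to lay out what MPonto describes (router outside the ASA, a separate transit subnet, an access rule dropping anything not headed for your block) together with the WAN-side reassembly and no-double-NAT points raised above, as an added IOS example that is not part of any post here. Every address is an assumed RFC 5737 placeholder; it also assumes the ISP delivers the /28 onto the layer-2 link and that the 2801's default proxy ARP answers the ISP gateway's ARP requests for the public addresses handed on to the ASA (verify with `show ip interface FastEthernet0/0`; the cleaner alternative is to have the ISP route the block to the router's WAN address).

```cisco
! Added example: the 2801 as a routing-only edge in front of the ASA5510.
! Not MPonto's, Cisco's or the asker's configuration. Assumed placeholder addressing:
!   ISP block 203.0.113.16/28: ISP gateway .17, router WAN .18
!   Transit link router<->ASA 192.0.2.0/30: router .1, ASA outside .2
!   Public addresses the ASA keeps for its own NAT (assumed): 203.0.113.20 and .21
hostname edge-2801
!
ip access-list extended WAN-IN
 remark Drop obviously spoofed private sources, then anything not addressed to our block
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any 203.0.113.16 0.0.0.15
 deny   ip any any log
!
interface FastEthernet0/0
 description WAN - layer-2 handoff from the ISP via the ME3400
 ip address 203.0.113.18 255.255.255.240
 ip access-group WAN-IN in
 ! Reassemble fragments on the WAN side only, as asked above
 ip virtual-reassembly
 no ip redirects
 no ip unreachables
 no cdp enable
!
interface FastEthernet0/1
 description Transit link to the ASA5510 outside interface (this router does no NAT)
 ip address 192.0.2.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 203.0.113.17
! Host routes hand the ASA's public NAT addresses to it; because the router never NATs,
! the web server keeps its single static NAT on the ASA and nothing is configured twice.
ip route 203.0.113.20 255.255.255.255 192.0.2.2
ip route 203.0.113.21 255.255.255.255 192.0.2.2
```

On the ASA side this only requires the outside interface to be 192.0.2.2/30 with a default route to 192.0.2.1; the existing static NAT for the web server stays as it is.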