JustinBMak asked:

Cisco 2801 Router as a Default Gateway for ISP

EE Folks:

I have a fiber internet connection that goes to a Cisco ME3400 (Fiber to Copper Converter) and then my new ASA5510 (directly - asa5510 is set up in routed mode). My ASA5510 keeps getting knocked offline due to the enormous amount of TCP packets out of sync I am receiving from my ISP. I called the ISP and they said my line is basically a Layer 2 link and that there is no routing. Cisco Engineer states I need to put a router between the ASA and my first hop (the Cisco ME3400).

So I am trying to work on this. I have it configured as I was going to put the Cisco ASA in transparent mode; however, an engineer at Cisco has informed me that it is not recommended due to the fact I use NATing for multiple things, including my web server and my consultants' remote access.

So with that being said, I need to see what the best possible solution is. I would assume as the one Cisco Eng. stated is to put up a router but I wouldn't think you would want two routers on the same network - right? It's not best practice and a section of the CCIE Security KB is that you want a router in between your ASA and your ISP. So if this is all true, how would I set up the Router to be basically a gateway like how the folks at AT&T do when you get a bonded T1 circuit?

I "think" basically I would want the Cisco Router to be a gateway router to where the ASA can have one of my 16 IPs and set the ASA's default gateway as the Cisco 2801 but not sure how that would pass over to the Cisco ME3400 because obviously I need it!

Plus I am in the process of purchasing a Cisco 2-Port Fast Ethernet WIC Card because I have two ISPs and I am going to set up fail over on

I'm sure there will be tons of questions so please ask away! I am eager to set this up or return the ASA and go back to Sonicwall.
Topics: Networking Hardware-Other, Network Security, Broadband

Last comment: 8/22/2022 - Mon

There are a thousand ways to do this and I will most likely be called wrong, but here goes...
I would put a router outside the ASA like Cisco suggested,
use a different subnet between your ASA and outside router,
and use an access rule to drop any traffic not headed for your LAN.

As for a fail over, you might look at using a higher metric on the secondary ISP, but that really sounds like a separate issue.
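
As an added illustration of the layout this answer describes (not configuration from the thread or from Cisco), here is an IOS configuration for the 2801 sitting between the ISP's Layer 2 hand-off (the ME3400) and the ASA5510: a private transit /30 between the router and the ASA, the public addresses that the ASA NATs routed to it over that link, and inbound/outbound access lists on the WAN side that drop anything not addressed to or sourced from the public block. All addresses are constructed placeholders (RFC 5737 documentation space for the public block, RFC 1918 for the transit link); the interface names, the hostname and the choice of which public addresses live behind the ASA are assumptions, and the design assumes the IOS default proxy ARP behaviour on the WAN interface so the router answers the ISP gateway's ARP for addresses it routes out the transit interface.

```cisco
! Added example, not from the thread: Cisco 2801 as a transit router
! between the ISP Layer 2 hand-off (ME3400) and the ASA5510 outside interface.
! Constructed placeholder addressing:
!   203.0.113.0/28    public block from the ISP (stands in for the 16 IPs)
!   203.0.113.1       ISP gateway reachable on the Layer 2 hand-off (assumed)
!   203.0.113.2       router WAN address
!   203.0.113.3-.5    public addresses the ASA uses for NAT/VPN (assumed)
!   192.168.255.0/30  private transit link, router .1 / ASA outside .2
hostname EDGE-2801
!
ip cef
no ip source-route
!
! Inbound from the ISP: only packets addressed to our public block get through.
ip access-list extended FROM-ISP
 remark Drop anything that is not headed for our public block
 permit ip any 203.0.113.0 0.0.0.15
 deny   ip any any log
!
! Outbound to the ISP: only packets sourced from our public block (anti-spoofing).
ip access-list extended TO-ISP
 permit ip 203.0.113.0 0.0.0.15 any
 deny   ip any any log
!
interface FastEthernet0/0
 description WAN - to ME3400 (ISP Layer 2 hand-off)
 ip address 203.0.113.2 255.255.255.240
 ip access-group FROM-ISP in
 ip access-group TO-ISP out
 ! Reassemble fragments here, before they reach the ASA
 ip virtual-reassembly
 no ip redirects
 no ip unreachables
 no cdp enable
!
interface FastEthernet0/1
 description Transit - to ASA5510 outside interface
 ip address 192.168.255.1 255.255.255.252
 ip virtual-reassembly
 no ip proxy-arp
!
! Everything not ours goes to the ISP gateway
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Public addresses that live behind the ASA are routed to it over the transit link.
! Proxy ARP is left at its IOS default (enabled) on FastEthernet0/0, so the router
! answers ARP from the ISP side for these addresses because it routes them out a
! different interface (assumption about IOS proxy ARP behaviour).
ip route 203.0.113.3 255.255.255.255 192.168.255.2
ip route 203.0.113.4 255.255.255.255 192.168.255.2
ip route 203.0.113.5 255.255.255.255 192.168.255.2
```

On the ASA side this layout expects the outside interface at 192.168.255.2/30 with its default route pointing at 192.168.255.1, and its NAT rules (web server, outbound PAT, VPN termination) using the routed public addresses rather than the transit address; that way the router only forwards and filters, and the NAT configuration stays in one place on the ASA. The `log` keyword on the deny entries is there so dropped traffic shows up in syslog for review; on a busy link it can be rate-limited or removed once the policy has been validated.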


I'm not sure what you mean by "TCP packets out of sync".


So I just got off the phone with the Cisco Engineer.

He's not sure how to set up the Cisco 2801 Router but highly recommended that I do not move the ASA5510 over to transparent mode.

I basically just don't know how I would set up the Cisco 2801 to do nothing but pass traffic to the ASA and ONLY do ip-reassembly on the WAN Interface.

Currently, to have my web server set up to be accessible from the outside, I would have to set up a NAT policy and forward it to the ASA and then another NAT policy to forward that request to the web server, so I am basically doing double configuration, which I do not want to do. I will go back to Sonicwall if this is the case, because with the time and effort I am putting into configuring it, it will be worth going to a higher end model of Sonicwall.

Anyone with any ideas?
