?
Solved

Routing (Remove 1800 and use ASA)

Posted on 2013-06-21
13
Medium Priority
?
242 Views
Last Modified: 2013-11-07
1. Network Layout: Fairpoint Adtran -> Cisco 1800 -> Cisco ASA -> Internal LAN
2. I want to get rid of the Cisco 1800 and just use the ASA. How can I accomplish this?

I have an 1800 router with following config:

interface FastEthernet0/0
 ip address 71.255.140.22 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 71.255.136.57 255.255.255.248
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 71.255.140.21

I have an ASA attached to fa0/1 with the following config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.x.x 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.136.x 255.255.255.248

global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 71.255.136.57 1
0
Comment
Question by:blake8
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
13 Comments
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266021
use this on the asa:

interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252

route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

You can use 71.255.136.56/29 for e.g. NAT on the ASA.
0
 

Author Comment

by:blake8
ID: 39266060
Can you provide example of how that would be done.  I would also need a new interface name? I have a VPN tunnel setup right now that uses "outside"
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266077
If I was you I would copy the configuration from the device to a (t)ftp server and do this:

1. change the ip address line at Vlan2 from:
  ip address 71.255.136.x 255.255.255.248
to
  ip address 71.255.140.22 255.255.255.252
2. Remove the default route:
  route outside 0.0.0.0 0.0.0.0 71.255.136.57 1
3. Add the new default route:
  route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

tftp the modified configuration back to the startup-config of the ASA.

Now poweroff the 1800 and the ASA. Put the cable from the 1800 FastEthernet0/0 in the ASA and replace the cable which is plugged in from the FastEthernet0/1 interface.

Power on the ASA and everything should work.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:blake8
ID: 39266097
That doesn't give me my ip block that is on the ASA.

What about the 71.255.136.x block that was assigned to me? This is the IP that all tunnels are using as well.

crypto isakmp enable outside

?? something like this ??
object network obj-192.168.0.3
     subnet 192.168.0.0 255.255.255.0
     nat (inside,outside) static 71.255.136.x
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266116
You need to change the IP addresses on the other endpoints.

The reason is that the ISP has a route like this:

ip route 71.255.136.56 255.255.255.248 71.255.140.22

If you replace the 1800 with the ASA you will be the next hop from your ISP. You are able to use the 71.255.136.56/29 subnet. However, for VPN termination we use the interface IP which now have changed to 71.255.140.22.
0
 

Author Comment

by:blake8
ID: 39266151
Hmmm, how about this?

int Vlan3
 nameif fp-outside
 security level 0
 ip address 71.255.136.x 255.255.255.248

crypto map enable fp-outside

nat (inside,fp-outside) source dynamic inside_nets interface descrption outbound PAT for FairPoint
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266161
you could try that, let me know if that works.

as far as I know IPSEC traffic needs to be terminated on the incoming interface but I could be wrong.
0
 

Author Comment

by:blake8
ID: 39266253
So possibly I would have to just change the ip on my end points to 71.255.140.22 and still use configuration above for my internet traffic?
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39269025
Yes. But beware of your NAT statement. If you want to keep the same IP for your outbound internet you should use the IP instead of the interface because the interface IP changed.

You noe have more IP's you can use. You can even make a DMZ interface with the public range for example.
0
 

Author Comment

by:blake8
ID: 39271651
Does this look better?

## ASA ##

int Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252

object network inside_nets
 subnet 192.168.11.0 255.255.255.0

object network obj-exchange
 host 192.168.11.9

access-list outside_access_in extended permit tcp any object obj-exchange eq https
access-list outside_access_in extended deny ip any any

nat (inside,outside) source dynamic inside_nets interface

object network obj-exchange
 nat (inside,outside) static 71.255.136.56

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

webvpn
 enable outside

crypto map outside_map interface outside
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39271663
Yes it does, this wil work, the NAT statements depend on the version of IOS you are running.

I highly recommend you update to IOS version 9 as it appears you are running an older version.
0
 

Author Comment

by:blake8
ID: 39271682
IOS 8.4
0
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 2000 total points
ID: 39586450
Does the config works with the commands I delivered?
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question