Solved

Routing (Remove 1800 and use ASA)

Posted on 2013-06-21
Medium Priority
244 Views
Last Modified: 2013-11-07
1. Network Layout: Fairpoint Adtran -> Cisco 1800 -> Cisco ASA -> Internal LAN
2. I want to get rid of the Cisco 1800 and just use the ASA. How can I accomplish this?

I have an 1800 router with the following config:

interface FastEthernet0/0
 ip address 71.255.140.22 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 71.255.136.57 255.255.255.248
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 71.255.140.21

I have an ASA attached to fa0/1 with the following config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.x.x 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.136.x 255.255.255.248

global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 71.255.136.57 1
Question by:blake8
13 Comments
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266021
Use this on the ASA:

interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252

route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

You can use 71.255.136.56/29 for e.g. NAT on the ASA.

Author Comment

by:blake8
ID: 39266060
Can you provide an example of how that would be done? Would I also need a new interface name? I have a VPN tunnel set up right now that uses "outside".
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266077
If I were you, I would copy the configuration from the device to a (T)FTP server and do this:

1. change the ip address line at Vlan2 from:
  ip address 71.255.136.x 255.255.255.248
to
  ip address 71.255.140.22 255.255.255.252
2. Remove the default route:
  route outside 0.0.0.0 0.0.0.0 71.255.136.57 1
3. Add the new default route:
  route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

TFTP the modified configuration back to the startup-config of the ASA.

Now power off the 1800 and the ASA. Plug the cable from the 1800's FastEthernet0/0 into the ASA, replacing the cable that is currently plugged in from the FastEthernet0/1 interface.

Power on the ASA and everything should work.

Author Comment

by:blake8
ID: 39266097
That doesn't give me my ip block that is on the ASA.

What about the 71.255.136.x block that was assigned to me? This is the IP that all tunnels are using as well.

crypto isakmp enable outside

?? something like this ??
object network obj-192.168.0.3
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) static 71.255.136.x
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266116
You need to change the IP addresses on the other endpoints.

The reason is that the ISP has a route like this:

ip route 71.255.136.56 255.255.255.248 71.255.140.22

If you replace the 1800 with the ASA, you will be the next hop from your ISP. You are able to use the 71.255.136.56/29 subnet. However, for VPN termination we use the interface IP, which has now changed to 71.255.140.22.

Author Comment

by:blake8
ID: 39266151
Hmmm, how about this?

int Vlan3
 nameif fp-outside
 security-level 0
 ip address 71.255.136.x 255.255.255.248

crypto isakmp enable fp-outside

nat (inside,fp-outside) source dynamic inside_nets interface description outbound PAT for FairPoint
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266161
You could try that; let me know if that works.

As far as I know, IPsec traffic needs to be terminated on the incoming interface, but I could be wrong.

Author Comment

by:blake8
ID: 39266253
So possibly I would have to just change the IP on my endpoints to 71.255.140.22 and still use the configuration above for my internet traffic?
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39269025
Yes. But beware of your NAT statement. If you want to keep the same IP for your outbound internet traffic, you should use the IP instead of the interface, because the interface IP changed.

You now have more IPs you can use. You can even make a DMZ interface with the public range, for example.

Author Comment

by:blake8
ID: 39271651
Does this look better?

## ASA ##

int Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252

object network inside_nets
 subnet 192.168.11.0 255.255.255.0

object network obj-exchange
 host 192.168.11.9

access-list outside_access_in extended permit tcp any object obj-exchange eq https
access-list outside_access_in extended deny ip any any

nat (inside,outside) source dynamic inside_nets interface

object network obj-exchange
 nat (inside,outside) static 71.255.136.56

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

webvpn
 enable outside

crypto map outside_map interface outside
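A sanity check I would run before the cutover, as an added example that is not part of the thread: it parses the final ASA snippet posted above for the outside address, the default route and the static NAT entries, then verifies that the next hop is on the outside subnet and that every public NAT address falls inside the /29 the ISP routes toward the ASA (71.255.136.56/29, as Henk described). The parser and function names are my own, and the sample config is constructed from the addresses in the thread.

```python
import ipaddress
import re

# Constructed sample: the final ASA snippet from the thread (addresses as posted).
FINAL_CONFIG = """
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252
object network obj-exchange
 nat (inside,outside) static 71.255.136.56
route outside 0.0.0.0 0.0.0.0 71.255.140.21 1
"""

# The /29 the ISP routes toward the customer's WAN address (from Henk's reply).
ISP_ROUTED_BLOCK = ipaddress.ip_network("71.255.136.56/29")

def parse_asa(config):
    """Pull the outside interface, default-route next hop and static NAT IPs."""
    outside, next_hop, nat_ips, nameif = None, None, [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            nameif = None                      # new block: forget the previous nameif
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and nameif == "outside":
            outside = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            next_hop = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"nat \(inside,outside\) static (\S+)$", line):
            nat_ips.append(ipaddress.ip_address(m.group(1)))
    return outside, next_hop, nat_ips

def check_cutover(config, isp_block=ISP_ROUTED_BLOCK):
    """Return a list of addressing problems; an empty list means the plan is consistent."""
    outside, hop, nat_ips = parse_asa(config)
    if outside is None or hop is None:
        return ["outside interface address or default route missing"]
    problems = []
    # The next hop must be on-link: the ASA has to ARP for it on the outside segment.
    if hop not in outside.network:
        problems.append(f"next hop {hop} is not in outside subnet {outside.network}")
    for ip in nat_ips:
        # Public NAT addresses must sit in the block the ISP routes to the ASA,
        # otherwise the ISP never forwards return traffic for them.
        if ip not in isp_block:
            problems.append(f"NAT address {ip} is not in ISP-routed block {isp_block}")
        if ip == outside.ip:
            problems.append(f"NAT address {ip} collides with the outside interface IP")
    return problems
```

Running `check_cutover(FINAL_CONFIG)` on the posted snippet returns an empty list; feeding it the old default route (next hop 71.255.136.57) reports that the hop is not on the new outside subnet.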
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39271663
Yes it does; this will work. The NAT statements depend on the version of IOS you are running.

I highly recommend you update to IOS version 9, as it appears you are running an older version.

Author Comment

by:blake8
ID: 39271682
IOS 8.4
LVL 12

Accepted Solution

by:Henk van Achterberg (earned 2000 total points)
ID: 39586450
Does the config work with the commands I delivered?