Improve company productivity with a Business Account.Sign Up

x
?
Solved

Routing (Remove 1800 and use ASA)

Posted on 2013-06-21
13
Medium Priority
?
249 Views
Last Modified: 2013-11-07
1. Network Layout: Fairpoint Adtran -> Cisco 1800 -> Cisco ASA -> Internal LAN
2. I want to get rid of the Cisco 1800 and just use the ASA. How can I accomplish this?

I have an 1800 router with following config:

interface FastEthernet0/0
 ip address 71.255.140.22 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 71.255.136.57 255.255.255.248
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 71.255.140.21

I have an ASA attached to fa0/1 with the following config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.x.x 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.136.x 255.255.255.248

global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 71.255.136.57 1
0
Comment
Question by:blake8
  • 7
  • 6
13 Comments
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266021
use this on the asa:

interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252

route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

You can use 71.255.136.56/29 for e.g. NAT on the ASA.
0
 

Author Comment

by:blake8
ID: 39266060
Can you provide example of how that would be done.  I would also need a new interface name? I have a VPN tunnel setup right now that uses "outside"
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266077
If I was you I would copy the configuration from the device to a (t)ftp server and do this:

1. change the ip address line at Vlan2 from:
  ip address 71.255.136.x 255.255.255.248
to
  ip address 71.255.140.22 255.255.255.252
2. Remove the default route:
  route outside 0.0.0.0 0.0.0.0 71.255.136.57 1
3. Add the new default route:
  route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

tftp the modified configuration back to the startup-config of the ASA.

Now poweroff the 1800 and the ASA. Put the cable from the 1800 FastEthernet0/0 in the ASA and replace the cable which is plugged in from the FastEthernet0/1 interface.

Power on the ASA and everything should work.
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 

Author Comment

by:blake8
ID: 39266097
That doesn't give me my ip block that is on the ASA.

What about the 71.255.136.x block that was assigned to me? This is the IP that all tunnels are using as well.

crypto isakmp enable outside

?? something like this ??
object network obj-192.168.0.3
     subnet 192.168.0.0 255.255.255.0
     nat (inside,outside) static 71.255.136.x
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266116
You need to change the IP addresses on the other endpoints.

The reason is that the ISP has a route like this:

ip route 71.255.136.56 255.255.255.248 71.255.140.22

If you replace the 1800 with the ASA you will be the next hop from your ISP. You are able to use the 71.255.136.56/29 subnet. However, for VPN termination we use the interface IP which now have changed to 71.255.140.22.
0
 

Author Comment

by:blake8
ID: 39266151
Hmmm, how about this?

int Vlan3
 nameif fp-outside
 security level 0
 ip address 71.255.136.x 255.255.255.248

crypto map enable fp-outside

nat (inside,fp-outside) source dynamic inside_nets interface descrption outbound PAT for FairPoint
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266161
you could try that, let me know if that works.

as far as I know IPSEC traffic needs to be terminated on the incoming interface but I could be wrong.
0
 

Author Comment

by:blake8
ID: 39266253
So possibly I would have to just change the ip on my end points to 71.255.140.22 and still use configuration above for my internet traffic?
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39269025
Yes. But beware of your NAT statement. If you want to keep the same IP for your outbound internet you should use the IP instead of the interface because the interface IP changed.

You noe have more IP's you can use. You can even make a DMZ interface with the public range for example.
0
 

Author Comment

by:blake8
ID: 39271651
Does this look better?

## ASA ##

int Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252

object network inside_nets
 subnet 192.168.11.0 255.255.255.0

object network obj-exchange
 host 192.168.11.9

access-list outside_access_in extended permit tcp any object obj-exchange eq https
access-list outside_access_in extended deny ip any any

nat (inside,outside) source dynamic inside_nets interface

object network obj-exchange
 nat (inside,outside) static 71.255.136.56

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

webvpn
 enable outside

crypto map outside_map interface outside
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39271663
Yes it does, this wil work, the NAT statements depend on the version of IOS you are running.

I highly recommend you update to IOS version 9 as it appears you are running an older version.
0
 

Author Comment

by:blake8
ID: 39271682
IOS 8.4
0
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 2000 total points
ID: 39586450
Does the config works with the commands I delivered?
0

Featured Post

Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

587 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question