Solved

Routing (Remove 1800 and use ASA)

Posted on 2013-06-21
13
232 Views
Last Modified: 2013-11-07
1. Network Layout: Fairpoint Adtran -> Cisco 1800 -> Cisco ASA -> Internal LAN
2. I want to get rid of the Cisco 1800 and just use the ASA. How can I accomplish this?

I have an 1800 router with following config:

interface FastEthernet0/0
 ip address 71.255.140.22 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 71.255.136.57 255.255.255.248
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 71.255.140.21

I have an ASA attached to fa0/1 with the following config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.x.x 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.136.x 255.255.255.248

global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 71.255.136.57 1
Question by:blake8
13 Comments
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266021
use this on the asa:

interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252

route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

You can use 71.255.136.56/29 for e.g. NAT on the ASA.
 

Author Comment

by:blake8
ID: 39266060
Can you provide an example of how that would be done. I would also need a new interface name? I have a VPN tunnel setup right now that uses "outside".
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266077
If I was you I would copy the configuration from the device to a (t)ftp server and do this:

1. change the ip address line at Vlan2 from:
  ip address 71.255.136.x 255.255.255.248
to
  ip address 71.255.140.22 255.255.255.252
2. Remove the default route:
  route outside 0.0.0.0 0.0.0.0 71.255.136.57 1
3. Add the new default route:
  route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

tftp the modified configuration back to the startup-config of the ASA.

Now poweroff the 1800 and the ASA. Put the cable from the 1800 FastEthernet0/0 in the ASA and replace the cable which is plugged in from the FastEthernet0/1 interface.

Power on the ASA and everything should work.
 

Author Comment

by:blake8
ID: 39266097
That doesn't give me my ip block that is on the ASA.

What about the 71.255.136.x block that was assigned to me? This is the IP that all tunnels are using as well.

crypto isakmp enable outside

?? something like this ??
object network obj-192.168.0.3
     subnet 192.168.0.0 255.255.255.0
     nat (inside,outside) static 71.255.136.x
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266116
You need to change the IP addresses on the other endpoints.

The reason is that the ISP has a route like this:

ip route 71.255.136.56 255.255.255.248 71.255.140.22

If you replace the 1800 with the ASA you will be the next hop from your ISP. You are able to use the 71.255.136.56/29 subnet. However, for VPN termination we use the interface IP, which has now changed to 71.255.140.22.
 

Author Comment

by:blake8
ID: 39266151
Hmmm, how about this?

int Vlan3
 nameif fp-outside
 security-level 0
 ip address 71.255.136.x 255.255.255.248

crypto map enable fp-outside

nat (inside,fp-outside) source dynamic inside_nets interface description outbound PAT for FairPoint
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39266161
you could try that, let me know if that works.

as far as I know IPSEC traffic needs to be terminated on the incoming interface but I could be wrong.
 

Author Comment

by:blake8
ID: 39266253
So possibly I would have to just change the ip on my end points to 71.255.140.22 and still use configuration above for my internet traffic?
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39269025
Yes. But beware of your NAT statement. If you want to keep the same IP for your outbound internet you should use the IP instead of the interface because the interface IP changed.

You now have more IPs you can use. You can even make a DMZ interface with the public range, for example.
 

Author Comment

by:blake8
ID: 39271651
Does this look better?

## ASA ##

int Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252

object network inside_nets
 subnet 192.168.11.0 255.255.255.0

object network obj-exchange
 host 192.168.11.9

access-list outside_access_in extended permit tcp any object obj-exchange eq https
access-list outside_access_in extended deny ip any any

nat (inside,outside) source dynamic inside_nets interface

object network obj-exchange
 nat (inside,outside) static 71.255.136.56

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

webvpn
 enable outside

crypto map outside_map interface outside
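The config above and Henk's earlier explanation of the ISP route (`ip route 71.255.136.56 255.255.255.248 71.255.140.22`) together define the invariants this migration has to satisfy. The script below is an added example, not code from either poster, Cisco or Experts Exchange: it re-types the final ASA snippet as constructed sample input, parses the handful of line types that matter, and checks that the outside interface owns the address the ISP routes the /29 to, that the default route has moved to the ISP gateway on the /30, that static NAT addresses come from the routed block, and that the crypto map is bound to the interface whose IP the VPN peers must now use. The ISP route is assumed to be exactly the one quoted in the thread.

```python
"""Sanity checks for replacing the 1800 with the ASA (added example, not the
thread's own code).  Input is a constructed re-typing of the asker's final
config; the ISP route is assumed to be the one Henk quoted."""
import ipaddress
import re

# Assumed upstream route: "ip route 71.255.136.56 255.255.255.248 71.255.140.22"
ISP_BLOCK = ipaddress.ip_network("71.255.136.56/29")
ISP_NEXT_HOP = ipaddress.ip_address("71.255.140.22")

# Constructed sample: the relevant lines of the asker's proposed ASA config.
ASA_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252
object network obj-exchange
 host 192.168.11.9
 nat (inside,outside) static 71.255.136.56
nat (inside,outside) source dynamic inside_nets interface
route outside 0.0.0.0 0.0.0.0 71.255.140.21 1
crypto map outside_map interface outside
"""


def parse_asa(config):
    """Extract interface addresses, static NATs, default routes and the
    crypto-map binding from ASA-style text (only the line types we check)."""
    ifaces, statics, defaults, crypto = {}, [], [], []
    current = None
    for line in config.splitlines():
        if m := re.match(r"^interface\s+(\S+)", line):
            current = {"name": m.group(1)}
        elif m := re.match(r"^\s+nameif\s+(\S+)", line):
            if current is not None:
                current["nameif"] = m.group(1)
                ifaces[m.group(1)] = current
        elif m := re.match(r"^\s+ip address\s+(\S+)\s+(\S+)", line):
            if current is not None:
                current["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"^\s+nat \((\S+),(\S+)\) static (\S+)", line):
            statics.append((m.group(2), ipaddress.ip_address(m.group(3))))
        elif m := re.match(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            defaults.append((m.group(1), ipaddress.ip_address(m.group(2))))
        elif m := re.match(r"^crypto map \S+ interface (\S+)", line):
            crypto.append(m.group(1))
    return {"ifaces": ifaces, "statics": statics, "defaults": defaults, "crypto": crypto}


def check_migration(config):
    """Return a list of findings; an empty list means the config follows the plan."""
    cfg = parse_asa(config)
    findings = []
    outside = cfg["ifaces"].get("outside")
    if outside is None or "addr" not in outside:
        return ["no addressed interface with nameif outside"]
    ext_ip, link = outside["addr"].ip, outside["addr"].network
    # 1. The ISP forwards the /29 to 71.255.140.22; with the 1800 gone the ASA owns it.
    if ext_ip != ISP_NEXT_HOP:
        findings.append(f"ISP routes {ISP_BLOCK} to {ISP_NEXT_HOP} but outside is {ext_ip}")
    # 2. Default route must point at the ISP gateway on the /30, not the old 1800 address.
    if not cfg["defaults"]:
        findings.append("no default route")
    for nameif, gw in cfg["defaults"]:
        if nameif != "outside" or gw not in link or gw == ext_ip:
            findings.append(f"default route via {gw} on {nameif} is not a peer on {link}")
    # 3. Static NAT public addresses come from the routed /29 (any of its eight addresses
    #    is usable because the block is routed to the ASA, not on-link) and must not
    #    clash with the outside interface or its gateway.
    for nameif, pub in cfg["statics"]:
        if nameif != "outside" or pub not in ISP_BLOCK:
            findings.append(f"static NAT to {pub} on {nameif} is outside {ISP_BLOCK}")
        if pub == ext_ip or any(pub == gw for _, gw in cfg["defaults"]):
            findings.append(f"static NAT to {pub} collides with the outside link")
    # 4. IPsec terminates on the interface the crypto map is bound to.
    if "outside" not in cfg["crypto"]:
        findings.append("crypto map not bound to outside; VPN peers cannot terminate here")
    return findings


def vpn_peer_address(config):
    """The address remote VPN endpoints must be repointed to: the IP of the
    interface carrying the crypto map (None if the binding is missing)."""
    cfg = parse_asa(config)
    for nameif in cfg["crypto"]:
        iface = cfg["ifaces"].get(nameif)
        if iface and "addr" in iface:
            return str(iface["addr"].ip)
    return None


if __name__ == "__main__":
    print("findings:", check_migration(ASA_CONFIG) or "none")
    print("VPN peers must use:", vpn_peer_address(ASA_CONFIG))
    # Failure mode from earlier in the thread: default route still via the 1800's LAN IP.
    stale = ASA_CONFIG.replace("71.255.140.21", "71.255.136.57")
    print("with stale default route:", check_migration(stale))
```

Run against the constructed config it reports no findings and `71.255.140.22` as the address the tunnel peers must be changed to; swapping the default route back to `71.255.136.57` (the address the 1800's fa0/1 used to have) produces a single finding, which is the exact mistake the earlier replies warn about.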
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39271663
Yes it does, this will work; the NAT statements depend on the version of IOS you are running.

I highly recommend you update to IOS version 9 as it appears you are running an older version.
 

Author Comment

by:blake8
ID: 39271682
IOS 8.4
 
LVL 12

Accepted Solution

by:Henk van Achterberg (earned 500 total points)
ID: 39586450
Does the config work with the commands I delivered?
