
Routing (Remove 1800 and use ASA)

1. Network Layout: Fairpoint Adtran -> Cisco 1800 -> Cisco ASA -> Internal LAN
2. I want to get rid of the Cisco 1800 and just use the ASA. How can I accomplish this?

I have an 1800 router with following config:

interface FastEthernet0/0
 ip address 71.255.140.22 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 71.255.136.57 255.255.255.248
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 71.255.140.21

I have an ASA attached to fa0/1 with the following config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.x.x 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.136.x 255.255.255.248

global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 71.255.136.57 1
Asked by blake8

1 Solution
Henk van Achterberg (Sr. Technical Consultant) commented:
use this on the asa:

interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252

route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

You can use 71.255.136.56/29 e.g. for NAT on the ASA.
 
blake8 (Author) commented:
Can you provide an example of how that would be done? Would I also need a new interface name? I have a VPN tunnel set up right now that uses "outside".
 
Henk van Achterberg (Sr. Technical Consultant) commented:
If I were you, I would copy the configuration from the device to a (T)FTP server and do this:

1. change the ip address line at Vlan2 from:
  ip address 71.255.136.x 255.255.255.248
to
  ip address 71.255.140.22 255.255.255.252
2. Remove the default route:
  route outside 0.0.0.0 0.0.0.0 71.255.136.57 1
3. Add the new default route:
  route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

tftp the modified configuration back to the startup-config of the ASA.

Now power off the 1800 and the ASA. Move the cable from the 1800's FastEthernet0/0 to the ASA, replacing the cable that came from the FastEthernet0/1 interface.

Power on the ASA and everything should work.

 
blake8 (Author) commented:
That doesn't give me my IP block that is on the ASA.

What about the 71.255.136.x block that was assigned to me? This is the IP that all tunnels are using as well.

crypto isakmp enable outside

?? something like this ??
object network obj-192.168.0.3
     subnet 192.168.0.0 255.255.255.0
     nat (inside,outside) static 71.255.136.x
 
Henk van Achterberg (Sr. Technical Consultant) commented:
You need to change the IP addresses on the other endpoints.

The reason is that the ISP has a route like this:

ip route 71.255.136.56 255.255.255.248 71.255.140.22

If you replace the 1800 with the ASA, you will be the next hop from your ISP. You are able to use the 71.255.136.56/29 subnet. However, for VPN termination we use the interface IP, which has now changed to 71.255.140.22.
 
blake8 (Author) commented:
Hmmm, how about this?

interface Vlan3
 nameif fp-outside
 security-level 0
 ip address 71.255.136.x 255.255.255.248

crypto map outside_map interface fp-outside

nat (inside,fp-outside) source dynamic inside_nets interface description outbound PAT for FairPoint
 
Henk van Achterberg (Sr. Technical Consultant) commented:
you could try that, let me know if that works.

as far as I know IPSEC traffic needs to be terminated on the incoming interface but I could be wrong.
 
blake8 (Author) commented:
So possibly I would have to just change the ip on my end points to 71.255.140.22 and still use configuration above for my internet traffic?
 
Henk van Achterberg (Sr. Technical Consultant) commented:
Yes. But beware of your NAT statement. If you want to keep the same IP for your outbound internet, you should use the IP instead of the interface, because the interface IP changed.

You now have more IPs you can use. You can even make a DMZ interface with the public range, for example.
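The procedure in the earlier reply (pull the saved config, change the interface address, swap the default route, push it back) and the NAT caveat just above can be checked mechanically before the maintenance window. The script below is an added example, not code from this thread or from Cisco: it applies those three edits to a saved ASA 8.4-style config, refuses a default route whose next hop is not on the new /30, and then lists every line that still depends on the old outside address. The sample config is constructed from the fragments posted in the thread; the old outside address 71.255.136.58 and the inside network 192.168.11.0/24 are assumptions, since the thread only shows "x" octets.

```python
"""Re-address an ASA's outside interface when the upstream router is removed.

Added example, not from the thread. It performs the three edits from the
procedure above on a saved config (new interface address, old default route
out, new default route in) and then lists every line that still depends on
the old outside address, which is where the NAT and VPN caveats bite.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in ASA 8.4 syntax, built from the fragments in the thread.
# Assumptions: inside is 192.168.11.0/24 (as in the later post) and the old
# outside address was 71.255.136.58 (the thread only shows 71.255.136.x).
OLD_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.136.58 255.255.255.248
!
object network inside_nets
 subnet 192.168.11.0 255.255.255.0
nat (inside,outside) source dynamic inside_nets interface
route outside 0.0.0.0 0.0.0.0 71.255.136.57 1
crypto map outside_map interface outside
"""

Finding = Tuple[int, str, str]  # (line number, tag, line text)


class Interface(NamedTuple):
    nameif: str
    start: int  # index of the 'interface ...' line
    end: int    # index of the block's last indented line
    ip: str
    mask: str


def parse_interfaces(lines: List[str]) -> Dict[str, Interface]:
    """Map nameif -> Interface for every 'interface' block in the config."""
    found: Dict[str, Interface] = {}
    i = 0
    while i < len(lines):
        if not lines[i].startswith("interface "):
            i += 1
            continue
        nameif = ip = mask = None
        j = i + 1
        while j < len(lines) and lines[j].startswith(" "):  # indented sub-commands
            words = lines[j].split()
            if words[:1] == ["nameif"]:
                nameif = words[1]
            elif words[:2] == ["ip", "address"] and len(words) >= 4:
                ip, mask = words[2], words[3]
            j += 1
        if nameif:
            found[nameif] = Interface(nameif, i, j - 1, ip, mask)
        i = j
    return found


def audit(config: str, nameif: str, old_ip: str) -> List[Finding]:
    """Lines in the migrated config that still depend on the old outside address."""
    findings: List[Finding] = []
    pat_on_iface = re.compile(rf"^nat \(\S+,{re.escape(nameif)}\) source dynamic \S+ interface$")
    crypto_bound = re.compile(rf"^crypto map \S+ interface {re.escape(nameif)}$")
    for no, line in enumerate(config.splitlines(), 1):
        if old_ip and re.search(rf"\b{re.escape(old_ip)}\b", line):
            # The old address no longer exists on the box; anything naming it is dead.
            findings.append((no, "references-old-ip", line))
        if pat_on_iface.match(line):
            # Outbound source silently moves to the new interface IP; translate to
            # an explicit address from the routed block to keep the old one.
            findings.append((no, "pat-uses-interface-ip", line))
        if crypto_bound.match(line):
            # Tunnels terminate on the interface IP, so every peer must be repointed.
            findings.append((no, "vpn-peer-address-changes", line))
    return findings


def migrate(config: str, nameif: str, new_ip: str, new_mask: str,
            gateway: str) -> Tuple[str, List[Finding]]:
    """Return (new_config, findings); reject a next hop that is not on the new link."""
    new_net = ipaddress.ip_network(f"{new_ip}/{new_mask}", strict=False)
    if ipaddress.ip_address(gateway) not in new_net:
        raise ValueError(f"next hop {gateway} is not inside {new_net}")
    lines = config.splitlines()
    ifaces = parse_interfaces(lines)
    if nameif not in ifaces:
        raise ValueError(f"no interface has nameif {nameif}")
    iface = ifaces[nameif]
    default_route = re.compile(rf"^route {re.escape(nameif)} 0\.0\.0\.0 0\.0\.0\.0 \S+")
    new_route = f"route {nameif} 0.0.0.0 0.0.0.0 {gateway} 1"
    out, route_written = [], False
    for idx, line in enumerate(lines):
        if iface.start < idx <= iface.end and line.startswith(" ip address "):
            line = f" ip address {new_ip} {new_mask}"          # step 1: re-address
        elif default_route.match(line):
            if route_written:
                continue                                        # drop duplicate old routes
            line, route_written = new_route, True               # steps 2+3: swap route
        out.append(line)
    if not route_written:
        out.append(new_route)
    new_config = "\n".join(out) + "\n"
    return new_config, audit(new_config, nameif, iface.ip)


if __name__ == "__main__":
    cfg, findings = migrate(OLD_CONFIG, "outside", "71.255.140.22",
                            "255.255.255.252", "71.255.140.21")
    print(cfg)
    for no, tag, line in findings:
        print(f"line {no}: {tag}: {line}")
```

Run it against a copy pulled from the ASA with `copy running-config tftp:`, review the findings, then push the result back as the startup-config as the reply above describes. On the sample it reports two things: the dynamic PAT on `interface` (outbound traffic would now leave as 71.255.140.22; translate to an explicit address in 71.255.136.56/29 if the old source address must stay) and the crypto map bound to outside (every remote peer must be repointed to 71.255.140.22).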
 
blake8 (Author) commented:
Does this look better?

## ASA ##

interface Vlan2
 nameif outside
 security-level 0
 ip address 71.255.140.22 255.255.255.252

object network inside_nets
 subnet 192.168.11.0 255.255.255.0

object network obj-exchange
 host 192.168.11.9

access-list outside_access_in extended permit tcp any object obj-exchange eq https
access-list outside_access_in extended deny ip any any

nat (inside,outside) source dynamic inside_nets interface

object network obj-exchange
 nat (inside,outside) static 71.255.136.56

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 71.255.140.21 1

webvpn
 enable outside

crypto map outside_map interface outside
 
Henk van Achterberg (Sr. Technical Consultant) commented:
Yes it does, this will work; the NAT statements depend on the version of IOS you are running.

I highly recommend you update to IOS version 9 as it appears you are running an older version.
 
blake8 (Author) commented:
IOS 8.4
 
Henk van Achterberg (Sr. Technical Consultant) commented:
Does the config work with the commands I delivered?