• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1181

Add CISCO ASA 5512x firewall

Hello

As per the attached diagram of our network, I need to add the new CISCO ASA 5512x firewall into the network and transfer the firewall and VPN roles from the current CISCO 1941 router to the firewall without any working-hour downtime. I was thinking of putting the firewall behind the router and assigning it a public IP address to start migrating all remote-site VPNs to the firewall.
Questions
How do I assign a public IP address to the firewall?
How are the firewall and packet inspection going to work, as all the traffic needs to go through both the firewall and the router?

I was thinking of assigning a public IP address to a router subinterface and forwarding the traffic for that IP address to the firewall for VPN, but I don't know how the firewall and packet inspection are going to work.
Please help.
Attachment: EE.png

Asked by exorcist84
1 Solution
 
giltjr commented:
Do you have any scheduled down time?

You can't put the firewall behind the router and get public IP addresses to it unless you bridge the connection through the router, which will cause other problems.

My personal opinion is that you install the firewall parallel to the router and migrate slowly from the router to the firewall "function" by "function".

Say the router is NAT'ing for a web server: move that NAT and all the ACLs for that function to the firewall, and update the routing on the web server to point to the firewall's inside address.

exorcist84 (Author) commented:
Thanks for the info
How about I connect ISP -> router -> firewall -> switch -> servers
Assign an additional public IP address to a new subinterface of the router as below

interface GigabitEthernet0/1.2
ip address 203.xxx.xxx.20 255.255.255.248

and then NAT that public IP address to the firewall's private IP address
static (inside, outside) 203.xxx.xxx.20 10.0.0.2 netmask 255.255.255.255
Will that work?
I guess the traffic will hit the firewall, but I don't know how it will route back to the default gateway or get to the other servers in the network.
Can you please clarify?

giltjr commented:
So your ISP's connection is directly into your router?

O.K. that does create a small issue.

What type of hand off does your ISP provide?

exorcist84 (Author) commented:
We got Fiber connection to our router, if that's what you were asking?

giltjr commented:
xDSL, DS3, T1, OCx, or Ethernet?

exorcist84 (Author) commented:
I'm not sure, but it's not Ethernet, so I can't connect the firewall directly to the ISP.
How will the type make a difference? Thanks.

giltjr commented:
If it was ethernet, you could connect the ISP connection to a switch and then put the router and firewall side by side.

Do you have a single IP subnet assigned to you, or is the outside interface of your router on a separate subnet from the public IP addresses assigned to you?

exorcist84 (Author) commented:
it's a separate subnet.  IP address of outside interface of router starts with 120.x.x.x
while public IP addresses subnet starts with 203.x.x.x

giltjr commented:
O.K., that will make this easier, but I still need to think about how to physically and logically set this up so that you can keep using the router and move things over piecemeal.

On the router you have outside (the 120.x.x.x) interface and inside.  Is the inside on private IP address with all of the 203.x.x.x as NAT's in the router?

Or do you actually use the 203.x.x.x on the inside and put the 203.x.x.x on your servers?

exorcist84 (Author) commented:
Thanks for your thoughts

Yes, the inside interface of the router has a private IP address (10.0.0.x), and the 203.x.x.x/29 IP addresses are on NAT and a loopback.

exorcist84 (Author) commented:
Any more thoughts on this bro?

giltjr commented:
Have not forgotten about this. Had a few things come up with my day job. Trying to think about how to do this.

Right now the only thing I can come up with is doing double NAT's which could get confusing.

I'll draw a diagram of what it would look like logically and post sometime tomorrow.

exorcist84 (Author) commented:
hello - Thanks
Things have changed a little. I had an understanding that the fiber was going into our router, but the fiber actually terminates at the ISP device (Cisco ME 3400) and then Ethernet goes into the Cisco 1941 router, which means the following structure is possible

ISP  >> firewall >> router >> switch >> Servers and clients

Sorry - I'm new to networking.

I'm going to work with this new topology in GNS3 and ask you if I get stuck anywhere. Can I have your email address please?

exorcist84 (Author) commented:
my email address is sukhjit.singh84@gmail.com

giltjr commented:
That makes life a LOT easier to put in  a parallel setup.

If you have enough IP addresses in the 120.x.x.x range what I would suggest is

                      /----- ROUTER ----\
ME3400 <---> Switch <                    > Switch <---> Servers
                      \---- FIREWALL ---/


Give the firewall an address in the 120.x.x.x range. You can then have either the router or the firewall do the NAT'ing for the 203.x.x.x addresses.

What you will need to do, though, is as you move the NAT for a server from the router to the firewall, update that server's default route to the firewall's inside interface.

If you don't have addresses in the 120.x.x.x range, there are a few things you can do to have the router or the firewall NAT addresses.

Wish I could give you my e-mail, but EE terms of use prevents it.  If you run into problems just post a question here.  Either I or one of the many other experts will be more than happy to help.
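The parallel setup described in the answer above, written out as an added configuration example; it is not part of the original thread and not the expert's or the author's config. All addresses are assumptions chosen to match the thread's layout: 120.0.0.1, 120.0.0.2 and 120.0.0.3 stand for the ISP gateway, the existing 1941 router and the new ASA on the shared 120.x.x.x switch, 203.0.113.16/29 stands in for the 203.x.x.x/29 block, 10.0.0.0/24 is the inside LAN, and 10.0.0.10 is the first server moved (the web server from the example in the accepted answer). The router's current NAT entry is assumed to be a standard IOS `ip nat inside source static` line, and the ISP is assumed to keep routing the /29 to the router's 120 address, so the router hands each migrated public address to the ASA as a /32 route. The ASA syntax is the 8.3+ object NAT form that a 5512-X ships with, where ACLs reference the real (inside) address rather than the translated one.

```cisco
! --- Cisco ASA 5512-X (ASA 8.3+ object NAT syntax); assumed addresses throughout ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 120.0.0.3 255.255.255.248   ! free address in the ISP-facing 120.x.x.x subnet (assumed)
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0      ! inside address, alongside the router's 10.0.0.1
!
route outside 0.0.0.0 0.0.0.0 120.0.0.1   ! ISP gateway (assumed); replies leave via the ASA, not the router
!
! Anti-spoofing: drop packets on outside whose source address would be routed back out another interface
ip verify reverse-path interface outside
!
! First function moved off the router: the web server's static NAT (real address on the inside)
object network web-server
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.20   ! public address from the 203.x.x.x/29 block (assumed)
!
! Inbound policy: only the published services reach the server; everything else hits the implicit deny
access-list outside_in extended permit tcp any object web-server eq 80
access-list outside_in extended permit tcp any object web-server eq 443
access-group outside_in in interface outside
!
! Outbound PAT for inside hosts without their own public address, used as each host is repointed to the ASA
! (static object NAT above is evaluated before this dynamic rule, so the web server keeps 203.0.113.20)
object network inside-lan
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! --- Cisco 1941 router (IOS), during the migration ---
! Remove the router's own translation for this host (assumed form of the existing NAT line) ...
no ip nat inside source static 10.0.0.10 203.0.113.20
! ... and route its public address to the ASA's outside interface across the shared 120 switch.
! The /32 is more specific than the /29 on the router's loopback, so longest-prefix match sends it to the ASA.
ip route 203.0.113.20 255.255.255.255 120.0.0.3

! --- Web server (10.0.0.10) ---
! Change its default gateway from the router (10.0.0.1) to the ASA inside address (10.0.0.2),
! so return traffic passes the ASA and matches the connection state built on the inbound SYN.
```

Repeat the three steps (ASA object NAT plus ACL, router `no ip nat` plus `/32` route, server gateway) per host, which is what lets the cut-over happen one function at a time with the router still carrying everything not yet moved. Two checks worth doing before each host: `show xlate` and `show conn` on the ASA should show the translation and connections for that host only, and `show ip route 203.0.113.20` on the router should resolve to 120.0.0.3 rather than the loopback. The VPN move is not a NAT move: IKE on the ASA terminates on the ASA's own outside address (120.0.0.3 in this example), so each remote site's peer address is changed to that as its tunnel is rebuilt on the ASA, or the ISP is asked to re-route the whole /29 to the ASA once the last function has left the router.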
