exorcist84
Add CISCO ASA 5512x firewall

Hello

As per the attached diagram of our network, I need to add the new CISCO ASA 5512x firewall into the network and transfer the firewall and VPN roles from the current CISCO 1941 router to the firewall without any working-hour downtime. I was thinking to put the firewall behind the router and assign a public IP address to it to start migrating all remote-site VPNs to the firewall.

Questions:
How do I assign a public IP address to the firewall?
How are the firewall and packet inspection going to work, as all the traffic needs to go through the firewall and the router?

I was thinking to assign a public IP address to a router subinterface and forward the traffic for that IP address to the firewall for VPN, but I don't know how the firewall and packet inspection are going to work.
Please help
EE.png
giltjr

Do you have any scheduled down time?

You can't put the firewall behind the router and get public IP addresses to it unless you bridge the connection through the router, which will cause other problems.

My personal opinion is that you install the firewall parallel to the router and migrate slowly from the router to the firewall "function" by "function".

Say the router is NAT'ing for a web server: move that NAT and all ACLs for that function to the firewall, and update the routing on the web server to point to the firewall's inside address.
exorcist84

ASKER

Thanks for the info.
How about I connect ISP -> router -> firewall -> switch -> servers,
and assign an additional public IP address to a new subinterface of the router as below:

interface GigabitEthernet0/1.2
ip address 203.xxx.xxx.20 255.255.255.248

and then NAT that public IP address to the firewall's private IP address:
static (inside,outside) 203.xxx.xxx.20 10.0.0.2 netmask 255.255.255.255
Will that work?
I guess the traffic will hit the firewall, but I don't know how it will route back to the default gateway or get to the other servers in the network.
Can you please clarify?
So your ISP's connection is directly into your router?

O.K. that does create a small issue.

What type of hand off does your ISP provide?
We got a fiber connection to our router, if that's what you were asking.
xDSL, DS3, T1, OCx, or Ethernet?
I'm not sure, but it's not Ethernet, so I can't connect the firewall directly into the ISP.
How will the type make a difference? Thanks
If it was ethernet, you could connect the ISP connection to a switch and then put the router and firewall side by side.

Do you have a single IP subnet assigned to you, or is the outside interface of your router on a separate subnet from the public IP addresses assigned to you?
It's a separate subnet. The IP address of the outside interface of the router starts with 120.x.x.x,
while the public IP address subnet starts with 203.x.x.x.
O.K., that will make this easier, but I still need to think about how to physically and logically set this up so that you can use the router and move things over piecemeal.

On the router you have the outside (the 120.x.x.x) interface and the inside. Is the inside on private IP addresses, with all of the 203.x.x.x as NATs in the router?

Or do you actually use the 203.x.x.x on the inside and put the 203.x.x.x on your servers?
Thanks for your thoughts.

Yes, the inside interface of the router has a private IP address 10.0.0.x, and the 203.x.x.x/29 IP addresses are on NAT and loopback.
Any more thoughts on this, bro?
ASKER CERTIFIED SOLUTION
giltjr
Hello, thanks.
Things have changed a little. I had an understanding that the fiber goes into our router, but the fiber is actually terminating at the ISP device (Cisco ME 3400), and then Ethernet goes into the Cisco 1941 router, which means the following structure is possible:

ISP >> firewall >> router >> switch >> servers and clients

Sorry, I'm new to networking.

I'm going to work with this new topology in GNS3 and ask you if I get stuck anywhere. Can I have your email address please?
My email address is sukhjit.singh84@gmail.com
That makes life a LOT easier to put in a parallel setup.

If you have enough IP addresses in the 120.x.x.x range, what I would suggest is:

                                             /----- ROUTER -- \
ME3400 <---> Switch <                                     > Switch <---> Servers
                                             \---- FIREWALL---/


Give the firewall an address in the 120.x.x.x range. You can then have the router or the firewall do NAT'ing for the 203.x.x.x addresses.

What you will need to do, though, as you move the NAT for a server from the router to the firewall, is update that server's default route to the firewall's inside interface.

If you don't have addresses in the 120.x.x.x range, there are a few things you can do to have the router or the firewall NAT addresses.

Wish I could give you my e-mail, but EE's terms of use prevent it. If you run into problems, just post a question here. Either I or one of the many other experts will be more than happy to help.
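As an added illustration of the per-server migration step described in the parallel layout above (example configuration written for this page, not from giltjr's answer or the asker's network), here is what the ASA side looks like for one server whose static NAT moves off the 1941. It assumes ASA 8.6+ object NAT on the 5512-X, the constructed placeholder ranges 120.0.0.0/29 (standing in for the real 120.x.x.x segment) and 203.0.113.0/29 (for the real 203.x.x.x/29 block), and that the ISP forwards the 203 block toward the firewall's 120 address once the server is moved.

```cisco
! Added example, not from the thread. Firewall sits in parallel with the 1941;
! all addresses below are constructed placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 120.0.0.3 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!
! Default route toward the ISP side (placeholder gateway .1 on the 120 segment).
route outside 0.0.0.0 0.0.0.0 120.0.0.1 1
!
! The one server being migrated in this step (real, untranslated address).
object network WEB_SERVER
 host 10.0.0.10
 description migrated from 1941 static NAT
!
! The static NAT that used to live on the router, in post-8.3 object NAT form
! (the older "static (inside,outside) ..." syntax does not exist on 8.6+).
! Remove the matching "ip nat inside source static" from the 1941 first so
! only one device answers for 203.0.113.20.
object network WEB_SERVER
 nat (inside,outside) static 203.0.113.20
!
! Only the published service is permitted inbound; post-8.3 ACLs reference the
! real address (the object), and the implicit deny drops everything else.
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq www
access-group OUTSIDE_IN in interface outside
!
! On the server itself (not the ASA): change its default gateway from the
! router's inside address to 10.0.0.2 so return traffic leaves via the ASA,
! then verify the translation and the inbound path from the ASA:
!   show nat detail
!   packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.20 80
```

Repeat the object, NAT and ACL lines for each server as it is moved, removing the router's NAT and ACL entries for that address at the same time so the two devices never both claim the same public IP.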