Solved

Add CISCO ASA 5512x firewall

Posted on 2013-12-02
Last Modified: 2013-12-05
Hello

As per the attached diagram of our network, I need to add the new CISCO ASA 5512x firewall into the network and transfer the firewall and VPN roles from the current CISCO 1941 router to the firewall without any working-hour downtime. I was thinking of putting the firewall behind the router and assigning it a public IP address to start migrating all remote-site VPNs to the firewall.
Question
How do I assign a public IP address to the firewall?
How are the firewall and packet inspection going to work, as all the traffic needs to go through both the firewall and the router?

I was thinking of assigning a public IP address to a router subinterface and forwarding the traffic for that IP address to the firewall for VPN, but I don't know how the firewall and packet inspection are going to work.
Please help
EE.png
Question by:exorcist84
15 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39693091
Do you have any scheduled down time?

You can't put the firewall behind the router and get public IP addresses to it unless you bridge the connection through the router, which will cause other problems.

My personal opinion is that you install the firewall parallel to the router and migrate slowly from the router to the firewall "function" by "function".

Say the router is NAT'ing for the web server: move that NAT and all ACLs for that function to the firewall, and update the routing on the web server to point to the firewall's inside address.
 

Author Comment

by:exorcist84
ID: 39694177
Thanks for the info
How about I connect ISP -> router -> firewall -> switch -> servers?
Assign an additional public IP address to a new subinterface of the router as below:

interface GigabitEthernet0/1.2
ip address 203.xxx.xxx.20 255.255.255.248

and then NAT that public IP address to the firewall's private IP address:
static (inside,outside) 203.xxx.xxx.20 10.0.0.2 netmask 255.255.255.255
Will that work?
I guess the traffic will hit the firewall, but I don't know how it will route back to the default gateway or get to other servers in the network.
Can you please clarify?
 
LVL 57

Expert Comment

by:giltjr
ID: 39694219
So your ISP's connection is directly into your router?

O.K. that does create a small issue.

What type of hand off does your ISP provide?
 

Author Comment

by:exorcist84
ID: 39694255
We got a fiber connection to our router, if that's what you were asking.
 
LVL 57

Expert Comment

by:giltjr
ID: 39694267
xDSL, DS3, T1, OCx, or Ethernet?
 

Author Comment

by:exorcist84
ID: 39694334
I'm not sure, but it's not Ethernet, so I can't connect the firewall directly to the ISP.
How will the type make a difference? Thanks.
 
LVL 57

Expert Comment

by:giltjr
ID: 39694354
If it was Ethernet, you could connect the ISP connection to a switch and then put the router and firewall side by side.

Do you have a single IP subnet assigned to you, or is the outside interface of your router on a separate subnet from the public IP addresses assigned to you?

Author Comment

by:exorcist84
ID: 39694361
It's a separate subnet. The IP address of the router's outside interface starts with 120.x.x.x,
while the public IP address subnet starts with 203.x.x.x.
 
LVL 57

Expert Comment

by:giltjr
ID: 39694384
O.K., that will make this easier, but I still need to think about how to physically and logically set this up so that you can use the router and move things over piecemeal.

On the router you have the outside (the 120.x.x.x) interface and the inside. Is the inside on a private IP address, with all of the 203.x.x.x as NATs in the router?

Or do you actually use the 203.x.x.x on the inside and put the 203.x.x.x on your servers?
 

Author Comment

by:exorcist84
ID: 39694430
Thanks for your thoughts

Yes, the inside interface of the router has a private IP address, 10.0.0.x, and the 203.x.x.x/29 IP addresses are on NAT and a loopback.
 

Author Comment

by:exorcist84
ID: 39694616
Any more thoughts on this bro?
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 39698121
Have not forgotten about this. Had a few things come up with my day job. Trying to think about how to do this.

Right now the only thing I can come up with is doing double NATs, which could get confusing.

I'll draw a diagram of what it would look like logically and post it sometime tomorrow.
 

Author Comment

by:exorcist84
ID: 39699692
Hello - Thanks
Things have changed a little. I had the understanding that the fiber was going into our router, but the fiber actually terminates at the ISP device (Cisco ME 3400) and then Ethernet goes into the Cisco 1941 router, which means the following structure is possible:

ISP  >> firewall >> router >> switch >> Servers and clients

Sorry - I'm new to networking.

I'm gonna work with this new topology in GNS3 and ask you if I get stuck anywhere. Can I have your email address please?
 

Author Comment

by:exorcist84
ID: 39699836
my email address is sukhjit.singh84@gmail.com
 
LVL 57

Expert Comment

by:giltjr
ID: 39699979
That makes life a LOT easier to put in a parallel setup.

If you have enough IP addresses in the 120.x.x.x range, what I would suggest is:

                     /----- ROUTER ----\
ME3400 <---> Switch <                   > Switch <---> Servers
                     \---- FIREWALL ---/


Give the firewall an address in the 120.x.x.x range. You can then have the router or the firewall do the NAT'ing for the 203.x.x.x addresses.

What you will need to do, though, is as you move the NAT for a server from the router to the firewall, update that server's default route to the firewall's inside interface.

If you don't have addresses in the 120.x.x.x range, there are a few things you can do to have the router or the firewall NAT addresses.

Wish I could give you my e-mail, but EE terms of use prevent it. If you run into problems just post a question here. Either I or one of the many other experts will be more than happy to help.
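The parallel layout described in the accepted solution, worked through as an added configuration example; this is editor-supplied illustration, not the expert's text or a Cisco reference configuration. Every address is a constructed placeholder: 120.0.0.0/29 stands in for the ISP-facing 120.x.x.x segment (120.0.0.1 assumed to be the ISP gateway, 120.0.0.2 the existing 1941, 120.0.0.3 the new ASA), 203.0.113.0/29 for the 203.x.x.x/29 public block, 10.0.0.0/24 for the inside network, and 10.0.0.10 for one web server being moved first. The NAT syntax is the ASA 8.3+ object form, which is what a 5512-X runs; the `static (inside,outside)` form quoted earlier in the thread is the pre-8.3 syntax and is not accepted on this platform.

```cisco
! ---- ASA 5512-X, sitting beside the Cisco 1941 on the ISP-side switch ----
! Constructed example addresses; substitute the real 120.x.x.x / 203.x.x.x values.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 120.0.0.3 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!
! Default route toward the ISP gateway on the 120.x.x.x segment (assumed 120.0.0.1).
route outside 0.0.0.0 0.0.0.0 120.0.0.1
!
! Migrating the first server: the ASA now owns the 203.x.x.x translation for it.
! The matching static NAT must be removed from the 1941 at the same time, otherwise
! two devices answer for the same public address on the shared 120 segment.
object network web-server
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.20
!
! Since 8.3 the outside ACL matches the real (post-untranslation) inside address,
! so the rule references the object, not 203.0.113.20. Only the published port is
! permitted; everything else is denied and logged so the migration can be watched.
access-list outside_in extended permit tcp any object web-server eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! ---- Cisco 1941 (IOS), same migration step ----
! The 1941's existing NAT statement for this server is assumed to look like the
! line below; it is removed so the router stops translating 203.0.113.20.
no ip nat inside source static 10.0.0.10 203.0.113.20
!
! Unless the ISP already routes the 203 block to the ASA, traffic for 203.0.113.20
! still arrives at the router's 120 address. A host route hands that one address
! back out to the ASA's outside interface; the rest of the /29 keeps using the router.
ip route 203.0.113.20 255.255.255.255 120.0.0.3
!
! ---- On the server being moved ----
! Default gateway changes from the 1941 inside address to 10.0.0.2 (ASA inside).
! A stateful firewall drops replies for sessions it never saw, so inbound and
! return paths must both pass through the ASA; leaving the gateway on the router
! produces asymmetric routing and connections that open but never complete.
```

Repeat the object/NAT/ACL trio, the `no ip nat` removal, the host route and the gateway change for each 203.x.x.x address as it moves, verifying with `show xlate` and `show conn` on the ASA that sessions are being built before touching the next one. Once the last service has moved, the per-host routes on the 1941 collapse to a single route for the whole 203 block toward 120.0.0.3 (or the ISP reroutes the block), and the router's NAT configuration can be retired.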
