Solved

Add CISCO ASA 5512x firewall

Posted on 2013-12-02
Last Modified: 2013-12-05
Hello

As per the attached diagram of our network, I need to add the new CISCO ASA 5512x firewall into the network and transfer the firewall and VPN roles from the current CISCO 1941 router to the firewall without any working-hour downtime. I was thinking of putting the firewall behind the router and assigning it a public IP address to start migrating all remote-site VPNs to the firewall.
Question
How do I assign a public IP address to the firewall?
How are the firewall and packet inspection going to work, as all the traffic needs to go through both the firewall and the router?

I was thinking of assigning a public IP address to a router subinterface and forwarding the traffic for that IP address to the firewall for VPN, but I don't know how the firewall and packet inspection are going to work.
Please help
Attachment: EE.png
Question by:exorcist84
15 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 39693091
Do you have any scheduled down time?

You can't put the firewall behind the router and get public IP addresses to it unless you bridge the connection through the router, which will cause other problems.

My personal opinion is that you install the firewall parallel to the router and migrate slowly from the router to the firewall "function" by "function".

Say the router is NAT'ing for a web server: move that NAT and all ACLs for that function to the firewall, and update the routing on the web server to point to the firewall's inside address.
 

Author Comment

by:exorcist84
ID: 39694177
Thanks for the info.
How about I connect ISP -> router -> firewall -> switch -> servers
and assign an additional public IP address to a new subinterface of the router as below:

interface GigabitEthernet0/1.2
ip address 203.xxx.xxx.20 255.255.255.248

and then NAT that public IP address to the firewall's private IP address:
static (inside,outside) 203.xxx.xxx.20 10.0.0.2 netmask 255.255.255.255
Will that work?
I guess the traffic will hit the firewall, but I don't know how it will route back to the default gateway or get to the other servers in the network.
Can you please clarify?
 
LVL 57

Expert Comment

by:giltjr
ID: 39694219
So your ISP's connection is directly into your router?

O.K. that does create a small issue.

What type of hand off does your ISP provide?
 

Author Comment

by:exorcist84
ID: 39694255
We have a fiber connection to our router, if that's what you were asking?
 
LVL 57

Expert Comment

by:giltjr
ID: 39694267
xDSL, DS3, T1, OCx, or Ethernet?
 

Author Comment

by:exorcist84
ID: 39694334
I'm not sure, but it's not Ethernet, so I can't connect the firewall directly to the ISP.
How will the type make a difference? Thanks
 
LVL 57

Expert Comment

by:giltjr
ID: 39694354
If it was Ethernet, you could connect the ISP connection to a switch and then put the router and firewall side by side.

Do you have a single IP subnet assigned to you, or is the outside interface of your router on a separate subnet from the public IP addresses assigned to you?
 

Author Comment

by:exorcist84
ID: 39694361
It's a separate subnet. The IP address of the outside interface of the router starts with 120.x.x.x,
while the public IP address subnet starts with 203.x.x.x.
 
LVL 57

Expert Comment

by:giltjr
ID: 39694384
O.K., that will make this easier, but I still need to think about how to physically and logically set this up so that you can use the router and move things over piecemeal.

On the router you have the outside (the 120.x.x.x) interface and the inside. Is the inside on a private IP address, with all of the 203.x.x.x as NATs in the router?

Or do you actually use the 203.x.x.x on the inside and put the 203.x.x.x on your servers?
 

Author Comment

by:exorcist84
ID: 39694430
Thanks for your thoughts.

Yes, the inside interface of the router has a private IP address, 10.0.0.x, and the 203.x.x.x/29 IP addresses are on NAT and loopback.
 

Author Comment

by:exorcist84
ID: 39694616
Any more thoughts on this, bro?
 
LVL 57

Accepted Solution

by: giltjr (earned 500 total points)
ID: 39698121
Have not forgotten about this. Had a few things come up with my day job. Trying to think about how to do this.

Right now the only thing I can come up with is doing double NATs, which could get confusing.

I'll draw a diagram of what it would look like logically and post it sometime tomorrow.
 

Author Comment

by:exorcist84
ID: 39699692
Hello - Thanks
Things have changed a little. I had the understanding that the fiber goes into our router, but the fiber is actually terminating at an ISP device (Cisco ME 3400) and then Ethernet goes into the Cisco 1941 router, which means the following structure is possible:

ISP >> firewall >> router >> switch >> servers and clients

Sorry - I'm new to networking.

I'm going to work with this new topology in GNS3 and ask you if I get stuck anywhere. Can I have your email address please?
 

Author Comment

by:exorcist84
ID: 39699836
My email address is sukhjit.singh84@gmail.com
 
LVL 57

Expert Comment

by:giltjr
ID: 39699979
That makes life a LOT easier to put in a parallel setup.

If you have enough IP addresses in the 120.x.x.x range, what I would suggest is:

                                             /----- ROUTER -- \
ME3400 <---> Switch <                                     > Switch <---> Servers
                                             \---- FIREWALL---/


Give the firewall an address in the 120.x.x.x range. You can then have the router or the firewall do NAT'ing for the 203.x.x.x addresses.

What you will need to do, though, as you move the NAT for a server from the router to the firewall, is update that server's default route to the firewall's inside interface.

If you don't have addresses in the 120.x.x.x range, there are a few things you can do to have the router or the firewall NAT addresses.

Wish I could give you my e-mail, but EE terms of use prevent it. If you run into problems, just post a question here. Either I or one of the many other experts will be more than happy to help.
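One way to configure the parallel setup giltjr describes, as an added example that is not from the thread or from Cisco's own documentation: the router keeps receiving the routed 203.x.x.x/29 block from the ISP and hands one migrated address to the ASA, which NATs it and exposes only the published service. All addresses are constructed placeholders (198.51.100.0/29 stands in for the 120.x.x.x ISP-facing subnet, 203.0.113.0/29 for the 203.x.x.x/29 block, 10.0.0.0/24 for the inside LAN); the router's original NAT line and the host route toward the ASA are assumptions, and the ASA part uses object NAT because the 5512-X runs ASA software 8.6 or later, where the pre-8.3 "static (inside,outside)" command seen earlier in the thread is no longer accepted.

```cisco
! Added example (not from the thread). Placeholders: 198.51.100.0/29 = ISP-facing
! "120.x.x.x" subnet, 203.0.113.0/29 = the NAT'd "203.x.x.x/29" block,
! 10.0.0.0/24 = inside LAN. Router outside = .2, ASA outside = .3, ISP gw = .1.
!
! --- Cisco 1941 (IOS): release the migrated address and forward it to the ASA ---
! Assumption: the router previously NATed this server with the line below.
no ip nat inside source static 10.0.0.10 203.0.113.20
! The ISP still routes the whole /29 to the router, so a host route sends just
! the migrated address to the ASA's outside address (assumed 198.51.100.3).
ip route 203.0.113.20 255.255.255.255 198.51.100.3
!
! --- ASA 5512-X (ASA 8.6+ / 9.x object NAT syntax) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.3 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!
! Default route toward the ISP gateway on the shared outside switch (assumed .1).
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
! One server moved over: static NAT 203.0.113.20 <-> 10.0.0.10 (one object per
! server lets the remaining servers stay on the router until each is migrated).
object network WEB-SERVER
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.20
!
! Outside-to-inside is denied by default (security-level 0 -> 100); permit only
! the published service. Post-8.3 ACLs reference the real (inside) address.
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE_IN in interface outside
!
! Finally, per the accepted answer, change only this server's default gateway to
! the ASA inside address (10.0.0.2) so its replies leave through the ASA.
```

Repeat the router route, ASA object and gateway change per server; nothing else on the router changes until its last NAT has moved.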