exorcist84
asked on
Add CISCO ASA 5512x firewall
Hello
As per the attached diagram of our network, I need to add the new CISCO ASA 5512x firewall into the network and transfer the firewall and VPN roles from the current CISCO 1941 router to the firewall without any working-hour downtime. I was thinking of putting the firewall behind the router and assigning it a public IP address to start migrating all remote sites' VPNs to the firewall.
Question
How do I assign a public IP address to the firewall?
How are the firewall and packet inspection going to work, as all the traffic needs to go through the firewall and the router?
I was thinking of assigning the public IP address to a router subinterface and forwarding the traffic for that IP address to the firewall for VPN, but I don't know how the firewall and packet inspection are going to work.
Please help
EE.png
ASKER
Thanks for the info
How about I connect ISP -> router -> firewall -> switch -> servers
and assign an additional public IP address to a new subinterface of the router as below:
interface GigabitEthernet0/1.2
ip address 203.xxx.xxx.20 255.255.255.248
and then NAT that public IP address to the firewall's private IP address:
static (inside, outside) 203.xxx.xxx.20 10.0.0.2 netmask 255.255.255.255
Will that work?
I guess the traffic will hit the firewall, but I don't know how it will route back to the default gateway or get to the other servers in the network.
Can you please clarify?
So your ISP's connection is directly into your router?
O.K., that does create a small issue.
What type of hand-off does your ISP provide?
ASKER
We have a fiber connection to our router, if that's what you were asking?
xDSL, DS3, T1, OCx, or Ethernet?
ASKER
I'm not sure, but it's not Ethernet, so I can't connect the firewall directly to the ISP.
How will the type make a difference? Thanks
If it was ethernet, you could connect the ISP connection to a switch and then put the router and firewall side by side.
Do you have a single IP subnet assigned to you, or is the outside interface of your router on a separate subnet from the public IP addresses assigned to you?
ASKER
It's a separate subnet. The IP address of the router's outside interface starts with 120.x.x.x,
while the public IP address subnet starts with 203.x.x.x.
O.K., that will make this easier, but I still need to think about how to physically and logically set this up so that you can use the router and move things over piecemeal.
On the router you have the outside (the 120.x.x.x) interface and the inside. Is the inside on a private IP address range with all of the 203.x.x.x as NATs in the router?
Or do you actually use the 203.x.x.x on the inside and put the 203.x.x.x addresses on your servers?
ASKER
Thanks for your thoughts
Yes, the inside interface of the router has a private IP address in 10.0.0.x, and the 203.x.x.x/29 IP addresses are on NAT and loopback.
ASKER
Any more thoughts on this bro?
ASKER CERTIFIED SOLUTION
ASKER
Hello, thanks.
Things have changed a little. I had the understanding that the fiber goes into our router, but the fiber actually terminates at an ISP device (Cisco ME 3400) and then Ethernet goes into the Cisco 1941 router, which means the following structure is possible:
ISP >> firewall >> router >> switch >> servers and clients
Sorry, I'm new to networking.
I'm going to work with this new topology in GNS3 and ask you if I get stuck anywhere. Can I have your email address please?
ASKER
my email address is sukhjit.singh84@gmail.com
That makes life a LOT easier to put in a parallel setup.
If you have enough IP addresses in the 120.x.x.x range, what I would suggest is:
            /----- ROUTER -----\
ME3400 <---> Switch <         > Switch <---> Servers
            \---- FIREWALL ---/
Give the firewall an address in the 120.x.x.x range. You can then have either the router or the firewall do the NATing for the 203.x.x.x addresses.
What you will need to do, though, is update each server's default route to the firewall's inside interface as you move that server's NAT from the router to the firewall.
If you don't have addresses in the 120.x.x.x range, there are a few things you can do to have the router or the firewall NAT the addresses.
Wish I could give you my e-mail, but EE's terms of use prevent it. If you run into problems, just post a question here. Either I or one of the many other experts will be more than happy to help.
You can't put the firewall behind the router and get public IP addresses to it unless you bridge the connection through the router, which will cause other problems.
My personal opinion is that you install the firewall parallel to the router and migrate slowly from the router to the firewall, "function" by "function".
Say the router is NATing for the web server: move that NAT and all the ACLs for that function to the firewall, then update the routing on the web server to point to the firewall's inside address.
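A worked cut-over of one function (the web server's static NAT) on the parallel topology suggested above, written as an added example rather than configuration from the thread or from Cisco; the addresses, interface numbers and object names (120.0.0.0/24 as the ISP hand-off segment, 10.0.0.254 as the firewall's inside address, 203.0.113.20 for the server's public address, WEB-SERVER, OUTSIDE-IN) are assumptions standing in for the masked values in the thread.

```cisco
! --- ASA 5512-X (9.x syntax), sitting next to the existing 1941 ---
! Assumed addressing: ISP gateway 120.0.0.1, router outside 120.0.0.2,
! firewall outside 120.0.0.3; inside LAN 10.0.0.0/24 with router inside
! 10.0.0.1, firewall inside 10.0.0.254, web server 10.0.0.2.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 120.0.0.3 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 120.0.0.1
!
! Function 1: the web server's static NAT, now owned by the firewall
object network WEB-SERVER
 host 10.0.0.2
 nat (inside,outside) static 203.0.113.20
! Only the ports the server actually publishes; the ASA drops
! everything else arriving on the outside interface by default
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq https
access-group OUTSIDE-IN in interface outside
!
! --- On the 1941, the matching step of the same cut-over: withdraw the
! router's translation so both devices never claim 203.0.113.20 at once
! (the original IOS statement is assumed to look like this)
no ip nat inside source static 10.0.0.2 203.0.113.20
!
! --- On the web server: change the default gateway from 10.0.0.1 (router)
! to 10.0.0.254 (firewall). If it is left on the router, replies bypass the
! ASA, which never sees the SYN/ACK and drops the half-seen TCP connections.
```

The ISP still has to deliver 203.0.113.20 to the firewall's outside address: if the provider routes the whole 203.x.x.x/29 at the router's 120.x.x.x address, the router needs a /32 route for that one address toward 120.0.0.3 until the provider's next-hop is changed.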