Cisco: Route Ethernet Hand Off to Router..Assign Public IP to FW and Route outgoing internet traffic to ISP

The image attached displays the questions in detail.  I have been assigned a public IP gateway address from the service provider, so it leaves me to assign the connected interface the next octet.  Right?  That puts the router online and next is the connection to the firewall.  A point-to-point was established between the two so I can manage the router and use the link to route traffic through.  Is there a way to pass INTERNET traffic to the ASA so I can assign a public IP on the firewall?  Then how to route the necessary traffic to provide internet access to the internal networks?


Description of the desired needs

You need a layer 2 connection to the ISP.  Trunk the external router interface through to the ASA, or connect the ISP directly to an interface on the ASA.

Alternately, perform your NAT operations on the edge router.  Often this will result in traffic being "double NAT'd".  Some folks don't like that, but it will work.

I've implemented it both ways.
xstream62Author Commented:
I have no more available ports on the ASA.  Four ports are taken by two port-channels, two ports per port-channel.

The 4451-X router has some weird command variations of layer 2.  So I am not sure exactly how to go about creating a trunk connection between router and ASA, if I could make room for a connection on the ASA.  Following are two commands relating to layer 2 I found on the switch.  Which one would work?

    interface GigabitEthernet0/0/1
     service instance 1 ethernet
      encapsulation dot1q 14

or a command like this

    interface GigabitEthernet0/0/1
     no ip address
     vlan-id dot1q 14
Traditionally, you'd make it an access-layer port on VLAN 14, and either trunk the internal interface to your internal switch or make that one an access-layer VLAN port, too.

    interface G0/0/1
     switchport mode access
     switchport access vlan 14

xstream62Author Commented:
The router does not have switchport options.
Sorry, it pulled up an IOS command reference when I searched for the 4451-x.  Weird.

Looking through the configuration examples, I don't see a way to accomplish this using the 4451-x ISR.  

I would check with Cisco TAC, though, in case I'm wrong.
xstream62Author Commented:
No other alternative to do this with a layer 3?  Or to establish routes somehow through the /30 point-to-point between the router and switch?
You could possibly set it up with the ISP to have a different /30 to their equipment, and then have the /27 routed to you.  I've done that, but I don't recommend it.  The problem is that the ISP is forever thinking that the /27 is unassigned and then it's given to some other customer and you have to fight to get it back.  I've had two or three customers try it that way and that's what's happened in every case.

The ISR is just not a good fit for what you're trying to do, IMO.

xstream62Author Commented:
Maybe I'm a bit confused, but to clarify: the ISP issued a /27.
I configured the router with the /27 and the /30 assigned based on our available subnets.  The /27 would never mistakenly be assigned because it's our public IP block.
I was discussing a new /30 using public addresses.  Use that for the link between your router and the ISP's.  Then they route the /27 to your router.
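The design described above (a public /30 on the ISP link, the /27 routed to the router, and the ASA holding a public address from that /27 for NAT), written out as an added example; this is not configuration from the thread, and the addresses are constructed from documentation ranges, the dot1Q 110 handoff is taken from the ISP detail mentioned later in the thread, and interface names, the VLAN 14 subinterface on the ASA port-channel and the inside prefix are assumptions:

```cisco
! ---- Edge router (ISR 4451-X, IOS-XE) ----
! Constructed addressing (assumption):
!   ISP /30 link : 198.51.100.0/30  (ISP .1, router .2)
!   Routed /27   : 203.0.113.0/27   (router .1 toward VLAN 14 / ASA)
interface GigabitEthernet0/0/0
 description Uplink to ISP (tagged handoff, VLAN 110)
 no ip address
!
interface GigabitEthernet0/0/0.110
 encapsulation dot1Q 110
 ip address 198.51.100.2 255.255.255.252
 ! drop packets whose source is not reachable back out this interface
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/0/1
 description To 6500 VLAN 14 (ASA New_Internet side)
 ip address 203.0.113.1 255.255.255.224
 no ip proxy-arp
!
! The ISP routes 203.0.113.0/27 to 198.51.100.2; we only need a default.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! ---- ASA ----
! Public address from the routed /27 on a VLAN 14 subinterface of the
! existing port-channel (assumption: Port-channel1 carries VLAN 14).
interface Port-channel1.14
 vlan 14
 nameif New_Internet
 security-level 0
 ip address 203.0.113.2 255.255.255.224
!
! Default route toward the edge router's /27 address.
route New_Internet 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! PAT internal hosts behind the New_Internet interface address
! (assumed internal prefix 10.10.0.0/16).
object network INSIDE_NET
 subnet 10.10.0.0 255.255.0.0
 nat (internal,New_Internet) dynamic interface
```

Checks after applying: from the router, `ping 198.51.100.1` confirms the /30 link, and `show ip cef 203.0.113.2` on the router plus `show route` on the ASA confirm the /27 is reachable in both directions before any servers are moved.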
xstream62Author Commented:
I sent an email to one of the representatives.  I doubt they will, so moving on.    They are using the line "encapsulation dot1Q 110" on the interface that connects to my router.  Not sure if I could take that somehow to continue trunking?

Earlier you mentioned the idea of connecting the ISP directly to the firewall.  Then when would the router come into play... wouldn't/shouldn't it still be needed?  Since I do not have enough interfaces on the ASA, I created a VLAN on the 6500 with the public IP, then connected the ISP to an interface in VLAN 14.   Assigned the firewall a public IP address and added a NAT translation (internal, New_Internet).  So now I have two public IPs assigned to the firewall.  Not sure though how to tell traffic in the DMZ VLAN with IP /27 (new ISP public block) to route through the /27 and not the /24 (old ISP public IP block).

Current connection; limited time, need to gradually move servers from one ISP to the new ISP IP block.
xstream62Author Commented:
I much appreciated your fast response (up to the point of the last comment I had). lol
Your recommendation for the provider to supply a /30 and route the public IP to my router was a success!  They made the changes without having to twist an arm.  Therefore I am now able to assign the interface on the router connected to the switch a public IP address (rather than the public IP assigned to the interface connected to the ISP).
Please see my other questions --- route issue.  It would be great, with your knowledge, to hear your feedback.
xstream62Author Commented:
I much appreciated your fast response (up to the point of the last comment I had). lol
In similar terms, your recommendation for the provider to supply a /30 private route to the public IP to my router was a success!