Cisco: Route Ethernet Hand Off to Router..Assign Public IP to FW and Route outgoing internet traffic to ISP

You need a layer 2 connection to the ISP.  Trunk the external router interface through to the ASA, or connect the ISP directly to an interface on the ASA.

Alternately, perform your NAT operations on the edge router.  Often this will result in traffic being "double NAT'd".  Some folks don't like that, but it will work.

I've implemented it both ways.

I have no more available ports on the ASA.  Four ports are taken by two port-channels, two ports per port-channel.

The 4451-X router has some weird command variations of layer 2.  So I am not sure exactly how to go about creating a trunk connection between router and ASA, if I could make room for a connection on the ASA.  Following are two commands relating to layer 2 I found on the switch.  Which one would work?

Traditionally, you'd make it an access-layer port on VLAN 14, and either trunk the internal interface to your internal switch or make that one an access-layer VLAN port, too.

interface G0/0/1
switchport mode access
swithport access vlan 14

The router does not have switchport options

Sorry, it pulled up an IOS command reference when I searched for the 4451-x.  Weird.



Looking through the configuration examples, I don't see a way to accomplish this using the 4451-x ISR.  

I would check with Cisco TAC, though, in case I'm wrong.

No other alternative to do this with a layer 3?  Or to establish routes some how through the /30 point to point between the router and switch?

Maybe I'm a bit confused but to clarify, The ISP issued /27
I configured the router with the /27 and the /30 assigned based on our available subnets.  /27 would never mistakenly be assigned because its our public IP block.

I was discussing a new /30 using public addresses.  Use that for the link between your router and the ISP's.  Then they route the /27 to your router.

I sent an email to one of the representative.  I doubt they will so moving on.    They are using line "encapsulation dot1Q 110" on the interface that connects to my router.  Not sure if I could take that somehow to continue trunking?  

Earlier you mentioned the idea of connecting the ISP directly to firewall.  Then when would the router come to play... wouldn't/should it still be needed?  Since I do not have enough interfaces on the ASA I created a VLAN on 6500 with the public IP then connected the ISP to an interface in VLAN14.   Assigned the firewall a public IP address and added NAT translation (internal, New_Internet).  So now I have two public IPs assigned to the firewall.  Not sure though how to tell traffic in the DMZ vlan with IP /27 (new ISP public block), route through /27 and not /24 (old ISP public ip block)

I much appreciated your fast response (up to the point of the last comment I had). lol
Your recommendation for the provider to supply a /30 route the public IP to my router was a success!  They made the changes without having to twist an arm.  Therefore I am now able to assign the interface on the router connected to the switch a public IP address (rather than public IP assigned to the interface connected to the ISP.)  
Please see my other questions --- route issue.  It would be great, with your knowledge, to hear your feedback.

I much appreciated your fast response (up to the point of the last comment I had). lol
In a similar term, your recommendation for the provider to supply a /30 private route to the public IP to my router was a success!