Wasn't too sure where to post this, but I guess it is a WAN/Routing question so hopefully this forum is ok.
I would like someone to explain the configuration concepts of the following scenario if possible...
I currently have an 1841 router with load balanced ADSL lines. I am doing all the NATs and ACLs on this router. I have allocated a NAT pool of my public addresses and just do the mapping and ACL as required.
I would now like to add an ASA 5505 so that I can provide IPSEC VPN access. As the ASA is a firewall as well, I thought it might be an idea to configure it to do the ACL rather than the 1841.
The questions I have are:
I am guessing I would need to get rid of the NATs on the 1841 and reconfigure them on the ASA. Do I then just assign one public IP to the 1841 FE0/0 and then a 2nd public IP on the outside ASA interface? I can then just do all the NATs on the ASA with a NAT pool on it?
Will the 1841 just act as a true router, basically forwarding all packets received to the ASA, or should I double up and do some ACL checks on it as well?
Any assistance is greatly appreciated - I hope I have explained myself correctly ;)
In the diagram you have a good logical/physical layout. This scenario is completely feasible: you would let all traffic inbound from the router, besides implementing basic ACL filtering at your edge. The 1841 router can do the basic filtering listed in the link below, but I do not believe it will be overkill as you are just letting traffic through; for example IPsec encryption, L2L VPN, or IPsec for that matter, is handled and processed by the firewall. But you could start gathering some basic information from the 1841 on its performance to establish a baseline prior to the network changes: take notes of the 1841 CPU utilization as well as all of its interfaces. This way you can have a feeling of your current edge performance to compare with after the changes.
Filtering at the edge Transit ACLs
As far as accessing a host from public to DMZ, it should not be a problem as long as there is a static NAT in the ASA firewall with ACLs allowing traffic, e.g. static (dmz,outside) tcp interface 80 localIP_ip 80 netmask 255.255.255.255 for http etc. Furthermore you could do port forwarding using the ASA outside interface IP address and forward TCP ports to different local destination IPs.
Overall I think you have the design well. If in future you consider implementing a redundant ISP as a backup solution using the ASA, there is a good link you can reference below for future reference.
Just in case you were not aware, when buying the ASA you will need the Security Plus license to have DMZ support.
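As an added illustration (not part of the thread, and not a configuration from either poster), this is what the reply's static NAT plus ACL concept looks like in pre-8.3 ASA 5505 syntax, with the 1841 acting only as the upstream router. All addresses are assumed and taken from the documentation ranges; the web server 172.16.1.10 and the VLAN/port assignments are placeholders.

```text
! ASA 5505, pre-8.3 NAT syntax (same form as the "static (dmz,outside)" line above)
! Assumed addressing (constructed for this example):
!   outside 203.0.113.2/29 -- the 1841 FE0/0 is 203.0.113.1 on the same subnet
!   inside  192.168.1.0/24, dmz 172.16.1.0/24, DMZ web server 172.16.1.10
! A third routed VLAN (the DMZ) needs the Security Plus license, as noted above.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Default route points at the 1841, which just forwards packets to the ASA and back
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Outbound PAT: inside and dmz hosts go out using the ASA outside interface address
! (replaces the NAT pool that used to live on the 1841)
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
!
! Inbound port forward: outside_ip:80 -> DMZ web server:80
static (dmz,outside) tcp interface 80 172.16.1.10 80 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the translated (public) address, so permit to the outside IP.
! Everything not listed here is dropped by the implicit deny on the outside interface;
! inside->dmz and inside->outside are allowed by security level without an ACL.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.2 eq 80
access-group OUTSIDE_IN in interface outside
```

On ASA 8.3 and later the `static`/`global`/`nat (ifc) id` commands are replaced by object NAT, and ACLs then match the real (untranslated) address instead of the public one.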