ASA 5505 behind Cisco 871 connection problems

DerekPlaine
Level 1

Hi guys,

We have recently purchased an ASA 5505 and want to connect it to our 871 series router. So far the 871 has been our ADSL router and we would like to keep it.

Our current setup (not working though) is:

871 ----- ASA 5505 ----- 2960 Switch ---- PCs, Servers (DHCP/DNS/SQL/Exchange/Backup).

We don't use a DMZ, so there are only two networks: 192.168.1.x/24 (871 <-> 5505) and 10.0.0.x/24 (5505 <-> inside LAN).

Before the ASA 5505 was plugged in everything worked (users had internet, Exchange was getting its emails).

In order to keep the addressing in the LAN we had to reconfigure the 871 (by running the startup wizard and assigning it a new IP, 192.168.1.1).

The ASA 5505 was configured using the startup wizard too: inside and outside networks, no DMZ, no DHCP on the inside LAN. However, like I said, when it is plugged in there's no internet.

I was googling to see what we are missing, but due to a lack of experience in networking I wasn't able to find anything useful.

Can someone please shed some light or advise where to read on the subject of this connection? Books were ordered on Cisco IOS and router hardening, but it will take time for them to arrive and be read through.

Many thanks for your replies.


7 Replies

Collin Clark
VIP Alumni

Derek-

One option is to set your 871 to bridge. Is your 871 your PPPoE client (does it have your PPPoE username and password to connect to the ISP)? Here's a link on bridging.

http://cisco.com/en/US/partner/products/hw/routers/ps380/products_qanda_item09186a00800949ec.shtml#q1

Basically what you want the router to do is terminate the DSL connection and then transparently (no IPs) pass all traffic to your ASA. There are other ways too. How many public IPs do you have?

Hi, and thanks for your reply.

I would not want to bridge the 871. The idea is to have two different networks for better security.

Currently the 871 uses an external Ethernet bridged modem for the ADSL connection and we only have one static public IP.

Any suggestions on how to implement that?

Having two networks doesn't imply better security, and in this case it prevents functionality. You should only NAT once, and most people prefer to do that with a firewall. If you had multiple IPs you could subnet them further and then have a routable subnet between the 871 and the ASA, but with only one IP you're limited in what you can do. You can either bridge the 871 or remove it. What are you looking to provide more security to/from?

I've read here and there that having the LAN in a separate network provides a little more security rather than having everything in one net right behind the router/firewall. The 871 has its own firewall (not sure if it's better than the ASA though) and the ASA is a firewall by itself, so making a subnet between them made sense according to internet writeups. You kind of have two firewalls, not one.

The 871 is not an ADSL router and has a Linksys modem hooked to it in bridge mode. Can there be double bridging at all:

[bridged modem] - [bridged 871] - ASA

or shall we drop the 871 and use the ASA instead?

Since the 871 has firewall capabilities, can it be used at all in the given network, or will it only complicate the whole setup?

Many thanks for your advice.

A tiered firewall solution can be more secure, but it's used in certain situations. For example, let's say you have a web-based application that has an Oracle database on the backend. You would put a firewall on the outermost edge (like you're doing). In that 'inside' network you would put the web server. Since the data lives on another server, you put another firewall between the web server and the Oracle server to protect the database. Does that make sense?

Double bridging can be done, but there is no benefit and it just introduces further complexity and another point of failure. I would use the Linksys as the PPPoE client and the ASA as the only firewall. That way you have the 871 as a spare, since it can act as either the PPPoE client or a firewall in case of a failure of either device.
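A minimal single-NAT ASA 5505 configuration matching the advice above (NAT exactly once, at the firewall, with the 871 out of the forwarding path), added here as an illustration and not taken from the thread or from Cisco. It uses the pre-8.3 NAT syntax and assumes an ASA inside address of 10.0.0.1, an Exchange server at 10.0.0.10 (both constructed, the thread only gives 10.0.0.x/24), an ACL name `outside_in`, and a modem that hands the single public IP to the outside interface by DHCP.

```cisco
! ASA 5505 as the only NAT device and firewall (pre-8.3 NAT syntax).
! Added example; not from the thread. Assumed: ASA inside 10.0.0.1,
! Exchange at 10.0.0.10, public IP delivered to the outside interface by DHCP.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
! Exactly one translation: the whole inside LAN is PATed to the outside address.
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
!
! Expose only TCP/25 on the single public IP, and only to the Exchange server.
static (inside,outside) tcp interface smtp 10.0.0.10 smtp netmask 255.255.255.255
!
! Inbound policy: SMTP to the mapped port, everything else denied and logged.
access-list outside_in extended permit tcp any interface outside eq smtp
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Inside -> outside is allowed by the security levels; no inside ACL is needed.
! Check with: show nat, show xlate, show access-list outside_in
```

With a second NAT device in front (the 871 doing its own PAT on 192.168.1.x), the same inbound SMTP flow would need a matching port forward on the 871 as well, which is the functional cost of double NAT the reply above refers to.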

Thank you for the quick response. We will go with the one-ASA firewall solution.

Last question though: since the ASA 5505 doesn't offer intrusion detection and anti-virus protection like the 5510 does, isn't it then similar to the 871 router (firewall-wise)? In other words, what are the benefits of using the ASA over the 871?

The 5505 has better firewall and VPN performance. I don't think the router-based firewalls are certified either, so the government and sub-contractors are required to use certified firewalls like the ASA. In reality, when I spec FWs for customers, I lean towards routers because routers have more features: unlimited users, NetFlow, wireless, etc. Sometimes I have to spec a VPN-AIM card or a larger router, but it usually comes out cheaper than a lower-end firewall with limited features or users. On the other hand, if the customer isn't doing anything special I always suggest an ASA. They are very stable and offer good performance.
