cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
610
Views
0
Helpful
4
Replies

How to install ASA5505 in a PIX501 network

jottenba
Level 1
Level 1

Greetings,

We are planning to replace our (50  user) PIX501 with an ASA5505.  However, the ASA5505 is constrained and  will be not be available until June.  Main reason for the change is  there is no VPN client for new windows7 computers.

I have my own 10 user ASA5505, and am wondering if I  can use it to handle VPN for the new machines until the 50 user ASA  arrives.

We have several public IP's available.  Currently the  PIX uses 1 public IP to handle traffic for the internal network.  A  second public IP is routed directly to a server (mail) on the internal  network.  A third public IP handles current VPN traffic for remote user  machines.

I'd like to install my ASA connected to the  inside of the PIX.  I'd configure the PIX to route a fourth public IP to  the ASA5505.

So my questions are:

Is this even  possible?

Do I need to connect an inside VLAN of the ASA back  into the inside network of the PIX (so that VPN connections can access  workstations on the PIX inside network)?

Thanks in  advance for comments, suggestions!

-John

4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

jottenba wrote:

Greetings,

We are planning to replace our (50  user) PIX501 with an ASA5505.  However, the ASA5505 is constrained and  will be not be available until June.  Main reason for the change is  there is no VPN client for new windows7 computers.

I have my own 10 user ASA5505, and am wondering if I  can use it to handle VPN for the new machines until the 50 user ASA  arrives.

We have several public IP's available.  Currently the  PIX uses 1 public IP to handle traffic for the internal network.  A  second public IP is routed directly to a server (mail) on the internal  network.  A third public IP handles current VPN traffic for remote user  machines.

I'd like to install my ASA connected to the  inside of the PIX.  I'd configure the PIX to route a fourth public IP to  the ASA5505.

So my questions are:

Is this even  possible?

Do I need to connect an inside VLAN of the ASA back  into the inside network of the PIX (so that VPN connections can access  workstations on the PIX inside network)?

Thanks in  advance for comments, suggestions!

-John

John

If the public IPs you have are all from the same subnet then a better solution which avoids NAT etc. on the pix is to postion the ASA alongside the pix rather than behind it so the ASA outside interface is on the same public IP subnet as the outside interface of the pix.

If you put the ASA behind the pix and the 4th IP is from the same range as the others you cannot route the 4th IP through the pix to the ASA. What you can do is NAT the 4th public IP to a private IP and use this private IP as the ASA outside interface but this complicates things and you would need NAT traversal etc.

Jon

Thanks Jon,

I liked your idea and made an attempt over the weekend to implement it. However, I was unable to get the ASA to communicate outside.

Ah  - but as I write this I'm realizing I never put a route ( route outside 0.0.0.0 0.0.0.0 x.x.x.241 1 ).  Hopefully that was the issue and I can proceed...

-John

jottenba wrote:

Thanks Jon,

I liked your idea and made an attempt over the weekend to implement it. However, I was unable to get the ASA to communicate outside.

Ah  - but as I write this I'm realizing I never put a route ( route outside 0.0.0.0 0.0.0.0 x.x.x.241 1 ).  Hopefully that was the issue and I can proceed...

-John

John

Yes that would make a difference

Hope it goes okay now you have the default-route.

Jon

Well it works fine having a route in there...almost:

I used the wizard to setup VPN client access on the ASA.  I am able to connect in remotely, BUT am unable to access any machines on the inside network.

[At the address translation exception step I have left the selected network list blank on one attempt and added 192.168.1.0/24 in another attempt]

The inside network of the PIX is 192.168.1.0/24

I have the ASA inside VLAN connected to the inside network of the PIX, and assigned it address 192.168.1.15.  Machines on the inside network are able to access the ASA using ASDM.

I was hoping the wizard would just 'do it' but I must be missing something?  [I'm using ASDM 5.2(4) on the ASA 7.2(4)]

Thanks!

John

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: