2 Public Connections & Router/ASA bridging

Unanswered Question
Jul 23rd, 2010

I am looking at deploying my new ASA 5510 in the following manner:

ADSL & Cable Connections <---> Cisco 2811 Router in Bridge mode <-->NAT <---> ASA 5510 in Routing mode <----> Core Switch

*(Site2Site VPN will be running on ASA)

My questions are thus:

1) Since I have two public (static) IPs from the DSL & Cable connections, should I have two router interfaces connected to two interfaces on the ASA, or can I just have one interface connecting the router and ASA, binding both public IPs onto one ASA interface?

2) Do you see any pitfalls in doing it this way (router in bridge mode) vs. just doing a double NAT (NAT traffic at the router, and then again at the ASA)?

Thanks!

-Josh


August Ritchie Fri, 07/23/2010 - 13:31

You should be able to bind two IP addresses to one interface on the ASA.

Like say you had two servers on the core switch and you wanted to use two different external IP addresses. You can do something like below, where 1.1.1.1 belongs to one ISP and 2.2.2.2 belongs to another ISP:

static (inside,outside)  2.2.2.2 192.168.1.5

static (inside,outside)  1.1.1.1 192.168.1.6

You just need to make sure that you have a route back from the router for the networks pointing to the ASA.

As for pitfalls, double NAT may make things confusing but is viable.

Hopefully this makes sense/helps, please tell me if I am not understanding your question.

jacksonit Fri, 07/23/2010 - 13:42

Yes, that makes sense.

As a follow-up question, since the router is bridging the connection, I will need to configure the ASA interface with PPP, etc., for the public IPs, but can I do that with the interface having two public IPs bound to it?

Thanks!

-Josh

August Ritchie Fri, 07/23/2010 - 13:59

Both ISPs require PPPoE to get access to your public IP addresses?

The way I was describing before, you would have one public IP address allocated to the physical interface, and then basically the ASA would proxy for the secondary IP address and forward it back to whatever device needed it.

So here was my scenario:

router|1.1.1.2 ---- 1.1.1.1| ASA

Then the ASA would have a static for the other ip address so you could host different items like another webserver.

So on the router you would put something like

ip route 2.2.2.2 255.255.255.255 1.1.1.1

And on the ASA you would have

static (inside,outside) 2.2.2.2 192.168.5.5

But if both ISPs require that you do PPPoE to get the IP address, then we will need to think of another way as the ASA will only allow you to get one address from PPPoE.

Is there no way the other ISP could just route the IP back to you without having to do PPPoE?

jacksonit Mon, 07/26/2010 - 06:19

Only one of the ISPs requires PPPoE.

So I could either set it up like you had, or I could run two cables to two nics on the ASA:

ISP#1 <> Router(Int1) <> NAT <--> ASA (Int1)

ISP#2 <> Router(Int2) <> NAT <--> ASA (Int2) (VPN runs over this connection)

Would this have any benefit over your previous proposed solution?

Thanks!

-Josh

August Ritchie Mon, 07/26/2010 - 07:50

Ahh, since I know that you are using this second link for a VPN, I would say running the two connections directly to the ASA should be fine.

The problem usually with this scenario is that the ASA won't load balance between two ISPs, but since we know the destination for the VPN traffic, we can set up static routes to send it across a secondary internet connection.

So in short, I believe just connecting both ISPs as you have described, directly to the ASA, should be the easiest way. Here is my usual configuration for splitting off the VPN traffic.

Scenario:

E1 is for all traffic but VPN

E2 is VPN only

Default gateway for E1 is 77.0.0.1

Default gateway for E2 is 88.0.0.1

VPN peer is 65.0.0.1 255.255.255.255

VPN lan peers are at 10.0.0.0 255.0.0.0

config:

//default route out E1
route E1 0.0.0.0 0.0.0.0 77.0.0.1

//VPN connections through E2
route E2 65.0.0.1 255.255.255.255 88.0.0.1
route E2 10.0.0.0 255.0.0.0 88.0.0.1
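A small offline model of the two answers above, added here as an example and not code from the thread or from any Cisco tool. It parses the ASA `static` and `route` lines and the router's `ip route` line in the form they appear in the posts, does a longest-prefix-match lookup, and checks the two things the answers depend on: that the router has a return route for every public IP the ASA statics claim, pointing at the ASA's outside address (the "route back" point in the first answer), and that the VPN peer and VPN LAN prefixes leave E2 while everything else takes the default route out E1 (the final answer). The addresses are the thread's placeholder values; using 1.1.1.1 as the ASA outside address comes from the earlier `router|1.1.1.2 ---- 1.1.1.1| ASA` diagram, and combining the 192.168.5.5 static with the E1/E2 routes in one table is an assumption for illustration, since the thread shows them as separate scenarios.

```python
"""Model of the ASA/router design from the thread (added example, not thread code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str                          # ASA egress interface; "-" for an IOS route
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address


def parse_asa_route(line):
    # ASA syntax from the thread: "route E2 65.0.0.1 255.255.255.255 88.0.0.1"
    _, iface, net, mask, nh = line.split()
    return Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"),
                 ipaddress.IPv4Address(nh))


def parse_ios_route(line):
    # IOS syntax from the thread: "ip route 2.2.2.2 255.255.255.255 1.1.1.1"
    _, _, net, mask, nh = line.split()
    return Route("-", ipaddress.IPv4Network(f"{net}/{mask}"),
                 ipaddress.IPv4Address(nh))


def parse_static(line):
    # Pre-8.3 ASA syntax: "static (inside,outside) <mapped public> <real inside>"
    _, _ifpair, mapped, real = line.split()
    return ipaddress.IPv4Address(mapped), ipaddress.IPv4Address(real)


def lookup(routes, dst):
    """Longest-prefix match over a route list; returns the Route or None."""
    best = None
    for r in routes:
        if dst in r.network and (best is None
                                 or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


# Constructed tables, using the placeholder values posted in the thread.
ASA_OUTSIDE_IP = ipaddress.IPv4Address("1.1.1.1")          # assumption, from the diagram
ASA_STATICS = [parse_static("static (inside,outside) 2.2.2.2 192.168.5.5")]
ASA_ROUTES = [parse_asa_route(l) for l in (
    "route E1 0.0.0.0 0.0.0.0 77.0.0.1",
    "route E2 65.0.0.1 255.255.255.255 88.0.0.1",
    "route E2 10.0.0.0 255.0.0.0 88.0.0.1",
)]
ROUTER_ROUTES = [parse_ios_route("ip route 2.2.2.2 255.255.255.255 1.1.1.1")]


def missing_return_routes(statics, router_routes, asa_outside_ip):
    """Public IPs the ASA translates that the router would NOT forward to the ASA.

    A non-empty result is the 'no route back' pitfall from the first answer:
    traffic for that public IP never reaches the ASA, so the static is dead.
    """
    missing = []
    for mapped, _real in statics:
        r = lookup(router_routes, mapped)
        if r is None or r.next_hop != asa_outside_ip:
            missing.append(str(mapped))
    return missing


def egress_interface(asa_routes, dst):
    """Which ASA interface a packet to dst leaves by, per longest-prefix match."""
    r = lookup(asa_routes, ipaddress.IPv4Address(dst))
    return r.iface if r else None


def inbound_translate(statics, dst):
    """Inbound packet to a mapped public IP: the real inside host, or None."""
    target = ipaddress.IPv4Address(dst)
    for mapped, real in statics:
        if mapped == target:
            return str(real)
    return None


if __name__ == "__main__":
    print("statics without a router return route:",
          missing_return_routes(ASA_STATICS, ROUTER_ROUTES, ASA_OUTSIDE_IP))
    for dst in ("65.0.0.1", "10.20.30.40", "8.8.8.8"):
        print(f"{dst:>12} leaves via {egress_interface(ASA_ROUTES, dst)}")
    print("inbound 2.2.2.2 ->", inbound_translate(ASA_STATICS, "2.2.2.2"))
```

The two /32 and /8 routes win over the default because of prefix length, not because of the order they were typed, so the VPN split keeps working if more routes are added later. The return-route check is the one worth running whenever a new public IP is added to the ASA statics: the ASA side can look complete while the router still drops traffic for that address.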
