Adding ASA5510 to ISR2921 environment - basic qq's

Sep 8th, 2010

Not really a network guy, so bear with me. I've been running a preconfig environment of an ISR 2921 with its own VLAN; the WAN is a single Ethernet pipe incoming.

I need to introduce the ASA5510 into the equation, however some questions abound:

- We have a bank of 10 statics. The ISR2921 has one on eth0/0, LAN on eth0/1, connected to a switch.

What would be the appropriate cabling layout for the ASA/ISR, assuming this one single Internet connection, and which would be connected to the switch?

Assume I want to have some static IP's as well as static mapping, and a DMZ zone for internal LAN ip ranges. I know I will need to wipe the config currently on the ISR and reauthor on the ASA.

My question bears on the cabling connection layout between the ASA, ISR, and switch, as well as the LAN.

Thanks in advance for any advice!

Richard Burts Sat, 09/11/2010 - 07:53


There are a couple of things in your post that I do not understand.

- When you say that you are running a preconfig environment of an ISR 2921, what does that mean? What is a preconfig environment?

- When you say that "We have a bank of 10 statics", does that mean that you have 10 static addresses assigned to you by the ISP, or does it mean something else?

I will try to provide some answers based on what I think is your environment. Most networks would have the ASA connected to the Internet connection/ISP connection. The router would connect its eth 0/0 to the ASA and its eth 0/1 to the switch. With this setup the static IP addresses would usually be on the ASA, and the ASA would perform address translation (some could be static and some could be dynamic) for devices inside. This setup could provide the connectivity for the existing VLAN/subnet. Your post describes wanting to do a DMZ. Usually creating a DMZ involves connecting a separate switch (or perhaps router) on another interface of the ASA. Do you have another switch available to create a DMZ?



davidbirchell Sat, 09/11/2010 - 15:15

Thanks for replying, Richard, appreciate it!

Basically I have an ISR2921 router and an ASA5520, planned for deployment, but to get the network up for some preliminary webserver connections, I lit up the ISR2921 with a software-mode firewall. I knew I would introduce the ASA5510 into the network, and this is a good time to do it.

It is interesting you say the ISR should be behind the ASA - I was told by Cisco to do the ISR in front of the ASA, but that both ways would work fine.

Cisco did say that the ISR probably isn't needed in this setup due to only one incoming WAN interface, but I would like to set it up for future WAN additions and advanced routing with network engineers on site in the near future.

I have a bank of 10 statics assigned by my ISP, fed off an Ethernet line. The ISR is assigned one of these IPs. I did a trial deploy of removing the ISR and setting the ASA up, but could not get Internet connectivity (lots of variables can do this, but I think my issue was the static route to the internal VLAN from the WAN).

Now, assuming I want to set up the ISR in front, with WAN on eth0/0 on the ISR, and then connect eth0/1 to the ASA. Question here: because I will be running NAT (now) and DMZ (near future), assume I will be having the ISR handle all the WAN connections. Should the router-to-ASA firewall connection be an external static IP as well, or an internal IP?

Interface eth0/1 on the ASA would then be connected to the 24-port Cisco switch, for the hosts. I will need to set up NAT to allow specific ports (http, ssh, sip, et al), but I need to achieve the connectivity first.

Although, for network layout, if it is recommended that I put the ISR behind the ASA (as you recommended earlier), I should note that I already have the ISR configured with WAN/LAN and NAT, but I expected to wipe that config and build again if needed.

I will procure another switch and use that for the DMZ using the third interface, eth0/2, on the ASA, no problem. I just need to get the basic connectivity and proper routing set up here.


Richard Burts Sun, 09/12/2010 - 15:17


There are reasons to suggest putting the ISR behind the ASA and reasons to suggest putting the ISR in front of the ASA. What is the optimum placement depends on your particular environment. If there are plans for a second Internet connection then that could be a good reason to put the ISR in front of the ASA but that was not mentioned in your original post. And I agree that in the situation as described in the original post there is really no need for the ISR.

Part of my rationale for putting the ASA in front has to do with the static addresses and address translation. If the provider has given you a single block of static IP addresses, and if the "in front" device has an address from that address block configured on its interface then the assignment of static addresses and the translation of the addresses is to be done on the "in front" device. To me it makes more sense that the ASA have that since the address translation is more usually done on the ASA than on the router. But either solution could work. I work with some customers who get assigned a small subnet (frequently a /30) from the provider and a second larger block of addresses. This allows them to put a router in front (using the small subnet) and to put an ASA behind the router and the ASA to do the address translation. But that did not appear to be your circumstance.

There are multiple reasons why you may have had problems in getting Internet connectivity when you made your trial deploy using the ASA. It might have been routing to the internal VLAN, it might have been address translation issues, if you configured access lists then it might have been access list issues.

I believe that the answer to your question about addressing of the interfaces connecting the ISR and the ASA is that this would be an internal/private address. I do not see any reason why it should be a public address, and that would require assignment of yet another subnet from the provider. As I mentioned above, if you want the ISR in front and the address translation done on the ASA, then you need to request a second (small) subnet.
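As an added illustration of the layout Richard describes in his two replies (ASA on the ISP line holding the static block and doing the translation, ISR on a private link behind it, DMZ on a third ASA interface), here is an example ASA configuration fragment. It is not from the original thread or from Cisco; every address is an assumption: 203.0.113.0/28 stands in for the ISP-assigned static block with 203.0.113.1 as the ISP gateway, 10.0.0.0/30 is the private ASA-to-ISR link, 192.168.10.0/24 is the existing LAN VLAN behind the ISR, and 172.16.0.0/24 is the DMZ. The NAT syntax is the ASA 8.2-style `nat`/`global`/`static` form that shipped on 5510s at the time; ASA 8.3 and later replace it with object NAT, so check `show version` before pasting.

```cisco
! --- Example ASA 5510 fragment (added example, not from the thread; all addresses assumed) ---

! Outside: one address from the ISP static block, facing the ISP line
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240

! Inside: private /30 toward the ISR's eth0/0 (no public address needed here)
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252

! DMZ: separate switch on the third interface, lower trust than inside
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0

! Default route to the ISP, plus the route to the LAN VLAN that sits behind the ISR.
! Without the second line, return traffic for 192.168.10.0/24 has nowhere to go.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.10.0 255.255.255.0 10.0.0.2 1

! Dynamic PAT: LAN and DMZ hosts share the outside interface address going out
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0

! Identity translation so inside hosts can reach DMZ servers without being PAT'd
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

! Static one-to-one mapping: a second public address from the block -> the DMZ web server
static (dmz,outside) 203.0.113.3 172.16.0.10 netmask 255.255.255.255

! Only the published ports are reachable from the Internet; everything else is denied
access-list outside_in extended permit tcp any host 203.0.113.3 eq www
access-list outside_in extended permit tcp any host 203.0.113.3 eq https
access-group outside_in in interface outside
```

In this arrangement the ISR does plain routing only: eth0/0 gets 10.0.0.2/30 with a default route to 10.0.0.1, eth0/1 keeps the LAN VLAN, and the `ip nat` configuration the poster already has on the ISR should be removed so traffic is not translated twice. The 8.2 access list matches the public (post-translation) address 203.0.113.3; on 8.3+ the same rule would reference the real DMZ address 172.16.0.10 instead.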



