
Cisco 2821 Router behind Cisco ASA5505

Unanswered Question
Feb 26th, 2014

Dear All,


I have a Cisco ASA5505 with a Security Plus license, and there are 3 VLANs configured on the ASA5505.


VLAN1 inside

VLAN2 outside

VLAN3 guest wireless VLAN


Ethernet0/0 access VLAN 2 connected to ISP with static IP address


Ethernet0/1 is a trunk port connected to a Cisco 2960G. It works great: inside can access outside, and VPN clients from outside can remotely access inside. All my devices are connected to the 2960G, and for sure my inside LAN traffic will be tied down to 100Mb because the ASA5505 interface is 100Mb. I am thinking of getting a Cisco 2821 router and placing it between the ASA5505 and the 2960G, and having the 2821 route the traffic at a 1Gb connection for the inside LAN. I know static routes and NAT need to be configured on the 2821, as well as a configuration change on the ASA5505. I do not want to upgrade the ASA5505 to an ASA5510 because it is too much power for a home user. Is it possible? If yes, could you please shed some light on how to make it work? I greatly appreciate your help.


Best regards,


Vincent Le

Overall Rating: 5 (1 ratings)
Jon Marshall Wed, 02/26/2014 - 17:11
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Vincent


Firstly there would be no need to do NAT on the router as the ASA is doing that but you would need routes on the 2821 and the ASA.


But what do you need a router for? You say you want to route the traffic at 1Gbps but route between what ?


Is it so you can route between the inside network and the wireless network ?  I wouldn't have thought so as you generally don't want the guest network to be able to communicate with the internal network.


So what exactly do you want to route between ?


Edit - worth noting that with the right IOS version and feature set your switch may be capable of doing limited routing so you would not need a router but again it depends on what you are trying to route between.


Jon

mynet4lab Wed, 02/26/2014 - 18:32

Hello Jon,

I greatly appreciate your reply.


At present my home network connection is only 100Mb when I am sending and receiving data from pc1 to pc2, because the interface of the ASA5505 is 100Mb and the 2960G layer 2 switch is 1Gb.


I am thinking of having a router placed between the ASA5505 and my layer 2 switch. If pc1 sends a file to pc2 or pc2 to pc1, I have a 1Gb connection (pc1 and pc2 are in the same VLAN 1) instead of 100Mb, because the traffic will pass through the trunk port up to the ASA5505. Am I correct? If this is the case, that's why I want to have a router to handle the inside network; if the inside network needs to access outside, it goes to the ASA5505.


I can route between the inside network and the wireless network by the access-list on the ASA5505, just for test only, and for now the guest wireless network is not allowed to communicate with the inside network.


Here is my home network connection

DSL modem connected to ASA5505 eth0/0

ASA5505 eth0/1 trunk port connected to 1st 2960G gi0/8

1st 2960G gi0/7 trunk port connected to 2nd 2960G gi0/8


Hyper-V servers, VMware ESXi servers, a Cisco 1142N-A-K9 access point and a printer are all connected to both 2960Gs in VLAN1


Cisco Adaptive Security Appliance Software Version 8.4(6)
Device Manager Version 7.1(3)
========================================================================================

Cisco 2960G are the layer 2 switches

Switch Ports Model              SW Version            SW Image                
------ ----- -----              ----------            ----------              
*    1 8     WS-C2960G-8TC-L    12.2(55)SE            C2960-LANBASEK9-M
========================================================================================

Cisco 2821 Router IOS version  15.1(3)T


Sorry Jon, if my explanation is not clear


Best regards

Vincent

Jon Marshall Wed, 02/26/2014 - 18:40

Vincent


If PC1 and PC2 are in the same vlan then there is no need to go via the ASA and it won't, so the ASA is not limiting the traffic here.


They would only need to go to the ASA if they are in different vlans because then the traffic would need to be routed.


So devices in the same vlan connected to your switches only have to go to the ASA for internet access. This is basically the difference between L2 and L3, i.e. each device in the internal vlan will have an IP address from the same subnet and a default gateway. Presumably the default gateway is the ASA inside interface IP address. They only send traffic to this default gateway if the destination IP address is in a different subnet.


If the destination IP is in the same subnet then there is no need to send it to the default gateway, they simply send it direct via the switch.


So a router will make no difference for traffic between devices in the same vlan because this traffic is not L3 routed.


Does this make sense ?


Jon
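The forwarding decision described in the reply above, as an added example that is not part of the original thread: it models how a host chooses between direct L2 delivery and its default gateway, and which flows therefore cross the ASA and its 100Mb interface. The thread gives no IP addressing, so the subnets, host addresses, gateway address and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing: the thread gives no IP addresses, so these subnets,
# host addresses and the gateway are assumptions made for illustration.
INSIDE = ipaddress.ip_interface("192.168.1.10/24")   # pc1, VLAN 1 (inside)
GATEWAY = ipaddress.ip_address("192.168.1.1")        # ASA inside interface
LINK_MBPS = {"switch": 1000, "asa": 100}             # speeds quoted in the thread


def next_hop(src_if, gateway, dst):
    """Return (next_hop_ip, layer) the way an IP host picks it.

    A destination inside the sender's own subnet is on-link: the host ARPs for
    it and the frame is switched at L2. Anything else goes to the default gateway.
    """
    dst = ipaddress.ip_address(dst)
    if gateway not in src_if.network:
        raise ValueError("default gateway must be on the sender's own subnet")
    if dst in src_if.network:
        return dst, "L2"
    return gateway, "L3"


def path_report(src_if, gateway, dst):
    """Describe which devices carry the flow and the slowest link on the path."""
    hop, layer = next_hop(src_if, gateway, dst)
    devices = ["switch"] if layer == "L2" else ["switch", "asa"]
    return {
        "next_hop": str(hop),
        "layer": layer,
        "crosses_asa": "asa" in devices,   # only these flows meet the ASA access-lists
        "bottleneck_mbps": min(LINK_MBPS[d] for d in devices),
    }


if __name__ == "__main__":
    samples = {   # constructed destinations
        "pc2, same VLAN": "192.168.1.20",
        "guest wireless VLAN host": "192.168.3.50",
        "internet host": "203.0.113.7",
    }
    for label, dst in samples.items():
        print(f"{label:26} -> {path_report(INSIDE, GATEWAY, dst)}")
```

Flows reported with `crosses_asa` false are never seen by the firewall, so access-lists on the ASA cannot filter traffic between hosts in the same VLAN. A host configured with too wide a mask (for example /16 here) would treat the guest subnet as on-link and never send that traffic to the gateway.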

mynet4lab Wed, 02/26/2014 - 19:07

Whew Whew! Thank you so much for your explanation and kindness. You've saved me the cost of eBay


You have a great day Jon



Vincent

Jon Marshall Wed, 02/26/2014 - 19:09

Vincent


No problem, glad to have helped.


Jon
