Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

New ASA5510 in office network

Am attempting to place an ASA5510 in front of an existing Cisco 2821 router. This 5510 will replace the VPN and firewall modules currently in place on the 2821.

After placing the new firewall in place and changing the routes and paths, I was unsuccessful in getting a route out to the Internet. Spent quite some time debugging but to no avail.

As this is a production network, I cannot test during the day. Am hoping that perhaps someone can take a look at the two existing configs on the 2821 and the 5510, my proposed network diagram, and the changes I added, along with the errors I saw once I placed the changes in place.

I can provide more information if needed.

Any help is much appreciated.


Re: New ASA5510 in office network


for one I am confused on what you are trying to do - do you want the outside ASA interface to have a public IP or internal - both config's conflict.

If the current ASA config (attached) is the way you want to go, the reason why it does not work out to the internet is you are controlling NAT - but not NATTing outbound traffic. From the c2821 config, you have changed your mind, and you are trying to do something compeltely different, your NAT statements are wrong.


New Member

Re: New ASA5510 in office network

My apologies. The problem may lie with the fact that the 2821 is currently doing both routing and firewalling at the present time.

My objective is to ha ethe outside ASA interface to have a public IP (, but then when users connect via VPN they hairpin and receive a routeable IP address within my outside IP address block, i.e. through That way I am forcing them through my Internet connection.

If this does not make sense, let me know.

I am including a Visio with how I want the network to work.

I figured my NAT statements are incorrect. It has been too long since I have worked with Cisco equipment.

Re: New ASA5510 in office network

I have not read the initial configs other than the new config 2821, it will be helpful to see vertical configs for the current 2821 device and asa5500, the configs attached are in horizontal format..makes it harder to read them. I think I understand what are you trying to do, but I must agree with Andrew, at first is a bit confusing, looking at the diagram is better.

From what you are discribing it seems the 2821 router is doing firewalling and Im sure is probably doing NATing as well. I think the best way to go about this is to plan the implementation and move those tasks off the router onto the firewall, that is, NATing and firewalling etc.. and perhaps do some basic internet edge filtering on the router for another layer of protection, otherwise you will run into problems and end up troubleshooting two devices.

Enable NAT control on the ASA5500 firewall and as you have in your plan assign ASA5500 outside interface with public IP address, also your Router ethernet interface facing ASA5500 should have public IP, you don't mention what you have for routing facing ISP, static defaul route? BGP? either or configure ASA5500 defaul route pointing to router 2821 ethernet interface etc..

Best is probably start fresh on the 2821 router simple routing and as I said before move the NATing and Firewalling to the ASA.

Plan it for a weekend, save all config for roll back in case problems.

For the VPN tunnels I supoose you have them configured on the router, I would also move those to the ASA5500 full tunnel and nat the VPN pool network hairpining to use internet via outside interface of firewall.



Re: New ASA5510 in office network


Ahh OK - I( understand, questions:-

1) Are you going to use the 2821 as a second layer firewall?

2) Are you going to remove the 2821 firewalling completely?

3) If yes to #2 is the 2821 going to be the primary layer3 routing device?

As for the remote access - this is simple, all you need to is:-

1) In the current tunnel profile, disable split-tunneling and tunnel-all

2) Enable "same-security-traffic permit intra-interface"

This means that all traffic from the VPn client will be encrypted and sent to the ASA. When internet traffic reaches the ASA - it will leave via the outside interface - using whatever NAT statements you have configured for the VPN subnet.


P.S - nice visio cisco icons - where did you get them from?

New Member

Re: New ASA5510 in office network

As this router is still in production I am very limited in terms of time. I will plan on migrating this some weekend.

To answer your questions:

1) I want the 2821 to ONLY be a router. I want to rip all ACLs and Zone rules and VPNs rules off the router. Is there a simple CLI command to do this?

2) Yes, for the time being, I will remove firewalling on the router and let the 2821 do all the firewalling. Once everything is working, then I'll place some simple rules on the router to act as a secondary defense.

3) Yes, the 2821 will be the rpimary routing device.

I have already placed the VPN rules you mentioned on the 5510. Once I get the routing between the two cleared up and NAT and ACLs removed from the 2821, then I'll focus on VPN connections.

I got the Cisco Visio icons form the following locations:

Thanks for the help.

CreatePlease to create content