Configuring the Router to connect to ASA

We are planning to install a new ASA Firewall. Currently the Router is connected to the internet Gateway and to 3 switches which are in 3 different networks.

[image1.png]

Router interfaces are 10.60.1.1, 192.168.130.1, 172.16.2.1

Now it is going to be

[image2.png]

ASA interfaces will be 192.168.30.1, 172.16.2.1 and Router interfaces will be 192.168.130.2 and 172.16.2.2

1. Currently the default gateway on the router is configured as 0.0.0.0 0.0.0.0 220.*.*.*

I will be moving the default gateway to the ASA.

How do I configure the route on the Router? Will it be 0.0.0.0 0.0.0.0 192.168.130.1 or 0.0.0.0 0.0.0.0 172.16.2.1?

2. Currently the interfaces on the Router are configured as follows:

interface GigabitEthernet0/0
 description LAN
 ip address 192.168.130.1 255.255.255.0
 ip access-group col-in in
 no ip redirects
 no ip proxy-arp
 ip accounting output-packets
 ip nat inside
 ip inspect SDM_L out
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
 service-policy output manage-gnet-bandwidth-out
!
interface GigabitEthernet0/1
 description DMZ LAN
 ip address 172.16.2.1 255.255.255.0
 ip access-group dmz61in in
 no ip redirects
 no ip proxy-arp
 ip accounting output-packets
 ip nat inside
 ip inspect SDM_L out
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no mop enabled

After the cutover, will the configuration on the Router be:

interface GigabitEthernet0/0
 description LAN
 ip address 192.168.130.2 255.255.255.0
!
interface GigabitEthernet0/1
 description DMZ LAN
 ip address 172.16.2.2 255.255.255.0

Do I need to change anything else on the Router?

12 REPLIES
Hall of Fame Super Silver

Configuring the Router to connect to ASA

Hello Purple Tech,

1)

It depends on the ASA configuration. Generally speaking, the ASA being a firewall, it works well with symmetric routing, so you need to make a choice and be consistent on all devices.

From the router's point of view it could support configuring both default static routes.

But the ASA, being a firewall, can route the return traffic only down one of the two interfaces.

So the safest move is to use only one, for example the internal LAN 192.168.130., for both directions to achieve symmetric routing.

2)

Yes you can remove the ip inspect statements as this becomes the job of the ASA and also you are changing the topology.

Hope to help

Giuseppe
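
The symmetric-routing point above, as an added example (not from this thread or from Cisco): a small model of the post-cutover tables that applies longest-prefix matching on the router and on the ASA and reports whether a flow from the 10.60.1.0/24 LAN leaves the router over the same router-ASA link the ASA will use for the reply. Interface names, the ISP link and the assumption that DMZ and Internet replies come back through the ASA are mine.

```python
import ipaddress

# Constructed post-cutover topology from this thread (assumed interface names).
# Links are identified by the shared subnet; "isp" stands in for the ASA uplink.
ROUTER_IFACES = {"gi0/0": "192.168.130.0/24", "gi0/1": "172.16.2.0/24",
                 "gi0/2": "10.60.1.0/24"}
ASA_IFACES = {"inside": "192.168.130.0/24", "dmz": "172.16.2.0/24", "outside": "isp"}
ASA_ROUTES = [  # (prefix, egress nameif): only the egress link matters for symmetry
    ("192.168.130.0/24", "inside"),
    ("172.16.2.0/24", "dmz"),
    ("10.60.1.0/24", "inside"),   # route inside 10.60.1.0 255.255.255.0 192.168.130.2
    ("0.0.0.0/0", "outside"),     # route outside 0 0 <ISP next hop> 1
]

def router_routes(default_next_hop):
    """Router table: connected subnets plus one default route towards the ASA."""
    routes = [(net, ifc) for ifc, net in ROUTER_IFACES.items()]
    for ifc, net in ROUTER_IFACES.items():
        if ipaddress.ip_address(default_next_hop) in ipaddress.ip_network(net):
            return routes + [("0.0.0.0/0", ifc)]
    raise ValueError("default next hop is not on a connected subnet")

def egress(routes, dst):
    """Longest-prefix match returning the egress interface for dst."""
    ip = ipaddress.ip_address(dst)
    cands = [(ipaddress.ip_network(p), ifc) for p, ifc in routes
             if ip in ipaddress.ip_network(p)]
    return max(cands, key=lambda c: c[0].prefixlen)[1]

def links(router_default_next_hop, src, dst):
    """Link carrying src->dst off the router, and link the ASA uses for the reply.
    Assumes DMZ and Internet replies enter the ASA and follow ASA_ROUTES back."""
    fwd = ROUTER_IFACES[egress(router_routes(router_default_next_hop), dst)]
    ret = ASA_IFACES[egress(ASA_ROUTES, src)]
    return fwd, ret

def is_symmetric(router_default_next_hop, src, dst):
    """True when both directions cross the same router-ASA link."""
    fwd, ret = links(router_default_next_hop, src, dst)
    return fwd == ret

if __name__ == "__main__":
    for nh in ("192.168.130.1", "172.16.2.1"):
        for dst in ("8.8.8.8", "172.16.2.10"):
            print(nh, "10.60.1.5 ->", dst, "symmetric:", is_symmetric(nh, "10.60.1.5", dst))
```

With the default route via 192.168.130.1, Internet-bound traffic is symmetric; pointing it at 172.16.2.1, or letting the router reach the DMZ directly over gi0/1 while the ASA routes 10.60.1.0/24 back over inside, produces the asymmetric case the reply warns about.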

New Member

Configuring the Router to connect to ASA

Thank you for your help.

It is an ASA 5525 Firewall.

So can I configure 2 static routes on the router?

ip route 192.168.130.0 255.255.255.0 192.168.130.1

ip route 172.16.2.0 255.255.255.0 192.168.130.1

New Member

Configuring the Router to connect to ASA

Please help me configure the routes on the ASA and the Router.

Hall of Fame Super Silver

Re: Configuring the Router to connect to ASA

Hello Purple Tech,

the first one is not needed: it is the shared link between ASA and router, you will NEVER need it.

The second static route is needed only if you remove the connection of the router to the 172.16.2.0 network, that is if you disable gi0/1 on the router. But this is not required. So the second static route may also not be needed.

Note:

I'm not saying that the router cannot be connected to both IP subnets anymore, I mean that routing with ASA will work well with only one of them used.

Edit:

the only required static route is on ASA and is for the 10.60.1.0 subnet

I assume you will name the ASA interface inside

the command on ASA will be:

route inside 10.60.1.0 255.255.255.0 192.168.130.2

where the IP next-hop is the new IP address of router interface gi0/0

Edit2:

you can follow the example below for how to configure the ASA (note: the ASA SW version counts a lot; this is for 8.3)

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b7c939.shtml

Hope to help

Giuseppe

New Member

Configuring the Router to connect to ASA

Thank you for your help Giuseppe

So the basic configuration (before adding ACLs and NAT) on the ASA is going to be

interface gig0/0
 nameif outside
 security-level 0
 ip address 220.*.*.* 255.255.255.0
!
interface gig0/1
 nameif inside
 security-level 100
 ip address 192.168.130.1 255.255.255.0
!
interface gig0/2
 nameif dmz
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
route outside 0 0 220.*.*.* 1
route inside 10.60.1.0 255.255.255.0 192.168.130.2

On the Router:

interface GigabitEthernet0/0
 description LAN
 ip address 192.168.130.2 255.255.255.0
!
interface GigabitEthernet0/1
 description DMZ LAN
 ip address 172.16.2.2 255.255.255.0

and no ip routes on the Router

Hall of Fame Super Silver

Configuring the Router to connect to ASA

Hello Purple tech,

on the router you still need the default static route

ip route 0.0.0.0 0.0.0.0 192.168.130.1

it may be wise to use a different security level for the DMZ, because by default the ASA doesn't allow communication between interfaces with the same security level; for example use 80 instead of 100

Hope to help

Giuseppe
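
The two points raised in this reply, as an added example that is not from the thread or from Cisco: a small linter over the ASA interface configuration posted above, which flags `ip address` lines with no explicit mask (the ASA would fall back to the classful mask, /16 for 172.16.2.1) and interfaces that share a security level when `same-security-traffic permit inter-interface` is absent. The sample config is reconstructed from the post with 220.0.0.x as a placeholder for the masked public address.

```python
# Constructed sample: the ASA interface configuration as posted in this thread,
# with placeholder public address 220.0.0.2 standing in for the masked 220.*.*.*.
SAMPLE_ASA_CONFIG = """\
int gig0/0
 nameif outside
 security-level 0
 ip address 220.0.0.2 255.255.255.0
int gig0/1
 nameif inside
 security-level 100
 ip address 192.168.130.1
int gig0/2
 nameif dmz
 security-level 100
 ip address 172.16.2.1
"""

def parse_interfaces(config):
    """Collect nameif, security-level and ip address words per interface block."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(("interface ", "int ")):
            cur = ifaces.setdefault(line.split()[1], {})
        elif cur is not None and line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and line.startswith("ip address "):
            cur["addr"] = line.split()[2:]
    return ifaces

def lint(config):
    """Return a list of findings; an empty list means both checks passed."""
    ifaces, findings = parse_interfaces(config), []
    for name, i in ifaces.items():
        if "addr" in i and len(i["addr"]) < 2:   # ASA would apply the classful mask
            findings.append(f"{name}: ip address has no explicit subnet mask")
    if "same-security-traffic permit inter-interface" not in config:
        by_level = {}
        for i in ifaces.values():
            by_level.setdefault(i.get("level"), []).append(i.get("nameif"))
        for lvl, names in by_level.items():
            if lvl is not None and len(names) > 1:
                findings.append(f"{', '.join(names)} share security-level {lvl}; "
                                "traffic between them is denied by default")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_ASA_CONFIG):
        print(finding)
```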

New Member

Configuring the Router to connect to ASA

Thank you so much Giuseppe

How do I configure the http server? In the example you sent I saw the following:

http server enable

http 192.168.0.0 255.255.254.0 inside

How do I configure http in this network?

Thank you

Hall of Fame Super Silver

Configuring the Router to connect to ASA

Hello Purple tech,

your inside is 192.168.130.0/24, so it becomes

http server enable

http 192.168.130.0 255.255.255.0 inside

try to see if you can add a second line like:

http 10.60.1.0 255.255.255.0 inside

note: if the second line overrides the first one, it means only one statement is supported and you need to make a choice

Hope to help

Giuseppe

New Member

Configuring the Router to connect to ASA

Thank you Giuseppe
