Putting Cisco 2911 behind ASA

browe-tfx · ‎12-30-2011

Today I'm going to be re-organzing my network, kind of and I just wanted to get a second opinon. Right now I have an ASA 5510 and a Cisco 2911 and a Cisco 2960 (and I have two more 2911s and 2960s that handles our phone network).

How the network is setup now........

Router 2911 is on the edge Gi0/0 has the public IP and Gi0/1 is not used and then I have 5 individual VLANs (Gi0/1.100, 1.200, 1.300, 1.400, 1.500)

VLAN100 is our internal network 10.10.18.1/24 (router is 10.10.18.1)

And the 2960 is used for swichport access, the ASA is on the side and only used as a VPN.

What I want to do is put the ASA on the edge so I can dump all the access-lists and everything then 2911 will only be used to route the traffic. Now I know I will have to reconfigure the VPN, which isn't a problem. My question is when putting the ASA on the edge do I just put the public IP on the ASA's e0/0 and then plug the 2911 into the e0/1 of the ASA and give the Gi0/0 of the 2911 the ip address of 10.10.18.1 or do I just shut it down? The reason behind this is because I would actually like to use the ASA for more than just the VPN passthrough.

Jeff Van Houten · ‎12-30-2011

If the Internet connection comes to you as Ethernet I don't see that you need the router at all. There may be some license and/or model limitations but the Asa can certainly handle 5 internal Vlans and a single external port.

Sent from Cisco Technical Support iPad App

browe-tfx · ‎12-30-2011

Thanks Jeff,

So pretty much I should just keep the ASA on the side and just use it for a VPN (in the next few weeks I will be setting it up for a site to site vpn, the RA VPN is what I'm using it for now?

Jeff Van Houten · ‎12-30-2011

No put the router on the side and let the Asa do all of the work.

Thanks,

Jeff Van Houten

Vice President &

Chief Technology Officer

First Bank and Trust

909 Poydras St.

Suite 3300

New Orleans, LA 70112

www.fbtonline.com<>

"Your Goals Come First"

browe-tfx · ‎12-30-2011

Ah gotcha so ultimately I can do my new setup like this

ASA
e0/0 - Public IP

e0/1 - No Ip Address

e0/1.100 (with the 10.10.18.1 becoming new IP address for the ASA)

Router (plugged into e0/1 on the ASA)

gi0/0 - 10.10.18.2

2960 stays plugged into gi0/1 or if move the VLANs to ASA plugged the e0/1 of the ASA

Jeff Van Houten · ‎12-30-2011

Take the wire connecting the router to the switch today and plug the router end into the Asa internal interface. Configure all 5 Vlans on the Asa. Take the external wire connected to the router and plug into the external of the Asa. Configure external of Asa to external ip of the router. Move all acls to Asa. Turn off router.

Thanks,

Jeff Van Houten

Vice President &

Chief Technology Officer

First Bank and Trust

909 Poydras St.

Suite 3300

New Orleans, LA 70112

www.fbtonline.com<>

"Your Goals Come First"

Pawan Sharma · ‎12-30-2011

Hi,

If you just want to use the router coz you have one then I would recommend to keep it ahead of ASA i.e. your WAN side network boundary. Else you can keep router aside and use ASA as your WAN gateway with LAN side directly terminating onto the cisco 2960 Switch.

Regards,

Pawan Sharma

http://www.ebrahma.com

Regards,
Pawan Sharma
https://itgears.io