Network Design with Router and firewall

jamesallen36
Level 1

Hi all,

I am working on getting a new network set up that will replace our old one, and I had a couple of conceptual questions that I was hoping for help on. First let me detail what I am trying to do and then pose my questions, which mainly have to do with physical cabling and where things go in line internally to the network.

Equipment -

     Routers - 2 x Cisco 2921 with BGP configured externally and EIGRP internally. Running HSRP for redundancy.

     Firewalls - 2 x ASA 5510

     Public Switch - Cisco 2950

          VLANs on public switch -  <101 for Comcast Router network> <102 for Comcast assigned usable external IPs>

     ISP - Comcast fiber internet connection terminated into a proprietary ethernet switch.

Please let me know if any of these steps sound incorrect. (IPs are just examples)

1. Plug the Comcast delivered ethernet cable into VLAN 101 on public switch. For this example, the IP will be 107.10.79.104.

2. Configure default route on both of my routers pointing to 107.10.79.104.

3. Configure GI0/0 on both routers with one of the usable IP ranges that were given to me from Comcast which for this example will be 107.10.79.105 and 107.10.79.106. These would be on VLAN 101 of the public switch.

4. Configure HSRP on the two routers with another usable public IP which I will make 107.10.79.107.

5. Plug router interfaces GI0/1 into the public switch on VLAN 102 and assign our customer usable IPs which I will make 107.1.217.128 and 107.1.217.129.

6. Configure router HSRP interface with IP 107.1.217.129 as the IP that floats between routers for redundancy.

7. Plug both firewall interfaces 0/0 into the public switch on VLAN 102 and configure the external interface with another customer usable IP that Comcast has assigned which in this case will be 107.1.217.130 and 107.1.217.131.

8. Configure firewall HSRP interface with IP 107.1.217.132 as the IP that floats between firewalls for redundancy.

9. Assign IP block of usable addresses to the firewalls.

10. Configure interface 0/1 on both firewalls as internal LAN addresses that the layer 3 switch points to for its default route.

Questions -

1. Do I need to configure HSRP within the Comcast network (107.10.79.x) or within my customer-usable IP network of 10.1.217.x?

2. Does the use of the public switch appear to be correct, since I need more than one connection between my equipment?

3. Does the customer usable IP range get assigned to the routers or the firewalls?

4. Are there any concepts that I appear to be missing on how this all strings together?

Thanks in advance for any helpful input!

Accepted Solution

tony.henry_2
Level 1

James,

Q1, I'm not sure how HSRP on your side for the firewall would work, assuming that no routing protocols are running between your firewall and the 2921s.

Q2, I think so; drawing it for myself it looks OK, but you might want to put it on paper so that you can show other people what you're planning. My interpretation may differ from what you are planning.

Q3, I'd personally move the real IP addresses back to the firewall and address the local subnet (VLAN 102) from some private addresses. The routers would then have a static for the real addresses pointing to the firewall, and have the firewall NAT them.

Q4, A topology diagram won't hurt. I would say that you're probably OK with what you have planned. The internal network will point to the firewalls, the firewalls will point to the 2921s' HSRP address, and the 2921s will utilise BGP to route out. Is that the way you saw it?

HTH

Tony
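The ten-step plan in the question and the Q3 recommendation in this answer (private addressing on VLAN 102, the real block routed to the firewalls and NATed there), written out as device configuration. This is an added example, not configuration from either poster. It keeps the addresses the question gives for the Comcast side (107.10.79.104 gateway, .105/.106 on the routers, .107 as the HSRP address) and the 107.1.217.128 customer block; everything else is an assumption: the /28 masks, the 192.168.255.0/29 transit subnet on VLAN 102, the 10.0.0.0/24 inside subnet, the 107.1.217.130/.131 NAT addresses, the Ethernet0/3 failover link with 10.255.255.0/30, the 2950 port numbers, and the REPLACE-ME key strings. Two things the step list glosses over: an ASA 5510 does not run HSRP, it runs active/standby failover, so the "floating" firewall address of step 8 is simply the active unit's configured IP (192.168.255.4 here), which is also what the routers' static route for the customer block points at; and the NAT lines use the ASA 8.3-and-later object NAT syntax. BGP on the 2921s is left out; the static default of step 2 stands in for it.

```cisco
! ---- R1 (Cisco 2921). R2 is identical except for its own addresses and a lower
! ---- HSRP priority (90) so that R1 is active and preempts when it returns.
hostname R1
no ip http server
no ip http secure-server
no cdp run
track 1 interface GigabitEthernet0/1 line-protocol
track 2 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description Comcast handoff, public switch VLAN 101 (steps 1, 3, 4)
 ip address 107.10.79.105 255.255.255.240
 no ip proxy-arp
 no ip redirects
 standby version 2
 standby 101 ip 107.10.79.107
 standby 101 priority 110
 standby 101 preempt
 standby 101 authentication md5 key-string REPLACE-ME
 standby 101 track 1 decrement 20
!
interface GigabitEthernet0/1
 description Private transit to the ASA pair, public switch VLAN 102 (steps 5, 6)
 ip address 192.168.255.2 255.255.255.248
 no ip proxy-arp
 no ip redirects
 standby version 2
 standby 102 ip 192.168.255.1
 standby 102 priority 110
 standby 102 preempt
 standby 102 authentication md5 key-string REPLACE-ME
 standby 102 track 2 decrement 20
!
ip route 0.0.0.0 0.0.0.0 107.10.79.104
! customer block is routed to the ASA active address (assumed), as in Q3 above
ip route 107.1.217.128 255.255.255.240 192.168.255.4
!
! ---- ASA-1 (primary). ASA-2 needs only the failover lines below, with
! ---- "failover lan unit secondary"; the rest replicates from the primary.
hostname ASA-1
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.255.4 255.255.255.248 standby 192.168.255.5
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key REPLACE-ME
route outside 0.0.0.0 0.0.0.0 192.168.255.1
! inside hosts PAT to one assumed address from the routed block (8.3+ syntax)
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic 107.1.217.130
object network WEB_SERVER
 host 10.0.0.80
 nat (inside,outside) static 107.1.217.131
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
ssh 10.0.0.0 255.255.255.0 inside
!
! ---- Public switch (Cisco 2950): pure layer 2. Keep its management SVI off
! ---- VLANs 101/102 so it cannot be reached from the ISP side or the transit.
vlan 101
 name COMCAST-HANDOFF
vlan 102
 name ASA-TRANSIT
interface FastEthernet0/1
 description Comcast handoff
 switchport mode access
 switchport access vlan 101
 switchport nonegotiate
 no cdp enable
interface range FastEthernet0/2 - 3
 description R1 Gi0/0, R2 Gi0/0
 switchport mode access
 switchport access vlan 101
interface range FastEthernet0/4 - 7
 description R1 Gi0/1, R2 Gi0/1, ASA-1 E0/0, ASA-2 E0/0
 switchport mode access
 switchport access vlan 102
interface Vlan1
 shutdown
```

The layer 3 switch of step 10 points its default route at 10.0.0.1, the ASA inside address that follows the active unit. The security-relevant choices are the ones that cost nothing to make up front: MD5 authentication on both HSRP groups so nothing else on the shared 2950 can claim the virtual address, proxy-ARP and redirects off on the router interfaces that sit outside the firewall, an explicit deny-and-log at the end of the outside ACL, firewall management reachable only from inside, and no IP address on the public switch in either of the VLANs it carries.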


2 Replies


Sounds great thanks for the sanity check. I just wanted to make sure I was going down the right path conceptually.
