Router--switch--asa
mattsthe2
Member Posts: 304
So we have an edge router that is doing everything you can possibly think of (NAT, firewall, VPN, MPLS traffic, Internet traffic, etc).
We bought some ASAs and want to offload the firewall and VPN stuff to them.
From initial talks the physical layout will be router, switch and then ASA.
I always thought the ASA was inline between the router and switch.
The idea is that we want to tag the various interfaces on the edge router (I guess by encapsulation dot1q VLAN_NUM), and then somehow send all that traffic through the switch and onto the ASA and back out to the switch again.
I'm having trouble understanding how I get the traffic from the router to the ASA.
Help! lol.
Comments
-
Ahriakin Member Posts: 1,799
Can you clarify a bit? Will your router still be providing your WAN connectivity or will the ASA be directly connected to the net?
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
mattsthe2 Member Posts: 304
Thanks for the reply.
Basically we have a DS3 coming into the main edge router.
There are sub-interfaces configured under that DS3 for our WAN traffic and also a DIA (internet circuit). Both of these are physically coming in on the same circuit.
We also have another T3 for Internet from another provider, again coming into the same edge router.
So to answer your question, yes, the edge router will still be providing WAN connectivity.
-
dtlokee Member Posts: 2,378
You either need to use L3 routes to forward the traffic to the ASA and configure same-security-traffic permit intra-interface (or inter-interface if using subinterfaces at the same security level), NAT rules (if needed) and access-lists (if needed). If using different VLANs you also have the option of using transparent mode, but you can only have 2 interfaces and it will wipe out the configuration, so don't do this on your existing production ASA.
When you say subinterfaces under the T3 I am assuming you mean different channel-groups?
The only easy day was yesterday!
-
mattsthe2 Member Posts: 304
OK dt, you made me think of something.
This "encapsulation dot1q VLAN" on the different circuits on the edge router will not work.
You can't tag encapsulation on sub-interfaces.
How do I distinguish between Inside traffic (coming from the WAN) and Internet traffic?
The T3 is configured as follows:
interface Serial1/0
description *** DS-3 Connection ***
bandwidth 44210
no ip address
encapsulation frame-relay IETF
ip route-cache flow
dsu bandwidth 44210
service-policy input Inbound
service-policy output Outbound
hold-queue 250 in
hold-queue 2000 out
!
interface Serial1/0.16 point-to-point
description *** MPLS Network ***
ip address BLAH
ip wccp 61 redirect out
ip wccp 62 redirect in
ip pim sparse-mode
ip nat inside
no ip virtual-reassembly
zone-member security inside
snmp trap link-status
frame-relay interface-dlci 16
!
interface Serial1/0.618 point-to-point
description *** DIA ***
ip address BLAH 255.255.255.252
ip information-reply
ip nbar protocol-discovery
ip nat outside
no ip virtual-reassembly
zone-member security outside
snmp trap link-status
frame-relay interface-dlci 618
 crypto map CRYMAP
-
dtlokee Member Posts: 2,378
I am not completely sure what you mean by inside traffic vs Internet traffic. I see you have the encapsulation set to frame relay and multiple point-to-point subinterfaces; is one the termination of the Internet circuit and the other the MPLS network? If that is the case you should look into VRF-lite, which will allow you to put each into its own VRF (along with a subinterface on the ethernet side), which will prevent traffic from leaking between the different connections due to separate routing tables.
The only easy day was yesterday!
-
mattsthe2 Member Posts: 304
What I mean by Inside is basically WAN traffic from our remote sites, which we would deem a trusted interface, vs the other sub-interface, which is an Internet interface. The encapsulation frame-relay is a requirement for us to set from the ISP.
I'll look into the VRF-lite. Sounds complicated.
A few questions on this VRF:
1) Our edge router is a 3845; is VRF supported on the 3845?
2) With currently only one ethernet cable running from the 3845 to the switch, would we have to use an additional ethernet cable?
So sub-interface MPLS tied to gi0/1 port on the 3845
and
sub-interface DIA tied to gi0/1 port on the 3845
Last question:
What about passing all traffic into the ASA (inside and outside), would that design work?
thanks,
-
dtlokee Member Posts: 2,378
I have done something like this:

ip vrf INTERNET
ip vrf INSIDE
!
interface serial 0/0.100 point-to-point
 ip vrf forwarding INTERNET
 ip address 1.1.1.1 255.255.255.252
!
interface serial 0/0.200 point-to-point
 ip vrf forwarding INSIDE
 ip address 2.2.1.1 255.255.255.252
!
int fa0/0.100
 encapsulation dot1q 100
 ip vrf forwarding INTERNET
 ip address 1.1.2.1 255.255.255.0
!
int fa0/0.200
 encapsulation dot1q 200
 ip vrf forwarding INSIDE
 ip address 2.2.2.1 255.255.255.0

Now for some static routes to forward all traffic to the firewall behind the edge router.

ip route vrf INSIDE 0.0.0.0 0.0.0.0 2.2.2.2
! -- assuming 2.2.2.2 is the firewall's inside address
ip route vrf INTERNET 2.2.2.0 255.255.255.0 1.1.2.2
! -- assuming 1.1.2.2 is the firewall's outside address

You need to add an additional static route for each inside network, or if everything is NAT translated by the ASA then you just need a route to the translated address (which should be connected anyhow). This will force any traffic received on the INSIDE connection on the T3 to hairpin through the ASA.
The only easy day was yesterday!
-
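A fuller worked version of the VRF-lite design from the post above, covering the router, the switch and the ASA side that the post leaves implicit. This is an added example, not dtlokee's or Cisco's own configuration. It reuses the DLCIs (16, 618) and Gi0/1 from mattsthe2's posted config; everything else is an assumption: VLANs 100/200, the 1.1.1.0/30 and 2.2.1.0/30 circuit subnets, 1.1.2.0/24 and 2.2.2.0/24 for the router-to-ASA links, 203.0.113.0/24 as the public netblock, 10.0.0.0/8 as the remote-site WAN space, and ASA 8.2-style NAT syntax.

```cisco
! === 3845 edge router (VRF-lite) ===
! Two routing tables: INTERNET (DIA) and INSIDE (MPLS WAN). The ASA is the
! only device with a leg in both, so the only path between them is the
! firewall. Addresses, VLANs and netblocks are assumed.
ip vrf INTERNET
 description Untrusted: DIA circuit and ASA outside
ip vrf INSIDE
 description Trusted: MPLS WAN and ASA inside
!
interface Serial1/0
 no ip address
 encapsulation frame-relay IETF
!
! "ip vrf forwarding" clears the interface IP address, so set the VRF
! first, then the address. The old "ip nat" / "zone-member" lines are
! gone on purpose: that job moves to the ASA.
interface Serial1/0.16 point-to-point
 description MPLS WAN (trusted)
 ip vrf forwarding INSIDE
 ip address 2.2.1.1 255.255.255.252
 frame-relay interface-dlci 16
!
interface Serial1/0.618 point-to-point
 description DIA (untrusted)
 ip vrf forwarding INTERNET
 ip address 1.1.1.1 255.255.255.252
 frame-relay interface-dlci 618
!
! One physical link to the switch, one dot1q subinterface per VRF.
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.100
 description VLAN 100 -> ASA outside
 encapsulation dot1Q 100
 ip vrf forwarding INTERNET
 ip address 1.1.2.1 255.255.255.0
!
interface GigabitEthernet0/1.200
 description VLAN 200 -> ASA inside
 encapsulation dot1Q 200
 ip vrf forwarding INSIDE
 ip address 2.2.2.1 255.255.255.0
!
! INTERNET VRF: default to the ISP; the public block the ASA NATs to
! (assumed 203.0.113.0/24) points at the ASA outside address.
ip route vrf INTERNET 0.0.0.0 0.0.0.0 1.1.1.2
ip route vrf INTERNET 203.0.113.0 255.255.255.0 1.1.2.2
! INSIDE VRF: remote sites (assumed 10.0.0.0/8) via the MPLS PE,
! everything else forced through the ASA inside. Neither VRF has a
! route into the other.
ip route vrf INSIDE 10.0.0.0 255.0.0.0 2.2.1.2
ip route vrf INSIDE 0.0.0.0 0.0.0.0 2.2.2.2

! === Switch: trunk to the router, one access port per ASA interface ===
vlan 100
 name ASA-OUTSIDE
vlan 200
 name ASA-INSIDE
interface GigabitEthernet1/1
 description Trunk to 3845 Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200
interface GigabitEthernet1/2
 description ASA Gi0/0 (outside)
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet1/3
 description ASA Gi0/1 (inside)
 switchport mode access
 switchport access vlan 200

! === ASA (8.2-style NAT syntax assumed) ===
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.2.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 2.2.2.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.1.2.1
route inside 10.0.0.0 255.0.0.0 2.2.2.1
! PAT everything from inside to one address out of the public block that
! the router's INTERNET VRF already routes to this interface.
global (outside) 1 203.0.113.10
nat (inside) 1 0.0.0.0 0.0.0.0
```

The check worth running after the cut-over is `show ip route vrf INTERNET` on the 3845: it should contain only the ISP default, the two connected subnets and the public block via 1.1.2.2. If 10.0.0.0/8 or 2.2.2.0/24 ever shows up there, something has been leaked between the VRFs and Internet traffic has a path around the firewall. The point of the split is exactly that the untrusted table has no route into the trusted side except through the ASA; removing the router's own `ip nat`, `zone-member` and `crypto map` lines at the same time keeps the ASA as the single place where that policy is enforced.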
mattsthe2 Member Posts: 304
DT, I bow down to your Cisco boots. The VRF solution does sound pretty nifty.
However I just got advice from another guru about implementing a traditional (inline) deployment.
ROUTER----ASA
6K_Switch
In this design model all traffic (Inside or Outside) from the edge router will pass through the ASA and out the relevant ASA interface.
No encapsulation will be required on the edge.
Our BGP public netblock will just have a static route on the edge router with a next-hop IP of the outside ASA interface, then NAT0 (for WAN traffic) or NAT will occur as well as inspection and routing, finally egressing to the switch.
For VPN access (which will now move from the edge to the ASA) we will have a static NAT on the edge which will basically NAT the public VPN address to the outside ASA interface.
Again this is very much in the early design phase, and we're not sure if that design will even work.
I'll put together a diagram and post shortly which will explain this more clearly.
Just putting the ideas out there.