Router--switch--asa

So we have an edge router that is doing everything your can possibly think (NAT, Firewall, VPN, MPLS Traffic, Internet traffic etc).
We bought some ASA's and want to offload the Firewall and VPN stuff to it.
From initial talks the physical layout will be router, switch and then ASA.

I always thought the ASA was inline to the router and swtich.

The idea is that we want to tag the various interfaces on the edge router (i guess by encapsulation dot1q VLAN_NUM), and then send somehow all that traffic through the switch and onto the ASA and back out to switch again.

Im having trouble understanding how i get the traffic from the router to the ASA.

Help! lol.

Find more posts tagged with

Comments

Ahriakin

Can you clarify a bit? Will your router still be providing your WAN connectivity or will the ASA be directly connected to the net?

mattsthe2

Thanks for the reply.

Basically we have a DS3 coming into the main edge router.
There are sub-interfaces configured under that DS3 for our WAN traffic and also a DIA (internet circuit). Both of these are physically coming in on the same circuit.

We also have another T3 for Internet from another provider, again coming into the same edge router.

So to answer your question yes the edge router will still be providing WAN connectivity.

dtlokee

You either need to use L3 routes to forward the traffic to the ASA and configure same security traffic permit-intra interface (or inter-interface if using subinterfaces at the same security level), NAT rules (if needed) access-lists (if needed). If using different VLANs you also have the option of using transparent mode but you can only have 2 interfaces and it will wipe out the configuration so don't do this on your existing production ASA.

When you say subinterfaces under the T3 I am assuming you mean different channel-groups?

mattsthe2

ok dt you made me think of something.

This "encapsulation dot1q VLAN" on the different circuits on the edge router will not work.
You can't tag encapsulation on sub interfaces.

How do i distinguish between Inside traffic (coming from the wan) to Internet traffic?

The T3 is configued as follows:

interface Serial1/0
description *** DS-3 Connection ***
bandwidth 44210
no ip address
encapsulation frame-relay IETF
ip route-cache flow
dsu bandwidth 44210
service-policy input Inbound
service-policy output Outbound
hold-queue 250 in
hold-queue 2000 out
!
interface Serial1/0.16 point-to-point
description *** MPLS Network ***
ip address BLAH
ip wccp 61 redirect out
ip wccp 62 redirect in
ip pim sparse-mode
ip nat inside
no ip virtual-reassembly
zone-member security inside
snmp trap link-status
frame-relay interface-dlci 16
!
interface Serial1/0.618 point-to-point
description *** DIA ***
ip address BLAH 255.255.255.252
ip information-reply
ip nbar protocol-discovery
ip nat outside
no ip virtual-reassembly
zone-member security outside
snmp trap link-status
frame-relay interface-dlci 618
crypto map CRYMAP

dtlokee

I am not completely sure what you mean by inside traffic vs Internet traffic. I see you have the encapsulation set to frame relay and multiple point to point subinterfaces, is one the termination of the Internet circuit and the other is the MPLS network? If that is the case you should look into VRF lite wich will allow you to put each into it's own VRF (along with a aub interface on the ethernet side) which will prevent traffic from leaking between the different connections due to seperate routing traffic.

mattsthe2

What i mean by Inside is basically WAN traffic from our remote sites that we would deem a trusted interface vs the other sub-interface which an internet interface. The encapsulation frame-relay is a requirement for us to set from the ISP.

I'll look into the VRF-lite. Sounds complicated.

A few questions on this VRF:

1) our edge router is 3845, is VRF supported on the 3845
2) With currently only one ethernet cable running from the 3845 to the switch, would we have use an additional ethernet cable.

So Sub-interface MPLS tied to gi0/1 port on the 3845
and
Sub-interface DIA tied to gi0/1 port on the 3845

Last question:

What about passing all traffic into the ASA (inside and outisde) would that design work?

thanks,

dtlokee

I have done somthing like this:

ip vrf INTERNET
 
ip vrf INSIDE
 
interface serial 0/0.100 point-to-point
 ip vrf forwarding INTERNET
 ip address 1.1.1.1 255.255.255.252
 
 
interface serial 0/0.200 point-to-point
 ip vrf forwarding INSIDE 
 ip address 2.2.1.1 255.255.255.252
 
 
int fa0/0.100
 encapsulation dot1q 100
 ip vrf forwarding INTERNET
 ip address 1.1.2.1 255.255.255.0
 
 
int fa0/0.200
 encapsulation dot1q 200
 ip vrf fprwarding INSIDE
 ip address 2.2.2.1 255.255.255.0

now for some static routes to forward all traffic to the firewall behind the edge router.

ip route vrf INSIDE 0.0.0.0 0.0.0.0 2.2.2.2  ! -- assuming 2.2.2.2 is the firewall.
 
ip route vrf INTERNET 2.2.2.0 255.255.255.0 1.1.2.2 ! -- assuming 1.1.2.1 is the firewall.

You need to add an additional static route for each inside network, or if everything is NAT translated by the ASA then you just need a route to the translated address (which should be connected anyhow). This will force any traffic received on the INSIDE connection on the T3 to hairpin through the ASA.

mattsthe2

DT i bow down to your Cisco boots. The VRF solution does sound pretty niffty.

However i just got advise from another guru about implementing a traditional (inline) deployment.

ROUTER----ASA

6K_Switch

In this design model all traffic (Inside or Outside) from the edge router will pass through the ASA and out the relevant ASA interface.

No encapsulation will be required on the edge.

our BGP Public netblock will just have a static route on the edge route with a next hop ip of the outside ASA interface, then NAT0(for WAN traffic) or NAT will occur as well as inspection and routing and finally egressing to the Switch.

For VPN access (which will now move from the edge to the ASA) we will have a static nat on the edge which will basically NAT the public vpn address to the outside ASA interface.

Again this is very much in the early design phase, and we're not sure if that design will even work.

I'll put together a diagram and post shortly which will explain this more clearly.

Just putting the ideas out there.