Cisco 2811 + DSL to ASA 5520

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

CiscoNewb

Thread Starter
Joined
Nov 8, 2007
Messages
6
Hello All!

I'm in the process of configuring some Cisco gear and learning as I go.
I have a pair of ASA 5520's configured for Active/Standby configuration
with an inside, DMZ and outside using a single context.

Hosts in the DMZ are using private addresses. I've got the inside
working fine and hosts in the DMZ can access those hosts at the
inside interface they require.

I'm now ready to work my way up to the outside interface and my 2811
routers. I picked the DSL to start on first but what I thought was going
to be straightforward isn't looking that way. I'm a wee bit confused
and I'm hoping someone can point me in the right direction.

I have a DSL connection setup on the 2811 and I can establish a
link to the ISP with no problem. Once up, I am able to ping outside
hosts from within the router.

I was given the following info from the ISP (addresses masked to
protect the innocent):

Gateway: xxx.yyy.126.137
IPs: xxx.yyy.126.138 - xxx.yyy.126.142 (five total)
Subnet: 255.255.255.248

Note: the Dialer1 interface on the 2811 has the gateway address as its IP address,
statically defined.

I found an example on Cisco for a PIX/ASA setup using a single ISP
which made me think the solution would be to:

1) Assign one of the IP addresses (lets pick xxx.yyy.126.138) to the
inside interface of the 2811 (FA0/0 in this case).

2) Create sub-interfaces on the ASA interface, assigning each one of the
remaining public ip addresses from above.

3) Then setup NAT to translate between the Inside, DMZ and these public
addresses.

Unfortunately I'm getting stuck at #1. When I try to assign that address
to FA0/0 (2811) it spits out an error:

"% xxx.yyy.126.136 overlaps with Dialer1"

I can see the IP address on the interface with show run but it will not
allow me to "no shutdown" the interface... So clearly I'm doing something
stupid here but I can't find any examples in my books or online to
get me pointed the right way.

I know in the past when I played with this router I was able to configure things
if I had NAT configured on it but I was hoping to avoid that and keep it on
the ASA only. The final goal is to connect my three 2811's to the ASA's and configure the 2811's for GLBP which from what I read is messy with NAT on the
router.

Any help would be greatly appreciated!!!

Terry

P.S. -> I didn't include the router config since it only has a basic DSL setup
and an attempt at configuring FA0/0 - didn't think I needed to post it. If
needed, I can.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,647
If you assign another public IP address from the pool you have to the inside interface of the 2811, it's not going to like it, and it is behaving correctly as you've described. The reason is that the 2811 is a router. To have two interfaces on the same subnet violates the 2811's core function, which is to be a router. You need to assign a private or some other IP address to the inside interface of the 2811. Just be careful if you choose to use a routable address for the inside interface.

Why are you creating sub-interfaces? There's absolutely no need to use sub-interfaces here.
 

CiscoNewb

Thread Starter
Joined
Nov 8, 2007
Messages
6
Hi zx10guy!

Thanks for the response! The explanation makes sense, I can see now that what I was
trying was wrong and why it's wrong.

What I have is this:

- 3 connections from different ISPs: DSL, Microwave [DOCSIS] and a T1.
Each has 5 different IP addresses allocated to us for a total of 15.
- 3 2811 Routers with appropriate interfaces for previously mentioned connections
- 2 ASA 5520's with optional 4 port Gig Switch modules
- 4 2960 Switches - 2 for DMZ, 2 for Inside... Note: 2 switches each in
order to allow each host to have dual connections (teaming/bonding).

In the DMZ I have web servers in one VLAN, application servers for wireless mobile
devices in another VLAN.

In the "INSIDE" I have databases, other hosts as well as desktops. These are
all segregated into their own VLANs.

There are more VLANs in both the INSIDE and DMZ that I'm leaving out in the interests
of simplicity. If I can get the setup to work for the ones I mentioned, the others
will follow the same pattern.

I have everything configured and working well with the switches and the ASA's as
far as failover and controlling/routing traffic between INSIDE & DMZ are concerned.
Last hurdle is the OUTSIDE (from ASA's perspective).

What I'm trying to do is this:

1) Allow the application servers (DMZ) to be reachable from the Internet. One address
from each of the three ISP pools is reserved for this.

2) Allow the web servers to be reachable from one of the other IP addresses from
the T1's pool. In the future, perhaps allow access from an IP address on each
of the other interfaces as well. Set them up as additional records under our
domain name.

3) Allow the office computers to have outbound access to the internet that is made
redundant and load balanced across the three ISP connections by using
GLBP (Gateway Load Balancing Protocol) on the 2811's. One IP address from
each of the three pools will be set aside to be used.

4) Allow all other INSIDE hosts to have redundant outbound connections
to the Internet using GLBP (as in #3 above) on a different set of IP addresses from
the three pools.

It's probably not necessary to designate that outbound traffic from the Office and
other hosts be on separate IP addresses but I'd like to segregate it.

5) Keep all address translations on the ASA's (they are capable of this and routing)
and have the 2811's use public addresses only. From what I read on GLBP, as soon
as you have address translation running on the router itself, you lose the load-balancing
part of GLBP - you keep the virtual router redundancy aspect though.

Keeping in mind # 5 above I then figured that I had to create sub-interfaces on the
ASA and assign a public address to each one. I need someway of routing traffic
back to the 2811's inside interface so I figured I had to assign it one of the public
addresses which would then in effect become the "gateway" address for the ASA.
In the ASA I'd setup the address translation to map the traffic to the appropriate
addresses. This setup was intended just as a test to make sure I could get at least one
router going with my config. After that I'd have to rework it a bit because GLBP would be
added in the mix.

Sorry for the long-winded explanation, just wanted to make sure you had as much
info as possible to understand what I'm trying to accomplish...

Running your suggestion through my limited pool of experience with Cisco translates
into the following actions:

1) Throw out the sub-interfaces, not going to work. Done.

2) Configure the inside interface of the 2811 to have a private IP.

3) Configure the corresponding outside interface of the ASA 5520 to have
an address within the same subnet... e.g. 2811->FA0/0->1.2.3.4 and
ASA 5520->G0/0->1.2.3.5.

4) Setup static routing within the ASA 5520 for each subnet that requires it so that an
an outbound connection to the Internet is routed to the 2811's inside interface
(1.2.3.4) from above.

5) On the 2811, configure NAT such that an address from the Office subnet is mapped
to my desired public IP address, for example. Repeat for Hosts on other subnets
that I want on an alternate public IP address.

6) For inbound connections to the DMZ I again setup a translation from the public
IP address to the private IP address of the DMZ host. Since I'm not using any
routing protocols I'm guessing that I would then have to build static routes that
would direct traffic to the ASA's OUTSIDE interface (1.2.3.5 from #3 above).

I hope that's right or at least close to the right answer... Does it sound right to you?

Although it's not a show-stopper, I would like to avoid NAT on the 2811 if it's at
all possible so as to keep the full load-balancing capability of GLBP. Is there
a simple alternative that would allow me to keep NAT on the ASA and public only
on the 2811?

Two things that come to mind are:

A) Configure the 2811 as a bridge (if that's possible), stick a pub IP on the OUTSIDE
ASA interface, setup a static route so that Internet bound packets are sent out
this interface and then use address translation on the ASA to map internal to
public addresses?

B) Have each of my ISPs provided me with a next-hop address that is outside of the
subnets provided to me... Then take one of the pub addresses I have, assign it
to the INSIDE interface of the 2811, take another and assign to the OUTSIDE of the
ASA and then use address translation in the ASA to access the remaining 3?

(A) Sounds like it might work... Do you see a downside to this way?

(B) Assuming I could get the ISPs to do this, it feels clunky to me...

Some additional things that might really impact the stuff above:

A) Each router is connected to both ASA's... So FA0/0 from each of the three
routers is connected to g0/0-g0/2 of ASA #1 respectively and FA0/1 is connected
to g0/0-g0/2 of ASA #2 respectively.

The ASA's allow for configuring redundant interface pairs. I have used this with
the IN and DMZ sides. If one interface, its connection to its corresponding switch,
or the switch itself goes poof, the secondary interface comes up on the alternate
switch.

I can't use this feature to address the routers... If there's a similar feature on the
2811 (I have to check, but doubt it) I guess I could make FA0/0 and FA1/1 a
redundant pair on each...?

If not, how would someone go about ensuring redundancy on the outside links so
that each ASA has a connection to all three routers? If I remember correctly,
I think the ASA allows you to configure a redundant "gateway", up to 3 or maybe
more. So barring some other solution, I'm guessing I would have to configure the
INSIDE addresses for each of the routers using this feature?

B) I intend to use GLBP for outbound connection fault-tolerance and load-balancing. I
have to re-read all the docs on it but I believe it can work with points 1 - 6 above.

I'm sorry if all of this stuff is really basic, it probably is. I'm a part owner in a company and
my primary hat is software development, there's about 50 other hats thrown into that
mix too. ;) We could certainly bring in a Cisco certified consultant to get it all setup
but I'd prefer to learn this stuff from the ground up and know how it works so that
when something breaks, I know how to fix it. Eventually I plan to take some
courses and work up to a certification but right now there isn't time for that. :(

I appreciate the help!
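The plan in steps 2 through 6 above, written out as a sample config (added here as an illustration, not the poster's or Cisco's own config). It assumes a constructed private /30 transit subnet 192.168.255.0/30 between 2811 FA0/0 and the ASA outside interface, constructed internal subnets 10.10.0.0/24 (office) and 10.20.0.0/24 (DMZ), and the documentation block 203.0.113.136/29 standing in for the masked ISP pool:

```cisco
! ---- 2811 ----
! Inside link toward the ASA: private transit /30, NOT an address from the ISP pool,
! so it no longer overlaps with the /29 already living on Dialer1 (constructed addresses)
interface FastEthernet0/0
 description Transit to ASA outside
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
 no shutdown
!
interface Dialer1
 ip nat outside
!
! Step 6: inbound to a DMZ application server, one public address per server
ip nat inside source static 10.20.0.10 203.0.113.138
!
! Step 5: office subnet leaves on its own public address (PAT)
ip access-list standard OFFICE-HOSTS
 permit 10.10.0.0 0.0.0.255
ip nat pool OFFICE-POOL 203.0.113.139 203.0.113.139 netmask 255.255.255.248
ip nat inside source list OFFICE-HOSTS pool OFFICE-POOL overload
!
! Return routes: internal subnets sit behind the ASA outside interface (step 6)
ip route 10.10.0.0 255.255.255.0 192.168.255.2
ip route 10.20.0.0 255.255.255.0 192.168.255.2
ip route 0.0.0.0 0.0.0.0 Dialer1

! ---- ASA 5520 ----
! Step 3: outside interface in the same transit /30
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252
 no shutdown
!
! Step 4: everything Internet-bound goes to the 2811's inside address
route outside 0.0.0.0 0.0.0.0 192.168.255.1
!
! Translation is on the 2811 here, so the ASA sees the real DMZ address on the
! outside; permit only the service that should be exposed (least privilege)
access-list OUTSIDE_IN extended permit tcp any host 10.20.0.10 eq 80
access-group OUTSIDE_IN in interface outside
```

With this layout the 2811 is doing the NAT, which is exactly the trade-off the post worries about for GLBP; the ASA only routes and filters.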
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,647
I'll have to sift through the additional information you've provided to address all the points you've presented. But one thing which is sticking out with me is your use of GLBP. GLBP is not going to do what you're thinking it's going to do for you. If I may, let me give a quick talk about GLBP.

GLBP stands for gateway load balance protocol. GLBP is an enhancement/evolution over other router redundancy protocols like HSRP and VRRP. GLBP in a nutshell allows the ability to have router/gateway redundancy but also allow an active/active scenario instead of an active/standby situation which HSRP operates under. What this allows you to do is to utilize equipment resources which otherwise would sit idle waiting for a failure of the primary router. GLBP allows you to have redundancy but also load balancing through the use of available routers configured as part of the group.

So how does GLBP work? GLBP works by creating a VIP for the default gateway. Each member router will also have an associated real IP and real MAC. In a standard GLBP scenario, there is an AVG and a VF. The AVG (or active virtual gateway) listens for ARP requests to the default gateway address....in this case the VIP assigned to the GLBP group. The AVG then hands off the MAC address (which is also a virtual MAC assigned to the member router) to the requesting device. At this point the client then talks directly to the router whose virtual MAC the client has. The router servicing this traffic is known as a VF or virtual forwarder. The AVG can also be a VF. There can only be one active AVG in a GLBP group. If you don't manually assign a router to be the AVG, the AVG is determined by group election. A standby AVG is also set either by manual configuration or election. You can have more than 2 routers in a GLBP group. The others will just be VFs which will only be in the listening mode when you do a show glbp brief command to see the status of the GLBP group(s). The way VFs are assigned to clients can be done in three ways. First is round robin which is the default configuration. Second is by weighting. You can weight the router's preference so traffic will more likely go to those routers which have a higher priority. Lastly, you can do VF assignments based on pinning the traffic between a router and the client.

So basically, GLBP will not load balance against multiple WAN connections. To get load balancing on WAN links you'll have to utilize a routing protocol like BGP.

Oh, and the reason why I know so much about GLBP is because I've configured GLBP setups at my job using Catalyst 6500 switches.

Give me some time to sift through the rest of your information. I just wanted to shoot off an immediate reply on what I saw was already a misunderstanding which would lead you down the wrong path and waste your time unnecessarily. Also, it's going to change your model of your network design.
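A minimal GLBP group on two of the 2811s, added here to make the AVG/VF/VIP roles and the weighting method above concrete (illustrative config, not zx10guy's or Cisco's). It assumes a constructed shared segment 192.168.255.0/24 on which both routers' FA0/0 and the ASA outside interface sit (GLBP needs a common LAN, so a switch rather than the direct router-to-ASA cabling described earlier), VIP 192.168.255.1, and a constructed track object so a router whose DSL link drops stops forwarding:

```cisco
! ---- Router A (preferred AVG) ----
track 10 interface Dialer1 line-protocol
!
interface FastEthernet0/0
 ip address 192.168.255.2 255.255.255.0
 glbp 1 ip 192.168.255.1
 glbp 1 priority 150
 glbp 1 preempt
 ! AVG chooses how VFs are handed out: round-robin (default), weighted, host-dependent
 glbp 1 load-balancing weighted
 ! Weight 100; below 30 this router stops being a VF, above 60 it resumes
 glbp 1 weighting 100 lower 30 upper 60
 ! Losing the DSL line protocol drops the weight by 80, pulling it out of the VF pool
 glbp 1 weighting track 10 decrement 80
 glbp 1 timers 1 3
 no shutdown

! ---- Router B (standby AVG, lighter weight) ----
track 10 interface Dialer1 line-protocol
!
interface FastEthernet0/0
 ip address 192.168.255.3 255.255.255.0
 glbp 1 ip 192.168.255.1
 glbp 1 priority 100
 glbp 1 preempt
 glbp 1 load-balancing weighted
 glbp 1 weighting 50 lower 30 upper 60
 glbp 1 weighting track 10 decrement 40
 glbp 1 timers 1 3
 no shutdown

! ---- ASA 5520 outside: the only GLBP "client" in this design ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.255.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.255.1
```

Check the roles with "show glbp brief" on each router. Note what this buys and what it does not: the AVG hands out a virtual MAC per ARP request, so with the ASA as the single client on the segment it receives exactly one VF, which gives gateway failover but no spreading of traffic across routers, let alone across the three ISP links, which is the point made above.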
 
Joined
Oct 1, 2008
Messages
1
hello,

Did anyone get this working? I have a similar setup. I am trying to get the ASA and 2811 to talk using multiple security contexts; one context is below:

interface prod_outside
nameif outside
security-level 0
ip address xxx.yyy.135.133 255.255.255.224
asr-group 1

interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address xxx.yyy.135.149 255.255.255.224
duplex auto
speed auto

I am using security contexts on the ASA and the interfaces are up/up,
but I can't ping one address from the other.
Thanks
 