1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Cisco 2811 + DSL to ASA 5520

Discussion in 'Networking' started by CiscoNewb, Sep 20, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. CiscoNewb

    CiscoNewb Thread Starter

    Joined:
    Nov 8, 2007
    Messages:
    6
    Hello All!

    I'm in the process of configuring some Cisco gear and learning as I go.
    I have a pair of ASA 5520's configured for Active/Standby configuration
    with an inside, DMZ and outside using a single context.

    Hosts in the DMZ are using private addresses. I've got the inside
    working fine and hosts in the DMZ can access those hosts at the
    inside interface they require.

    I'm now ready to work my way up to the outside interface and my 2811
    routers. I picked the DSL to start on first but what I thought was going
    to be straightforward isn't looking that way. I'm a wee bit confused
    and I'm hoping someone can point me in the right direction.

    I have a DSL connection setup on the 2811 and I can establish a
    link to the ISP with no problem. Once up, I am able to ping outside
    hosts from within the router.

    I was given the following info from the ISP (addresses masked to
    protect the innocent):

    Gateway: xxx.yyy.126.137
    IPs: xxx.yyy.126.138 - xxx.yyy.126.142 (five total)
    Subnet: 255.255.255.248

    Note: dialer1 interface in 2811 has the gateway address as it's IP address
    statically defined.

    I found an example on Cisco for a PIX/ASA setup using a single ISP
    which made me think the solution would be to:

    1) Assign one of the IP addresses (lets pick xxx.yyy.126.138) to the
    inside interface of the 2811 (FA0/0 in this case).

    2) Create sub-interfaces on the ASA interface, assigning each one of the
    remaining public ip addresses from above.

    3) Then setup NAT to translate between the Inside, DMZ and these public
    addresses.

    Unfortunately I'm getting stuck at #1. When I try to assign that address
    to FA0/0 (2811) it spits out an error:

    "% xxx.yyy.126.136 overlaps with Dialer1"

    I can see the IP address on the interface with show run but it will not
    allow me to "no shutdown" the interface... So clearly I'm doing something
    stupid here but I can't find any examples in my books or online to
    get me pointed the right way.

    I know in the past when I played with this router I was able to configure things
    if I had NAT configured on it but I was hoping to avoid that and keep it on
    the ASA only. The final goal is to connect my three 2811's to the ASA's and configure the 2811's for GLBP which from what I read is messy with NAT on the
    router.

    Any help would be greatly appreciated!!!

    Terry

    P.S. -> I didn't include the router config since it only has a basic DSL setup
    and an attempt at configuring FA0/0 - didn't think I needed to post it. If
    needed, I can.
     
  2. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,271
    If you assign another public IP address in the pool you have to the inside interface of the 2811, it's not going to like and is behaving correctly as you've described. The reason is that the 2811 is a router. To have two interfaces on the same subnet violates the 2811's core function which is to be a router. You need to assign a private or some other IP address to the inside interface of the 2811. Just becareful if you choose to use a routeable address for the inside interface.

    Why are you creating sub-interfaces? There's absolutely no need to use sub-interfaces here.
     
  3. CiscoNewb

    CiscoNewb Thread Starter

    Joined:
    Nov 8, 2007
    Messages:
    6
    Hi zx10guy!

    Thanks for the response! The explanation makes sense, I can see now that what I was
    trying was wrong and why it's wrong.

    What I have is this:

    - 3 connections from different ISPs: DSL, Microwave [DOCSIS] and a T1.
    Each has 5 different IP addresses allocated to us for a total of 15.
    - 3 2811 Routers with appropriate interfaces for previously mentioned connections
    - 2 ASA 5520's with optional 4 port Gig Switch modules
    - 4 2960 Switches - 2 for DMZ, 2 for Inside... Note: 2 switches each in
    order to allow each host to have dual connections (teaming/bonding).

    In the DMZ I have web servers in one VLAN, application servers for wireless mobile
    devices in another VLAN.

    In the "INSIDE" I have databases, other hosts as well as desktops. These are
    all segregated into their own VLANs.

    There are more VLANs in both the INSIDE and DMZ that I'm leaving out in the interests
    of simplicity. If I can get the setup to work for the ones I mentioned, the others
    will follow the same pattern.

    I have everything configured and working well with the switches and the ASA's as
    far as failover and controlling/routing traffic between INSIDE & DMZ are concerned.
    Last hurdle is the OUTSIDE (from ASA's perspective).

    What I'm trying to do is this:

    1) Allow the application servers (DMZ) to be reachable from the Internet. One address
    from each of the three ISP pools is reserved for this.

    2) Allow the web servers to be reachable from one of the other IP addresses from
    the T1's pool. In the future, perhaps allow access from an IP address on each
    of the other interfaces as well. Set them up as additional records under our
    domain name.

    3) Allow the office computers to have outbound access to the internet that is made
    redundant and load balanced across the three ISP connections by using
    GLBP (Gateway Load Balancing Protocol) on the 2811's. One IP address from
    each of the three pools will be set aside to be used.

    4) Allow all other INSIDE hosts to have redundant outbound connections
    to the Internet using GLBP (as in #3 above) on a different set of IP addresses from
    the three pools.

    It's probably not necessary to designate that outbound traffic from the Office and
    other hosts be on separate IP addresses but I'd like to segregate it.

    5) Keep all address translations on the ASA's (they are capable of this and routing)
    and have the 2811's use public addresses only. From what I read on GLBP, as soon
    as you have address translation running on the router itself, you lose the load-balancing
    part of GLBP - you keep the virtual router redundancy aspect though.

    Keeping in mind # 5 above I then figured that I had to create sub-interfaces on the
    ASA and assign a public address to each one. I need someway of routing traffic
    back to the 2811's inside interface so I figured I had to assign it one of the public
    addresses which would then in effect become the "gateway" address for the ASA.
    In the ASA I'd setup the address translation to map the traffic to the appropriate
    addresses. This setup was intended just as a test to make sure I could get at least one
    router going with my config. After that I'd have to rework it a bit because GLBP would be
    added in the mix.

    Sorry for the long-winded explanation, just wanted to make sure you had as much
    info as possible to understand what I'm trying to accomplish...

    Running your suggestion through my limited pool of experience with Cisco translates
    into the following actions:

    1) Throw out the sub-interfaces, not going to work. Done.

    2) Configure the inside interface of the 2811 to have a private IP.

    3) Configure the corresponding outside interface of the ASA 5520 to have
    an address within the same subnet... e.g. 2811->FA0/0->1.2.3.4 and
    ASA 5520->G0/0->1.2.3.5.

    4) Setup static routing within the ASA 5520 for each subnet that requires it so that an
    an outbound connection to the Internet is routed to the 2811's inside interface
    (1.2.3.4) from above.

    5) On the 2811, configure NAT such that an address from the Office subnet is mapped
    to my desired public IP address, for example. Repeat for Hosts on other subnets
    that I want on an alternate public IP address.

    6) For inbound connections to the DMZ I again setup a translation from the public
    IP address to the private IP address of the DMZ host. Since I'm not using any
    routing protocols I'm guessing that I would then have to build static routes that
    would direct traffic to the ASA's OUTSIDE interface (1.2.3.5 from #3 above).

    I hope that's right or at least close to the right answer... Does it sound right to you?

    Although it's not a show-stopper, I would like to avoid NAT on the 2811 if it's at
    all possible so as to keep the full load-balancing capability of GLBP. Is there
    a simple alternative that would allow me to keep NAT on the ASA and public only
    on the 2811?

    Two things that come to mind are:

    A) Configure the 2811 as a bridge (if that's possible), stick a pub IP on the OUTSIDE
    ASA interface, setup a static route so that Internet bound packets are sent out
    this interface and then use address translation on the ASA to map internal to
    public addresses?

    B) Have each of my ISPs provided me with a next-hop address that is outside of the
    subnets provided to me... Then take one of the pub addresses I have, assign it
    to the INSIDE interface of the 2811, take another and assign to the OUTSIDE of the
    ASA and then use address translation in the ASA to access the remaining 3?

    (A) Sounds like it might work... Do you see a downside to this way?

    (B) Assuming I could get the ISP's to do this, it feels clunky to me...

    Some additional things that might really impact the stuff above:

    A) Each router is connected to both ASA's... So FA0/0 from each of the three
    routers is connected to g0/0-g0/2 of ASA #1 respectively and FA0/1 is connected
    to g0/0-g0/2 of ASA #2 respectively.

    The ASA's allow for configuring redundant interface pairs. I have used this with
    the IN and DMZ sides. If one interface, it's connection to it's corresponding switch,
    or the switch itself go poof, the secondary interface comes up on the alternate
    switch.

    I can't use this feature to address the routers... If there's a similar feature on the
    2811 (I have to check, but doubt it) I guess I could make FA0/0 and FA1/1 a
    redundant pair on each...?

    If not, how would someone go about insuring redundancy on the outside links so
    that each ASA has a connection to all three routers. If I remember correctly,
    I think the ASA allows you to configure a redundant "gateway", up to 3 or maybe
    more. So barring some other solution, I'm guessing I would have to configure the
    INSIDE addresses for each of the routers using this feature?

    B) I intend to use GLBP for outbound connection fault-tolerance and load-balancing. I
    have to re-read all the docs on it but I believe it can work with points 1 - 6 above.

    I'm sorry if all of this stuff is really basic, it probably is. I'm a part owner in a company and
    my primary hat is software development, there's about 50 other hats thrown into that
    mix too. ;) We could certainly bring in a Cisco certified consultant to get it all setup
    but I'd prefer to learn this stuff from the ground up and know how it works so that
    when something breaks, I know how to fix it. Eventually I plan to take some
    courses and work up to a certification but right now there isn't time for that. :(

    I appreciate the help!
     
  4. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,271
    I'll have to sift through the additional information you've provided to address all the points you've presented. But one thing which is sticking out with me is your use of GLBP. GLBP is not going to do what you're thinking it's going to do for you. If I may, let me give a quick talk about GLBP.

    GLBP stands for gateway load balance protocol. GLBP is an enhancement/evolution over other router redundancy protocols like HSRP and VRRP. GLBP in a nutshell allows the ability to have router/gateway redundancy but also allow an active/active scenario instead of an active/standby situation which HSRP operates under. What this allows you to do is to utilize equipment resources which otherwise would sit idle waiting for a failure of the primary router. GLBP allows you to have redundancy but also load balancing through the use of available routers configured as part of the group.

    So how does GLBP work? GLBP works by creating a VIP for the default gateway. Each member router will also have an associated real IP and real MAC. In a standard GLBP scenario, there is an AVG and a VF. The AVG (or active virtual gateway) listens for arp requests to the default gateway address....in this case the VIP assigned to the GLBP group. The AVG then hands off the MAC address (which is also a virtual MAC assigned to the member router) to the requesting device. At this point the client then talks directly to the router who's virtual MAC the client has. The router servicing this traffic is known as a VF or virtual forwarder. The AVG can also be a VF. There can only be one active AVG in a GLBP group. If you don't manually assign a router to be the AVG, the AVG is determined by group election. A standby AVG is also set either by manual configuration or election. You can have more than 2 routers in a GLBP group. The others will just be VFs which will only be in the listening mode when you do a show glbp brief command to see the status of the GLBP group(s). The way VFs are assigned to clients can be done in three ways. First is round robin which is the default configuration. Second is by weighting. You can weight the router's preference so traffic will more likely go to those routers which have a higher priority. Lastly, you can do VF assignments based on pinning the traffic between a router and the client.

    So basically, GLBP will not load balance against multiple WAN connections. To get load balancing on WAN links you'll have to utilize a routing protocol like BGP.

    Oh, and the reason why I know so much about GLBP is because I've configured GLBP setups at my job using Catalyst 6500 switches.

    Give me some time to sift through the rest of your information. I just wanted to shoot off an immediate reply on what I saw was already a misunderstanding which would lead you down the wrong path and waste your time unnecessarily. Also, it's going to change your model of your network design.
     
  5. potatoboy

    potatoboy

    Joined:
    Oct 1, 2008
    Messages:
    1
    hello,

    did anyone got this working? i have a similar setup , I am trying to get asa and 2811 to talk using multiple security contexts, one context is below

    interface prod_outside
    nameif outside
    security-level 0
    ip address xxx.yyy.135.133 255.255.255.224
    asr-group 1

    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
    ip address xxx.yyy.135.149 255.255.255.224
    duplex auto
    speed auto

    I am using security contexts on the ASA and the interfaces are in up
    up but I cant ping 1 address from the other
    thanks
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Cisco 2811 5520
  1. willymwangi
    Replies:
    2
    Views:
    235
  2. nitehawk645
    Replies:
    3
    Views:
    481
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/751809

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice