Cisco 2811 + DSL to ASA 5520

Hello All!

I'm in the process of configuring some Cisco gear and learning as I go.
I have a pair of ASA 5520's configured for Active/Standby configuration
with an inside, DMZ and outside using a single context.

Hosts in the DMZ are using private addresses. I've got the inside
working fine and hosts in the DMZ can access those hosts at the
inside interface they require.

I'm now ready to work my way up to the outside interface and my 2811
routers. I picked the DSL to start on first but what I thought was going
to be straightforward isn't looking that way. I'm a wee bit confused
and I'm hoping someone can point me in the right direction.

I have a DSL connection setup on the 2811 and I can establish a
link to the ISP with no problem. Once up, I am able to ping outside
hosts from within the router.

I was given the following info from the ISP (addresses masked to
protect the innocent):

Gateway: xxx.yyy.126.137
IPs: xxx.yyy.126.138 - xxx.yyy.126.142 (five total)
Subnet: 255.255.255.248

Note: dialer1 interface in 2811 has the gateway address as it's IP address
statically defined.

I found an example on Cisco for a PIX/ASA setup using a single ISP
which made me think the solution would be to:

1) Assign one of the IP addresses (lets pick xxx.yyy.126.138) to the
inside interface of the 2811 (FA0/0 in this case).

2) Create sub-interfaces on the ASA interface, assigning each one of the
remaining public ip addresses from above.

3) Then setup NAT to translate between the Inside, DMZ and these public
addresses.

Unfortunately I'm getting stuck at #1. When I try to assign that address
to FA0/0 (2811) it spits out an error:

"% xxx.yyy.126.136 overlaps with Dialer1"

I can see the IP address on the interface with show run but it will not
allow me to "no shutdown" the interface... So clearly I'm doing something
stupid here but I can't find any examples in my books or online to
get me pointed the right way.

I know in the past when I played with this router I was able to configure things
if I had NAT configured on it but I was hoping to avoid that and keep it on
the ASA only. The final goal is to connect my three 2811's to the ASA's and configure the 2811's for GLBP which from what I read is messy with NAT on the
router.

Any help would be greatly appreciated!!!

Terry

P.S. -> I didn't include the router config since it only has a basic DSL setup
and an attempt at configuring FA0/0 - didn't think I needed to post it. If
needed, I can.

 

Hi zx10guy!

Thanks for the response! The explanation makes sense, I can see now that what I was
trying was wrong and why it's wrong.

What I have is this:

- 3 connections from different ISPs: DSL, Microwave [DOCSIS] and a T1.
Each has 5 different IP addresses allocated to us for a total of 15.
- 3 2811 Routers with appropriate interfaces for previously mentioned connections
- 2 ASA 5520's with optional 4 port Gig Switch modules
- 4 2960 Switches - 2 for DMZ, 2 for Inside... Note: 2 switches each in
order to allow each host to have dual connections (teaming/bonding).

In the DMZ I have web servers in one VLAN, application servers for wireless mobile
devices in another VLAN.

In the "INSIDE" I have databases, other hosts as well as desktops. These are
all segregated into their own VLANs.

There are more VLANs in both the INSIDE and DMZ that I'm leaving out in the interests
of simplicity. If I can get the setup to work for the ones I mentioned, the others
will follow the same pattern.

I have everything configured and working well with the switches and the ASA's as
far as failover and controlling/routing traffic between INSIDE & DMZ are concerned.
Last hurdle is the OUTSIDE (from ASA's perspective).

What I'm trying to do is this:

1) Allow the application servers (DMZ) to be reachable from the Internet. One address
from each of the three ISP pools is reserved for this.

2) Allow the web servers to be reachable from one of the other IP addresses from
the T1's pool. In the future, perhaps allow access from an IP address on each
of the other interfaces as well. Set them up as additional records under our
domain name.

3) Allow the office computers to have outbound access to the internet that is made
redundant and load balanced across the three ISP connections by using
GLBP (Gateway Load Balancing Protocol) on the 2811's. One IP address from
each of the three pools will be set aside to be used.

4) Allow all other INSIDE hosts to have redundant outbound connections
to the Internet using GLBP (as in #3 above) on a different set of IP addresses from
the three pools.

It's probably not necessary to designate that outbound traffic from the Office and
other hosts be on separate IP addresses but I'd like to segregate it.

5) Keep all address translations on the ASA's (they are capable of this and routing)
and have the 2811's use public addresses only. From what I read on GLBP, as soon
as you have address translation running on the router itself, you lose the load-balancing
part of GLBP - you keep the virtual router redundancy aspect though.

Keeping in mind # 5 above I then figured that I had to create sub-interfaces on the
ASA and assign a public address to each one. I need someway of routing traffic
back to the 2811's inside interface so I figured I had to assign it one of the public
addresses which would then in effect become the "gateway" address for the ASA.
In the ASA I'd setup the address translation to map the traffic to the appropriate
addresses. This setup was intended just as a test to make sure I could get at least one
router going with my config. After that I'd have to rework it a bit because GLBP would be
added in the mix.

Sorry for the long-winded explanation, just wanted to make sure you had as much
info as possible to understand what I'm trying to accomplish...

Running your suggestion through my limited pool of experience with Cisco translates
into the following actions:

1) Throw out the sub-interfaces, not going to work. Done.

2) Configure the inside interface of the 2811 to have a private IP.

3) Configure the corresponding outside interface of the ASA 5520 to have
an address within the same subnet... e.g. 2811->FA0/0->1.2.3.4 and
ASA 5520->G0/0->1.2.3.5.

4) Setup static routing within the ASA 5520 for each subnet that requires it so that an
an outbound connection to the Internet is routed to the 2811's inside interface
(1.2.3.4) from above.

5) On the 2811, configure NAT such that an address from the Office subnet is mapped
to my desired public IP address, for example. Repeat for Hosts on other subnets
that I want on an alternate public IP address.

6) For inbound connections to the DMZ I again setup a translation from the public
IP address to the private IP address of the DMZ host. Since I'm not using any
routing protocols I'm guessing that I would then have to build static routes that
would direct traffic to the ASA's OUTSIDE interface (1.2.3.5 from #3 above).

I hope that's right or at least close to the right answer... Does it sound right to you?

Although it's not a show-stopper, I would like to avoid NAT on the 2811 if it's at
all possible so as to keep the full load-balancing capability of GLBP. Is there
a simple alternative that would allow me to keep NAT on the ASA and public only
on the 2811?

Two things that come to mind are:

A) Configure the 2811 as a bridge (if that's possible), stick a pub IP on the OUTSIDE
ASA interface, setup a static route so that Internet bound packets are sent out
this interface and then use address translation on the ASA to map internal to
public addresses?

B) Have each of my ISPs provided me with a next-hop address that is outside of the
subnets provided to me... Then take one of the pub addresses I have, assign it
to the INSIDE interface of the 2811, take another and assign to the OUTSIDE of the
ASA and then use address translation in the ASA to access the remaining 3?

(A) Sounds like it might work... Do you see a downside to this way?

(B) Assuming I could get the ISP's to do this, it feels clunky to me...

Some additional things that might really impact the stuff above:

A) Each router is connected to both ASA's... So FA0/0 from each of the three
routers is connected to g0/0-g0/2 of ASA #1 respectively and FA0/1 is connected
to g0/0-g0/2 of ASA #2 respectively.

The ASA's allow for configuring redundant interface pairs. I have used this with
the IN and DMZ sides. If one interface, it's connection to it's corresponding switch,
or the switch itself go poof, the secondary interface comes up on the alternate
switch.

I can't use this feature to address the routers... If there's a similar feature on the
2811 (I have to check, but doubt it) I guess I could make FA0/0 and FA1/1 a
redundant pair on each...?

If not, how would someone go about insuring redundancy on the outside links so
that each ASA has a connection to all three routers. If I remember correctly,
I think the ASA allows you to configure a redundant "gateway", up to 3 or maybe
more. So barring some other solution, I'm guessing I would have to configure the
INSIDE addresses for each of the routers using this feature?

B) I intend to use GLBP for outbound connection fault-tolerance and load-balancing. I
have to re-read all the docs on it but I believe it can work with points 1 - 6 above.

I'm sorry if all of this stuff is really basic, it probably is. I'm a part owner in a company and
my primary hat is software development, there's about 50 other hats thrown into that
mix too. We could certainly bring in a Cisco certified consultant to get it all setup
but I'd prefer to learn this stuff from the ground up and know how it works so that
when something breaks, I know how to fix it. Eventually I plan to take some
courses and work up to a certification but right now there isn't time for that.

I appreciate the help!

 

hello,

did anyone got this working? i have a similar setup , I am trying to get asa and 2811 to talk using multiple security contexts, one context is below

interface prod_outside
nameif outside
security-level 0
ip address xxx.yyy.135.133 255.255.255.224
asr-group 1

interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address xxx.yyy.135.149 255.255.255.224
duplex auto
speed auto

I am using security contexts on the ASA and the interfaces are in up
up but I cant ping 1 address from the other
thanks