Cisco ASA 5505 and Cisco 878 Configuration

Curiosityx · 16 Sep 2007 at 20:39

Greetings, currently i have the ASA behind the 878.

The router has an external address on the dialer interface and i have also assigned an external address to the outside interface of the ASA with the same subnet mask.

Is it possible using just the two external address's to route between the firewall and the router without assigning an address to Vlan 1 on the router or do i need a private subnet in between the two devices?

ISP - (Outside 80.1.1.1/24) Router (Inside) - (Outside 80.1.1.2 /24) ASA (Inside)

Regards

oddjob62 · 19 Sep 2007 at 20:07

Curiosityx said:
Is it possible using just the two external address's to route between the firewall

Yes that's how it should be set up, otherwise you would need NAT on the router then NAT again on the firewall (double NATing should be avoided).

Rich · 19 Sep 2007 at 23:24

You will not be able to pass traffic unless you un-number the dialer to present the public IP addresses to the ASA. For this you will need more than 1 public IP address.

So, in order for this to work, you would actually assign the "public" address to vlan1. You would then go to your public interface and issue the "ip unnumbered dialer0". Assuming your public interface is dialer0, that should work.

pdw8 · 20 Sep 2007 at 10:35

I find this slightly confusing, has your ISP allocated a public /24 for your company?

The way we do it is the WAN IP is usually a single /32 address and then we allocate a public range for the customer to use on their LAN side. This is anything from a /24 to the more common /28 or /29. The LAN range is then advertised from our core.

In the above instance all you need is a /30 range, one on the router(LAN) the other on the ASA. As long as you have
ip route 0.0.0.0 0.0.0.0 dialer0 and the ISP is advertising your LAN range it will work fine.

Curiosityx · 5 Oct 2007 at 00:11

Rich said:
You will not be able to pass traffic unless you un-number the dialer to present the public IP addresses to the ASA. For this you will need more than 1 public IP address.

So, in order for this to work, you would actually assign the "public" address to vlan1. You would then go to your public interface and issue the "ip unnumbered dialer0". Assuming your public interface is dialer0, that should work.

Indeed thats what im using now, thank you for the reply though

I find this slightly confusing, has your ISP allocated a public /24 for your company?

The way we do it is the WAN IP is usually a single /32 address and then we allocate a public range for the customer to use on their LAN side. This is anything from a /24 to the more common /28 or /29. The LAN range is then advertised from our core.

In the above instance all you need is a /30 range, one on the router(LAN) the other on the ASA. As long as you have
ip route 0.0.0.0 0.0.0.0 dialer0 and the ISP is advertising your LAN range it will work fine.

Indeed i would normally expect to either be issued a /30 address or a /29 address, for some reason single ip address allocations are now given with a /24 address, i was just as confused.

Chief Wiggum · 5 Oct 2007 at 09:12

Curiosityx said:
Indeed i would normally expect to either be issued a /30 address or a /29 address, for some reason single ip address allocations are now given with a /24 address, i was just as confused.

It's not unusual for this to happen, as your connection is unlikely to be point to point - I know my Telewest connection is a /24 and I've got one IP from this network. Really depends how the ISP has setup their network....