Greetings, we have an MPLS network configured. The head office has a 10Mbit Ethernet circuit coming into the HQ which is split into two dot1q VLANs. This link terminates on a 3825 ISR.
The internet VLAN is bridged from the router onto the outside interface of the firewall, which isn't a problem... however, the ISP has provided two address blocks:
A /30 for the dot1q VLAN internet link and a /28 for external business services such as SMTP.
Now currently I have the /30 terminated on the outside of the firewall. If I set up NAT statements on the firewall for the /28 range and get the ISP to route to the /28 network through the /30 network, would this work OK?
If configs are needed please let me know.
We were going to use a common gateway initially but the customer wants both the firewall and router connected to the internal network. At present the /30 is bridged onto f0/0/0, which connects to the outside of the ASA.
The other option I was considering was to assign the /30 address to g0/1.1001, being 193.***.***.170 255.255.255.252, and then assign the first available address in the /28 range to vlan 1, then the next address in the /28 range to the outside of the firewall.
Regards
Code:
ASA
interface ethernet 0/0
 ip address 193.***.***.170 255.255.255.252
 nameif outside
 security-level 0
!
interface ethernet 0/1
 ip address 10.171.41.252 255.255.255.0
 nameif inside
 security-level 90
!
route inside 10.170.0.0 255.255.255.0 10.171.41.1
route inside 10.171.0.0 255.255.255.0 10.171.41.1
route outside 0.0.0.0 0.0.0.0 195.***.***.169
ISR
bridge irb
bridge 1 protocol ieee
!
interface GigabitEthernet0/0
 no ip address
 media-type rj45
 negotiation auto
 speed auto
 duplex auto
!
! Connection to Customer Internal Lan
interface GigabitEthernet0/0.1
 ip address 10.171.40.1 255.255.255.0
 encapsulation dot1q 1
!
! Connection to Customer Internal Lan
interface GigabitEthernet0/0.50
 ip address 10.170.40.1 255.255.255.0
 encapsulation dot1q 50
!
! Connection to MPLS Circuit
interface GigabitEthernet0/1
 no ip address
 media-type rj45
 negotiation auto
 speed 10
 duplex full
!
! Connection to MPLS Network
interface GigabitEthernet0/1.1000
 ip address 172.18.255.2 255.255.255.252
 encapsulation dot1q 1000
!
! Connection to Internet
interface GigabitEthernet0/1.1001
 no ip address
 encapsulation dot1q 1001
 bridge-group 1
!
! Connection to ASA Outside interface
interface FastEthernet0/0/0
 speed 100
 duplex full
!
interface FastEthernet0/0/1
 speed 100
 duplex full
!
interface FastEthernet0/0/2
 speed 100
 duplex full
!
interface FastEthernet0/0/3
!
interface vlan 1
 no ip address
 bridge-group 1
!
! ASA Inside interface for MPLS Remote site to Internet Traffic
ip route 0.0.0.0 0.0.0.0 10.171.40.252
! Route to all other remote sites via PE
ip route 10.171.0.0 255.255.255.0 172.18.255.1
! Route to all other remote sites via PE
ip route 10.170.0.0 255.255.255.0 172.18.255.1
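Added example, not part of the original post: a small Python check that reads the unmasked inside addressing from the two configs above and reports whether the ASA and ISR share a subnet and whether each static-route next hop is an address the other device actually owns. The function names `shared_subnets` and `audit_next_hops` are hypothetical, and the masked public addresses are left out because their values are not on the page.

```python
import ipaddress
import re

# Unmasked inside addressing copied from the ASA and ISR configs in the post.
ASA = """\
interface ethernet 0/1
ip address 10.171.41.252 255.255.255.0
route inside 10.170.0.0 255.255.255.0 10.171.41.1
route inside 10.171.0.0 255.255.255.0 10.171.41.1
"""
ISR = """\
interface GigabitEthernet0/0.1
ip address 10.171.40.1 255.255.255.0
interface GigabitEthernet0/0.50
ip address 10.170.40.1 255.255.255.0
interface GigabitEthernet0/1.1000
ip address 172.18.255.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.171.40.252
ip route 10.171.0.0 255.255.255.0 172.18.255.1
ip route 10.170.0.0 255.255.255.0 172.18.255.1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ADDR_RE = re.compile(rf"^\s*ip address {IP} {IP}", re.M)
# IOS "ip route <net> <mask> <hop>" and ASA "route <nameif> <net> <mask> <hop>".
ROUTE_RE = re.compile(rf"^\s*(?:ip route|route \S+) {IP} {IP} {IP}", re.M)


def interfaces(cfg):
    """Addresses configured in cfg, as ip_interface objects."""
    return [ipaddress.ip_interface(f"{a}/{m}") for a, m in ADDR_RE.findall(cfg)]


def shared_subnets(cfg_a, cfg_b):
    """Subnets on which both devices have an interface."""
    return sorted({i.network for i in interfaces(cfg_a)}
                  & {i.network for i in interfaces(cfg_b)})


def audit_next_hops(cfg, peer_cfg):
    """Classify each static-route next hop: 'unreachable' (not on a connected
    subnet), 'peer' (an address the other device owns) or 'other'."""
    local = interfaces(cfg)
    peer_ips = {i.ip for i in interfaces(peer_cfg)}
    result = {}
    for _net, _mask, hop in ROUTE_RE.findall(cfg):
        ip = ipaddress.ip_address(hop)
        if not any(ip in i.network for i in local):
            result[hop] = "unreachable"
        else:
            result[hop] = "peer" if ip in peer_ips else "other"
    return result
```

With the addresses as posted, `shared_subnets(ASA, ISR)` is empty and neither device's inside next hop resolves to `peer`: the ASA inside interface is in 10.171.41.0/24 while the ISR sub-interface is in 10.171.40.0/24.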