Cisco Router with Cisco ASA for Internet Access
A classic network scenario for many enterprises is to have a Cisco border router for Internet access and a Cisco ASA firewall behind this router to protect the internal LAN and/or to build a DMZ network. This scenario is shown in the figure below:

Assume that our enterprise is assigned the public IP address range 50.50.50.0/27 (a 32-address subnet). The usable addresses in this subnet range from 50.50.50.1 to 50.50.50.30. In our example we assign 50.50.50.1 to the outside interface of the Cisco router, and 50.50.50.2 is the ISP gateway router. We also reserve the address 50.50.50.3 for reaching a DMZ web server whose real private address is 10.10.10.1.
Between the Cisco router and the outside interface of the Cisco ASA we have a private subnet, 10.0.0.0/24. The inside (internal LAN) subnet is 192.168.1.0/24, and the inside IP address of the ASA is 192.168.1.1. The DMZ subnet is 10.10.10.0/24, with the ASA's DMZ interface at 10.10.10.2.
Traffic Flow:
We need to achieve the following traffic flow:
1) All internal LAN hosts (192.168.1.0/24) should be able to access the Internet (outbound communication). No connection initiated from the Internet should be allowed towards the internal LAN.
2) Also, we need to allow access from the Internet towards our DMZ web server (inbound communication); the configuration below limits this to HTTP (TCP port 80).
Implementation:
There are a few ways to achieve the functionality above. In any case we need to perform NAT on the border Cisco router to translate our internal private addresses to the public addresses assigned by our ISP. We also have the option of performing additional NAT on the ASA firewall, which I would not recommend.
The way I would configure such a scenario is the following:
- 1) For outbound communication (internal LAN towards the Internet), do not translate the network 192.168.1.0/24 on the Cisco ASA. Rather, create a static (identity) mapping of 192.168.1.0/24 to itself on the ASA (shown below) and configure NAT overload (PAT) on the Cisco router for the network 192.168.1.0/24.
- 2) For inbound communication (Internet towards the web server), again create a static (identity) mapping on the ASA for address 10.10.10.1 to itself, and perform static NAT on the Cisco router to map 10.10.10.1 to 50.50.50.3.
Configuration:
Below are snapshots of the configuration for both the Cisco router and the Cisco ASA that achieve the functionality above. Note that the ASA commands use the pre-8.3 NAT syntax (static (real_ifc,mapped_ifc) ...); on ASA 8.3 and later the static command is replaced by object NAT, and access-lists match the real (untranslated) address, which in this design is the same address anyway because the ASA mappings are identity mappings.
Cisco ASA:
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 10.0.0.2 255.255.255.0
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface GigabitEthernet0/3
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# ip address 10.10.10.2 255.255.255.0
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no shutdown
! Identity NAT: map 192.168.1.0/24 to itself so the ASA leaves LAN addresses untouched
ciscoasa(config)# static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! Identity NAT for the 10.10.10.1 web server as well
ciscoasa(config)# static (DMZ,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255
! Access-list allowing inbound traffic to the web server on TCP 80 only. Once it is bound
! to the outside interface, every other inbound connection (including anything towards
! 192.168.1.0/24) is dropped by the implicit deny at the end of the list.
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host 10.10.10.1 eq 80
ciscoasa(config)# access-group OUTSIDE-IN in interface outside
! Default route towards the border router
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.0.0.1
Cisco Router:
interface ethernet 0
ip address 50.50.50.1 255.255.255.224
ip nat outside
!
interface ethernet 1
ip address 10.0.0.1 255.255.255.0
ip nat inside
! PAT (overload): all LAN hosts share the single public address 50.50.50.4 for outbound traffic
ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
ip nat inside source list 1 pool IP-POOL overload
access-list 1 permit 192.168.1.0 0.0.0.255
! Static NAT: map 10.10.10.1 to 50.50.50.3. With no protocol/port given this forwards every
! port of the web server; the ASA access-list is what limits inbound access to TCP 80
ip nat inside source static 10.10.10.1 50.50.50.3
! Default route to the ISP, and routes back to the LAN and DMZ via the ASA outside interface
ip route 0.0.0.0 0.0.0.0 50.50.50.2
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 10.10.10.0 255.255.255.0 10.0.0.2
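To see what the two layers actually expose to the Internet, here is an added Python example (written for this page; it is not part of the original post and not a Cisco tool). It parses the NAT and access-list lines of the two configurations above, embedded below as constructed sample text, and computes which public address/port pairs an Internet host can reach and which real host answers. The regular expressions only cover the command shapes used on this page (one-to-one IOS statics, ASA entries of the form `permit|deny <proto> any host <ip> [eq <port>]`), and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the NAT/ACL-relevant lines of the two configs above.
ROUTER_CONFIG = """
ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
ip nat inside source list 1 pool IP-POOL overload
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source static 10.10.10.1 50.50.50.3
"""

ASA_CONFIG = """
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 10.10.10.1 eq 80
access-group OUTSIDE-IN in interface outside
"""

STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
# Only the ACE shape used on this page: <permit|deny> <proto> any host <ip> [eq <port>]
ACE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) any host (\S+)(?: eq (\d+))?$"
)
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def router_static_maps(cfg):
    """Return {public_ip: real_ip} for IOS one-to-one static NAT.

    A static without a protocol/port forwards EVERY protocol and port of the
    real host, so the router alone does no filtering for these hosts.
    """
    maps = {}
    for line in cfg.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real, public = m.groups()
            maps[public] = real
    return maps


def _covers(earlier, later):
    """True if an earlier ACE already decides the traffic a later ACE names."""
    e_dst, e_proto, e_port = earlier
    l_dst, l_proto, l_port = later
    return e_dst == l_dst and e_proto in ("ip", l_proto) and e_port in (None, l_port)


def asa_outside_permits(cfg):
    """Return the set of (dst_ip, proto, port) permitted inbound on 'outside'.

    Only the ACL bound with 'access-group ... in interface outside' counts; an
    ACL that exists but is not bound permits nothing (implicit deny). ACEs are
    first-match, so a 'deny' placed earlier shadows a later 'permit'.
    A port of None means any port.
    """
    aces = defaultdict(list)
    bound = None
    for line in cfg.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, proto, dst, port = m.groups()
            aces[name].append((action, (dst, proto, int(port) if port else None)))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound = m.group(1)
    permits, seen = set(), []
    for action, key in aces.get(bound, []):
        if any(_covers(prev, key) for prev in seen):
            continue  # shadowed by an earlier line
        seen.append(key)
        if action == "permit":
            permits.add(key)
    return permits


def internet_exposure(router_cfg, asa_cfg):
    """Map each (public_ip, proto, port) an Internet host can reach to the real host.

    Reachability needs BOTH hops to agree:
      1. the router holds a one-to-one static for the public address (the PAT
         address 50.50.50.4 has none, so nothing initiated from outside reaches
         the LAN through it), and
      2. the ASA's outside ACL permits the real address and port. The ASA statics
         on this page are identity mappings, so the address in the ACE is the real one.
    """
    maps = router_static_maps(router_cfg)
    permits = asa_outside_permits(asa_cfg)
    return {(pub, proto, port): real
            for pub, real in maps.items()
            for dst, proto, port in permits
            if dst == real}


def exposure_without_asa(router_cfg):
    """What the router alone exposes: all ports of every static-mapped host."""
    return {(pub, "ip", None): real for pub, real in router_static_maps(router_cfg).items()}


if __name__ == "__main__":
    print("router only :", exposure_without_asa(ROUTER_CONFIG))
    print("router + ASA:", internet_exposure(ROUTER_CONFIG, ASA_CONFIG))
```

Run on its own it reports that the router by itself exposes every port of 10.10.10.1 at 50.50.50.3, while the router plus the ASA access-list exposes only TCP 80; removing the access-group line, or inserting a deny ahead of the permit, drops the exposure to nothing. If you want the same narrowing at the router as well, IOS also accepts a port-specific static (ip nat inside source static tcp 10.10.10.1 80 50.50.50.3 80) in place of the all-ports one.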

I see the configuration here, but wonder why you would not put the ASA between the border router and the ISP? The only scenario I can envision the router in front of the firewall is where you are running BGP because of multiple links to the Internet.
Can you elaborate on this?
Thanks!
Hello Chris, thanks for stopping by and for commenting.
Your point is valid as long as the physical connection to the ISP is Ethernet (the ASA supports ONLY Ethernet network interfaces). Having a router in front gives you the flexibility to have various types of WAN network interfaces such as T1/E1, Frame Relay, ATM etc. There are still several countries in the world that have not yet adopted Ethernet for WAN connectivity, so they still use the legacy WAN technologies. That is why I suggested having a border router in front of the ASA. Another advantage of having a front-end router is the flexibility you get in terms of link redundancy and routing protocols supported. You could have, for example, a T1 as the main line and a Frame Relay link as a backup line to the ISP.
Anyhow, it all depends on the specific network needs, budget etc. If the ISP provides full Ethernet connectivity you could go with just an ASA firewall, without even using a router. There is nothing wrong with this approach either.
If I want to put a video conference system in the inside private network, is there any extra configuration needed other than static NAT from inside to outside?
Can you say something about bidirectional NAT?
By default, Cisco ASA inspects H.323 (H.225) to allow multimedia traffic. You should configure an access-list which allows all required ports to pass from outside to inside, then apply this ACL on the outside interface. Depending on the video conferencing brand and model, the ports that need to be opened differ.
Hi,
Nice work. Is there a possibility to ‘enhance’ the Cisco ASA with router functionality with an additional card? So that the ASA does both firewalling and routing?
Hello Peter,
The limitation of the ASA compared with a router is that the ASA ONLY supports Ethernet network interfaces (with either UTP cables or fiber optic cables), so if your WAN connection towards the ISP is a different Layer 2 technology (e.g. ATM, Frame Relay, T1, E1 etc.) then you cannot use a firewall in place of the router.
However if the connection towards the ISP is Ethernet, then yes you can go ahead and get rid of the border router and have only the ASA in place.
The border router also adds an extra layer of security. And with multiple WAN links, load balancing, and using BGP, I find a border router (or routers) works best.
I don’t like having unauthorized users stress testing my ASA outside interface. They need to get through the edge router first.
What do you recommend as the best way to SSH into the router from inside the network? Currently, I have multiple public address subnets on one border router and I’m using subinterfaces on the “inside” interface of the border router.
Hello Chris,
I agree with you regarding the border router in front of the firewall. It is your first line of defense. For SSH into the router, just pick one inside subinterface and use that one for CLI management. Since your SSH communication is encrypted, you don’t have any problem SSHing to any inside IP address of the router. Just make sure to use an access-class on the vty lines of the router to allow only the internal management station.