Comments on: Cisco Router with Cisco ASA for Internet Access http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/ Technology in the 21st Century Sat, 06 Mar 2010 17:45:51 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: BlogAdmin http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-997 BlogAdmin Tue, 26 Jan 2010 13:15:31 +0000 http://www.tech21century.com/?p=240#comment-997 Hello Chris, I agree with you regarding the border router in front of the firewall. It is your first line of defense. For ssh into the router, just pick one inside subinterface and use that one for CLI management. Since your communication using SSH is encrypted you don't have any problems to ssh anywhere on an inside IP address of the router. Just make sure to use an access-class on the vty lines of the router to allow only the internal management station Hello Chris,

I agree with you regarding the border router in front of the firewall. It is your first line of defense. For ssh into the router, just pick one inside subinterface and use that one for CLI management. Since your communication using SSH is encrypted you don’t have any problems to ssh anywhere on an inside IP address of the router. Just make sure to use an access-class on the vty lines of the router to allow only the internal management station

]]> By: Chris http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-996 Chris Tue, 26 Jan 2010 12:33:51 +0000 http://www.tech21century.com/?p=240#comment-996 The border router also adds an extra layer of security. And with multiple WAN links, load balancing, and using BGP, I find a border router/s work best. I don't like having unauthorized users stress testing my ASA outside interface. They need to get through the edge router first. What do you recommend the best way to ssh into the router from inside the of the network? Currently, I have multiple public address subnets on one border router and I'm using subinterfaces on the "inside" interface of the border router. The border router also adds an extra layer of security. And with multiple WAN links, load balancing, and using BGP, I find a border router/s work best.

I don’t like having unauthorized users stress testing my ASA outside interface. They need to get through the edge router first.

What do you recommend the best way to ssh into the router from inside the of the network? Currently, I have multiple public address subnets on one border router and I’m using subinterfaces on the “inside” interface of the border router.

]]> By: How do I properly configure my Linux to connect through my home router? | Linux Application Server http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-34 How do I properly configure my Linux to connect through my home router? | Linux Application Server Mon, 24 Aug 2009 00:52:39 +0000 http://www.tech21century.com/?p=240#comment-34 [...] Cisco Router with Cisco ASA for cyberspace Access | Tech 21 Century [...] [...] Cisco Router with Cisco ASA for cyberspace Access | Tech 21 Century [...]

]]> By: BlogAdmin http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-19 BlogAdmin Sat, 11 Jul 2009 07:38:50 +0000 http://www.tech21century.com/?p=240#comment-19 Hello Peter, The limitation of ASA compared with a router is that the ASA ONLY supports Ethernet network interfaces (with either UTP cables or Fiber optic cables), so if your WAN connection towards the ISP is a different Layer 2 technology (e.g ATM, Frame Relay, T1,E1 etc) then you can not use a firewall in place of the router. However if the connection towards the ISP is Ethernet, then yes you can go ahead and get rid of the border router and have only the ASA in place. Hello Peter,

The limitation of ASA compared with a router is that the ASA ONLY supports Ethernet network interfaces (with either UTP cables or Fiber optic cables), so if your WAN connection towards the ISP is a different Layer 2 technology (e.g ATM, Frame Relay, T1,E1 etc) then you can not use a firewall in place of the router.

However if the connection towards the ISP is Ethernet, then yes you can go ahead and get rid of the border router and have only the ASA in place.

]]> By: Peter http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-18 Peter Sat, 11 Jul 2009 06:26:48 +0000 http://www.tech21century.com/?p=240#comment-18 Hi, Nice work. Is there a possibility to 'enhance' the Cisco ASA with router functionality with an additional card? So that the ASA does both firewalling and routing? Hi,

Nice work. Is there a possibility to ‘enhance’ the Cisco ASA with router functionality with an additional card? So that the ASA does both firewalling and routing?

]]> By: BlogAdmin http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-17 BlogAdmin Mon, 15 Jun 2009 13:33:28 +0000 http://www.tech21century.com/?p=240#comment-17 By default, Cisco ASA inspects H323 H225 to allow multimedia traffic. You should configure an access-list which will allow all required ports to pass from outside to inside. Then, apply this ACL on the outside interface. Depending on the video conferencing brand and model, the ports needed to open are different. By default, Cisco ASA inspects H323 H225 to allow multimedia traffic. You should configure an access-list which will allow all required ports to pass from outside to inside. Then, apply this ACL on the outside interface. Depending on the video conferencing brand and model, the ports needed to open are different.

]]> By: harindra http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-16 harindra Mon, 15 Jun 2009 06:41:25 +0000 http://www.tech21century.com/?p=240#comment-16 can u say about bidirectional nat? can u say about bidirectional nat?

]]> By: harindra http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-15 harindra Mon, 15 Jun 2009 06:39:42 +0000 http://www.tech21century.com/?p=240#comment-15 if i want to put video conference in inside private network is there any extra configuration other than static nat from inside to outside. if i want to put video conference in inside private network is there any extra configuration other than static nat from inside to outside.

]]> By: BlogAdmin http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-14 BlogAdmin Wed, 03 Jun 2009 05:06:40 +0000 http://www.tech21century.com/?p=240#comment-14 Hello Chris, thanks for stopping by and for commenting. Your point is valid as long as the physical connection to the ISP is Ethernet (the ASA supports ONLY ethernet network interfaces). Having a router in front gives you the flexibility to have various types of WAN network interfaces such as T1/E1, Frame Relay, ATM etc. There are still several countries in the world that have not yet adopted Ethernet as a WAN connectivity, so they still use the legacy WAN technologies. That is why I suggested to have a border router in front of the ASA. Another advantage of having a front end router is the flexibility you can get in terms of link-redundancy and routing protocols supported. You could have for example a T1 as a main line and a Frame Relay as a backup line to the ISP. Anyhow, it all depends to the specific network needs, budget etc. If the ISP provides full Ethernet connectivity you could go with just an ASA firewall only without even using a router. There is nothing wrong with this approach either. Hello Chris, thanks for stopping by and for commenting.
Your point is valid as long as the physical connection to the ISP is Ethernet (the ASA supports ONLY ethernet network interfaces). Having a router in front gives you the flexibility to have various types of WAN network interfaces such as T1/E1, Frame Relay, ATM etc. There are still several countries in the world that have not yet adopted Ethernet as a WAN connectivity, so they still use the legacy WAN technologies. That is why I suggested to have a border router in front of the ASA. Another advantage of having a front end router is the flexibility you can get in terms of link-redundancy and routing protocols supported. You could have for example a T1 as a main line and a Frame Relay as a backup line to the ISP.

Anyhow, it all depends to the specific network needs, budget etc. If the ISP provides full Ethernet connectivity you could go with just an ASA firewall only without even using a router. There is nothing wrong with this approach either.

]]> By: Chris Gauthier http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-13 Chris Gauthier Tue, 02 Jun 2009 19:14:19 +0000 http://www.tech21century.com/?p=240#comment-13 I see the configuration here, but wonder why you would not put the ASA between the border router and the ISP? The only scenario I can envision the router in front of the firewall is where you are running BGP because of multiple links to the Internet. Can you elaborate on this? Thanks! I see the configuration here, but wonder why you would not put the ASA between the border router and the ISP? The only scenario I can envision the router in front of the firewall is where you are running BGP because of multiple links to the Internet.

Can you elaborate on this?

Thanks!

]]>