Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
ASA 5510 firewall
- Thread starter Carpua
- Start date
- Thread starter
- #2
VinceWhirlwind
Technical User
To make it easier to understand, add a switch to your layout:
You have three routers.
Each router has one interface in subnet 10.1.1.0/24: ROUTER1: 10.1.1.10, ROUTER2: 10.1.1.20, ROUTER3: 10.1.1.30
These interfaces are all patched into ports in VLAN 10 in a 2950.
The 2950 has a port in VLAN 10 patched into the firewall with IP address 10.1.1.1/24.
The firewall has routes, eg,
192.168.16.0/24 --> 10.1.1.10
192.168.17.0/24 --> 10.1.1.20
192.168.18.0/24 --> 10.1.1.30
Does that make more sense?
You have three routers.
Each router has one interface in subnet 10.1.1.0/24: ROUTER1: 10.1.1.10, ROUTER2: 10.1.1.20, ROUTER3: 10.1.1.30
These interfaces are all patched into ports in VLAN 10 in a 2950.
The 2950 has a port in VLAN 10 patched into the firewall with IP address 10.1.1.1/24.
The firewall has routes, eg,
192.168.16.0/24 --> 10.1.1.10
192.168.17.0/24 --> 10.1.1.20
192.168.18.0/24 --> 10.1.1.30
Does that make more sense?
- Thread starter
- #4
hi Vince
the routers interface are on a different subnet. for example 196.40.172.1/30, 10.50.100.1/30, 10.59.8.1/30 and they are all looking for the .2 address as the next hop. please bear in mind that this routers are operationsl and are the third-party so changing the interface ip is out of option. and at the moment this routers are in operation
the routers interface are on a different subnet. for example 196.40.172.1/30, 10.50.100.1/30, 10.59.8.1/30 and they are all looking for the .2 address as the next hop. please bear in mind that this routers are operationsl and are the third-party so changing the interface ip is out of option. and at the moment this routers are in operation
VinceWhirlwind
Technical User
I seem to have misunderstood what you meant by "... the ports on the firewall are configured with the ip on the same subnet."
You mean you have three different routers, each with an interface in a different subnet, patching into the ASA?
If that's the case, what's the question?
You mean you have three different routers, each with an interface in a different subnet, patching into the ASA?
If that's the case, what's the question?
- Thread starter
- #6
VinceWhirlwind
Technical User
No. You need a design before you start just "plugging things in". Sit down and draw up a logical layer3 representation of how it's going to work.
The ASA represents a new Layer-3 hop between the routers and the internal hosts. This means you will need to remove the existing addresses from the routers and put those addresses on the "inside" interfaces of the ASA, and create 3 new point-to-point subnets linking the routers to the ASA "Outside" interfaces.
The ASA represents a new Layer-3 hop between the routers and the internal hosts. This means you will need to remove the existing addresses from the routers and put those addresses on the "inside" interfaces of the ASA, and create 3 new point-to-point subnets linking the routers to the ASA "Outside" interfaces.
- Thread starter
- #8
VinceWhirlwind
Technical User
If you got it working with nothing more than my very summary advice then you *are* a network engineer in my books!
I've never actually used Skype, but I'll be sure to fire it up to say G'Day to you.
I've never actually used Skype, but I'll be sure to fire it up to say G'Day to you.
VinceWhirlwind
Technical User
I agree with ADB - when you draw up a design for your "gateway", it's good to have a few switches in there for physical connectivity.
- Status
Similar threads