
ASA vpn to pix


prince78

Technical User
Dec 8, 2006
Hi

I am new to firewalls and I am trying to do a setup as below. Can anyone advise me if this is the right setup?

switch --> ASA --> router --> internet --> pix --> switch
(the ASA side is the local end, the PIX side is the remote end)

I am confused about having the router between the ASA and the PIX. Is this really necessary? A T1 is terminated on this router to the remote end. I heard I can't terminate a T1 directly on the ASA.

thanks very much
 
Your setup sounds about right. PIX firewalls do not understand T1 framing, clocking, etc. So yeah, a router would be necessary.
 
Hi

Thanks very much for your reply. As I would be doing the NAT on the firewall, I believe the router should be configured with a basic configuration and will be passing all the traffic from the firewall to the internet, right?

thank you
 
Yes that's right. The router should be configured for default routing to the internet and have knowledge of all your LAN subnets by having routes pointing to the PIX's outside address for those subnets.
 
Hi, thanks for that. What about the traffic coming from the internet accessing internal servers? Should I do the NAT on the router or on the ASA?

My requirement is that anything coming from the internet to the WAN interface on the router (e1, 3.3.3.1) should be NATed to the ASA outside interface (2.2.2.1) and communicate with the internal servers (1.1.1.0).


switch ------> ASA ----------> (e0) router (e1) --> internet --> pix

  LAN:              1.1.1.0
  ASA inside:       1.1.1.2
  ASA outside:      2.2.2.1
  router LAN (e0):  2.2.2.2
  router WAN (e1):  3.3.3.1


I think I can configure this in 3 steps

1. Anything coming from the internet to 3.3.3.1 to be NATed to the ASA outside (2.2.2.1). I don't understand how I can configure this, though.

2. Configure route to ASA on router
ip route 2.2.2.1 255.255.255.255 e0 -- from router to ASA

3. Specific rules on the ASA to reach the internal servers (interface names must match the nameif values, which are lowercase "inside" and "outside" by default, as in the access-group line)

static (inside,outside) tcp 2.2.2.1 80 1.1.1.1 80 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.1 21 1.1.1.2 21 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 2.2.2.1 eq ftp
access-list outside_in extended permit tcp any host 2.2.2.1 eq http
access-group outside_in in interface outside

Any better way to configure this? Please advise.
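One way to fill in step 1 on the router and tie it to steps 2 and 3 on the ASA, as an added example rather than configuration from this thread; the IOS interface names Ethernet0/Ethernet1 (the poster's e0/e1), the /24 masks, and the ISP next hop 3.3.3.254 are assumptions:

```cisco
! --- Router (IOS). Example config, not from the thread; names and masks assumed. ---
! "inside" is the LAN toward the ASA (e0), "outside" is the WAN toward the internet (e1).
! A real T1 would terminate on a Serial interface; Ethernet1 only follows the poster's e1 label.
interface Ethernet0
 description LAN toward ASA outside
 ip address 2.2.2.2 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description WAN toward internet
 ip address 3.3.3.1 255.255.255.0
 ip nat outside
!
! Step 1: port-specific static NAT. Only TCP/80 and TCP/21 arriving at 3.3.3.1 are
! translated to the ASA outside address 2.2.2.1; no other inbound port is mapped.
! A plain "ip nat inside source static 2.2.2.1 3.3.3.1" would be a full 1:1 mapping
! and would hand every port the ASA answers on to the internet, so prefer the
! per-port form below and let the ASA ACL stay the second line of defence.
ip nat inside source static tcp 2.2.2.1 80 3.3.3.1 80
ip nat inside source static tcp 2.2.2.1 21 3.3.3.1 21
!
! Step 2: default route to the ISP next hop (placeholder address), plus a route to the
! inside subnet via the ASA outside address, as the earlier reply recommends.
ip route 0.0.0.0 0.0.0.0 3.3.3.254
ip route 1.1.1.0 255.255.255.0 2.2.2.1

! --- ASA, step 3 as posted: translate 2.2.2.1 to the real servers and permit only
! --- the two services. Interface names must match the lowercase nameif values.
static (inside,outside) tcp 2.2.2.1 80 1.1.1.1 80 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.1 21 1.1.1.2 21 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 2.2.2.1 eq http
access-list outside_in extended permit tcp any host 2.2.2.1 eq ftp
access-group outside_in in interface outside
! FTP crosses two NATs here, so it depends on the FTP ALG on both boxes rewriting the
! PORT/PASV payload; IOS NAT and the ASA's default "inspect ftp" normally handle port 21.
```

Check the router side with "show ip nat translations" and the ASA side with "show xlate" after the first inbound connection to confirm both translations appear for the same flow.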
 