ASA Topology

Hi,
I have an ASA 5512 that I want to connect to my Cisco router and then the router to my Cisco switch, so basically:
ASA --> Router --> Switch.
My question is, can this be done with just one subnet or do I need 2 subnets for this to work, for instance:
ASA (10.1.0.0) --> router g0/0 (10.1.0.0)...g0/1 (no ip) --> Switch (vlan int, 192.168.0.0) --> LAN (192.168.0.0).

What's the ideal config for this kind of setup?

Thanks,

Hello Irfan

Routers by design are devices that have Layer 3 interfaces. They route traffic between different subnets connected to those interfaces. So implementing your topology, and requiring that multiple ports on the router be on the same subnet is defeating the purpose of the router. If you want everything on the same subnet, simply get rid of the router and connect the ASA directly to the switch.

Now having said that, there are situations where you would want to set up a router to function this way. This is a technology that goes by various names such as pseudowire, or xconnect, but officially, it uses what is known as Layer 2 Tunneling Protocol (L2TP). It essentially allows you to connect two or more hosts on the same subnet over a connection that consists of one or more routers. In a sense, it makes router ports function as switch ports. You can find out more about L2TP at the following lesson:


This is a feature that is supported only by certain routers, so you have to make sure that your platform and IOS allows it.

In addition, some lower end routers, such as the 800 series, have a built in switch. This means that four ports on that router actually function as a switch. So you can use those ports to achieve the topology you want.

You have to ask yourself, why do you want a router in there if you want only one subnet, if you don’t actually want routing capabilities and features? Ideally the ASA should connect directly to the switch in this case.

If however it’s absolutely necessary, the way to do it is using the L2TP protocol if your platform supports it.

I hope this has been helpful!

Laz

1 Like

Hi Laz,
Thanks for your explanation, so I would say scratch my first question and my 2nd question would be, is the below topology doable? I'm just trying to experiment with different topologies. I already tried going from ASA --> Switch and it worked great.

ASA (10.1.0.0) --> router g0/0 (10.1.0.0)...g0/1 (192.168.0.0) --> Switch (vlan int, 192.168.0.0) --> LAN (192.168.0.0).

Thanks,
Irfan

Hello Irfan

Yes, that’s perfect. Assuming /24 subnets, you would have:

  • the 10.1.0.0/24 subnet between the ASA and the g0/0 interface of the router
  • the 192.168.0.0/24 subnet between the g0/1 interface and the switch interface X
  • this second subnet would be available to all ports on the switch that are on the same VLAN as the switch interface X

Note that any hosts connected to the switch would have to have an IP address in the subnet of 192.168.0.0/24 and would have to have the IP address of the G0/1 interface of the router as the default gateway, in order to reach other subnets, such as those connected to the ASA.

Also, in order to reach the 192.168.0.0/24 network, the ASA would have to be configured with the appropriate static routes, or be configured with a dynamic routing protocol along with the router.

I hope this has been helpful! Stay safe and healthy!

Laz

1 Like
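The two-subnet design described in the answer above, written out as a configuration example. This is an added illustration and not configuration posted in the thread; the interface numbers, the host addresses (.1 and .2 in each subnet), the ASA interface name `inside`, and the VLAN number are assumptions chosen to match the 10.1.0.0/24 and 192.168.0.0/24 subnets in the discussion.

```cisco
! ===== Router (assumed addressing: .2 on the ASA side, .1 on the LAN side) =====
interface GigabitEthernet0/0
 description Link to ASA inside interface (10.1.0.0/24)
 ip address 10.1.0.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 description Link to switch / LAN (192.168.0.0/24)
 ip address 192.168.0.1 255.255.255.0
 no shutdown
!
! Everything the router does not know locally goes to the ASA.
ip route 0.0.0.0 0.0.0.0 10.1.0.1

! ===== ASA (assumed: GigabitEthernet0/1 is the inside interface) =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
 no shutdown
!
! Static route back to the LAN subnet behind the router; without this the ASA
! has no return path for 192.168.0.0/24 and LAN traffic is dropped.
route inside 192.168.0.0 255.255.255.0 10.1.0.2 1

! ===== Switch (Layer 2 only; SVI used for management) =====
interface Vlan1
 description Management SVI in the LAN subnet
 ip address 192.168.0.2 255.255.255.0
 no shutdown
!
! Management traffic leaving the LAN subnet uses the router's g0/1 as gateway.
ip default-gateway 192.168.0.1
!
interface GigabitEthernet1/0/1
 description Uplink to router g0/1
 switchport mode access
 switchport access vlan 1
```

Hosts on the switch get addresses in 192.168.0.0/24 with 192.168.0.1 as their default gateway, exactly as the answer states. Two checks worth running after applying this: `show ip route` on the router should list both connected subnets plus the default route, and `show route` on the ASA should show the static entry for 192.168.0.0/24 via 10.1.0.2. If the ASA applies NAT or access rules on the inside interface, those rules must reference the 192.168.0.0/24 source addresses, since that is what arrives from the router, not 10.1.0.0/24.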

Laz,
Thanks for your help, everything worked great.

Irfan

1 Like