
Cisco ASA, Cisco Router, T1 and I want to add a cable modem.

Lash444

If anyone can shed some light on this, it would be much appreciated.

Here is the problem: the 1841 router doesn't have VPN capability. The ASA currently uses NAT to translate the internal IP addresses to external IPs on the T1. The ASA is also handling the VPN.

I want to add a cable modem to the mix, and either have all the user traffic or just port 80 ride this pipe.

The problem, of course, is that I can't do PBR on the router because the traffic coming in from the LAN is already using the external address from the ASA. You can't send the IP from the T1 out the cable modem. I can't do PBR on the ASA because it doesn't support it.

The only way I know how to get this to work is to put the VPN and NAT on the 1841, turn on PBR within the router, and then turn the ASA into a transparent firewall. That way all traffic up until the 1841 is coming over an INTERNAL IP on the same pipe, and then PBR routes that traffic out either the T1 or the cable modem. But my 1841 doesn't support VPN, so I'd have to buy that capability or do it somewhere else. Not to mention I want to use more than 2 interfaces on the ASA.

I'm hoping someone with a bit more experience could direct me on what they think would be the best way to do this. Any help would be greatly appreciated.
 
I would upgrade the 1841 to Advanced Security and do away with the ASA, assuming it's an ASA5505. If it's a 5510 or higher, you could get another interface and do WAN failover that way.

However, if you want PBR, you'll have to do that on a router. An ASA in transparent firewall mode cannot terminate a VPN.

An 1841 certainly can act as a VPN endpoint as long as it's running the appropriate software image.

Things you need to be aware of, though, if you try to implement other solutions: an ASA does not do ICMP redirect or PBR. This limits your options as far as choosing a router to employ a dual gateway environment (basically, it needs to support inside static routing and ICMP redirect).
 
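To make the reply above concrete, here is what the "PBR on the router, NAT after PBR" design looks like in Cisco IOS on an 1841. This is an added example, not configuration posted by anyone in the thread. Interface names, all addresses (RFC 5737 documentation ranges), the tracked next hop and the remote VPN subnet 192.168.20.0/24 are assumptions chosen for illustration; the `verify-availability ... track` form of the next-hop statement assumes an image that supports IP SLA object tracking.

```cisco
! Added example, not from the thread. Hypothetical layout:
!   Fa0/0      LAN (192.168.10.1/24), hosts behind a transparent ASA
!   Se0/0/0    T1 (203.0.113.2/30, provider gateway 203.0.113.1)
!   Fa0/1      cable modem (198.51.100.2/24, ISP gateway 198.51.100.1)
! Policy: tcp/80 from the LAN leaves via the cable modem while that
! gateway answers; everything else, including the VPN, uses the T1.
! NAT is done here, after PBR has chosen the egress interface, so the
! translated address always belongs to the pipe the packet leaves on.

! --- Reachability tracking for the cable gateway (fail-back to the T1)
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

! --- Interfaces
interface FastEthernet0/0
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map WEB-VIA-CABLE
!
interface Serial0/0/0
 description T1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description Cable modem
 ip address 198.51.100.2 255.255.255.0
 ip nat outside

! --- Default route stays on the T1
ip route 0.0.0.0 0.0.0.0 203.0.113.1

! --- What gets policy-routed: HTTP from the LAN, but never traffic
! bound for the VPN peer's LAN (assumed 192.168.20.0/24), which must
! keep following the default route so the crypto map on the T1 sees it.
ip access-list extended LAN-HTTP
 deny   ip  192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit tcp 192.168.10.0 0.0.0.255 any eq 80
!
route-map WEB-VIA-CABLE permit 10
 match ip address LAN-HTTP
 set ip next-hop verify-availability 198.51.100.1 10 track 1
! Anything that does not match, or whose next hop is down per track 1,
! falls through to ordinary destination routing, i.e. out the T1.

! --- NAT: one overload translation per egress interface. The
! "match interface" lines tie each translation to the outgoing link,
! so a LAN host is translated to the T1 address when it leaves on the
! T1 and to the cable address when PBR sends it out Fa0/1.
ip access-list standard LAN-NETS
 permit 192.168.10.0 0.0.0.255
!
route-map NAT-T1 permit 10
 match ip address LAN-NETS
 match interface Serial0/0/0
!
route-map NAT-CABLE permit 10
 match ip address LAN-NETS
 match interface FastEthernet0/1
!
ip nat inside source route-map NAT-T1 interface Serial0/0/0 overload
ip nat inside source route-map NAT-CABLE interface FastEthernet0/1 overload
```

The order matters for the original poster's objection: PBR on Fa0/0 sees the private source addresses because NAT has not happened yet, and the two `ip nat inside source route-map` statements are what keep a flow's translated address consistent with the interface it was steered to. Check with `show route-map WEB-VIA-CABLE` (policy-match counters), `show track 1`, and `show ip nat translations` to confirm that port 80 sessions carry the 198.51.100.2 address while other flows carry 203.0.113.2. The VPN-peer exclusion in LAN-HTTP is the caveat most often missed: without it, HTTP to the remote site is policy-routed to the cable modem in the clear and the tunnel appears to work for every protocol except the web.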
You want an edimaxusa or Xincom dual-WAN or 16-WAN router. It will pass through VPN on both interfaces and provide NAT. Put your IPS in front of that.

Cisco OER just cannot compete with these old-azz crapbox routers that cost $200.

I just run an HA VM to terminate VPNs. I am looking at using an FT VM to run OpenBSD or FreeBSD for the entire router/VPN process soon.

IPS -> WAN1 and WAN2 -> dedicated NIC on VM server -> *BSD router -> rest of world.

*BSD can support dual-WAN with failover and preferential routing based on class of service (80 goes to Comcast).

So does the Xincom. I soft-bind 80 and FTP to Comcast and put the SSL on the T1 since they are more reliable. Loving it. 50 meg down for non-SSL 😉
 