Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

ASA5505 instead of a router?

  • Filter
  • Time
  • Show
Clear All
new posts

  • ASA5505 instead of a router?

    Verizon is activating a line for us today they call a "10 meg" or a "LAN".
    They said the only requirement is a regular fastethernet interface.
    Instead of using the Cisco 1841 we currently use (T1), i thought of using a clean factory default ASA 5505.

    1. Will this idea of using an ASA and skipping the Router alltogether work?
    2. never worked with an ASA before, what other points do i need in order to make the test work?

    by test i mean getting an Internet access by connecting an internal LAN switch to one of the ASA ports and having a PC get online access.
    once this test works, i will obvisouly need to recreate the various NATs and CALs i currently have on the 1841.

    any advice would be appreciated.

    this is what Verizon provided:

    NOTICE: This Ethernet Order (MUST) be assigned a /30 Address to be used
    on your WAN Side Interface. All CIDR allocations will be routed
    statically or via BGP.

    * Ethernet: II
    * Ethertype: 0x0800 (IP), 0x0806 (ARP)
    * CRC: 32-bit
    * MTU: 1500 bytes
    * ARP: Enabled
    * Proxy ARP: Disabled
    * IP WAN interface: /30 subnet

    WAN IP:
    Subnet Mask:
    VZ side IP:

    Sample Config Ethernet: II VLAN TAGGED:
    (Note the VLAN Tag will be available at the end of the install process.
    We will provide it as soon as we receive it from telco. Thanks.)

    interface FastEthernet0/0
    description WAN
    no ip address
    duplex full
    speed 100
    no shutdown
    interface FastEthernet0/0.1
    encapsulation dot1Q xxx !!(MANDATORY vlan tagging ID)
    ip address x.x.x.x !!Verizon provided WAN IP
    no shutdown
    interface FastEthernet0/1
    description LAN
    ip address LAN IPs
    no shutdown
    duplex full
    speed 100
    ip route WAN IP VZ side

  • #2
    Re: ASA5505 instead of a router?

    Yes, the ASA can be a complete replacement for your 1841. The name 'adaptive security appliance' means it can & does perform functions previously relegated as stand-alone functions. The ASA is a firewall, a proxy, a router, a VPN endpoint, a switch; this list goes on.

    You really should take the time to read the Config Guide for your ASA to get the most info, but in a nutshell the biggest thing to consider is:
    *-the ASA uses 'security contexts' as part of it's rule set for blocking or allowing traffic. Think of a 3-story building. Bottom floor is for the WAN traffic port (internet). Middle floor can be a DMZ or Perimeter LAN network. And the top floor is the trusted internal LAN. It takes more effort to start an upward path than it does to go down. To get from any higher-level network to a lower-level, no changes are needed. Traffic is permitted from higher security context to lower and back again out-of-the-box (stateful firewall). To allow traffic to START from a lower floor and go to a higher one, specific rules must allow the beginning traffic.

    Use the GUI to set up NAT, the Guide instructions are pretty clear. The downloads can be found at:

    There are a lot of entries on that page, look under either the version of IOS installed in your ASA, or the version of ASDM that comes on the CD with the device.
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **