[c-nsp] BGP/ASA/Internet Edge Design Question

jkrejci at usinternet.com jkrejci at usinternet.com
Wed Sep 29 21:26:38 EDT 2010


The address on the ASA does not control the source addresses of your protected hosts. Couple of options: you use your PI space behind the ASA exclusively and don't NAT, with "static (inside,outside) pi pi netmask 255.255.255.0", or use PI on the outside of the ASA and NAT to inside private addresses. Using RFC 1918 on the outside interface of the ASA means it's not going to be able to be a VPN endpoint with remote Internet hosts.

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Donald Darko <donald.darko8 at gmail.com>
Date: Wed, 29 Sep 2010 20:51:27 
To: <jkrejci at usinternet.com>
Cc: Ryan West<rwest at zyedge.com>; cisco-nsp at puck.nether.net<cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] BGP/ASA/Internet Edge Design Question

Sorry, just confused here...

So on the outside interface of the ASA...connecting into the Internet Router
I could use private addresses?

I'd think that I would want my outbound Internet web traffic to be sourced
from my Provider Independent IP subnet.  How would that work?

On Wed, Sep 29, 2010 at 8:48 PM, <jkrejci at usinternet.com> wrote:

> The outside interface ip of the asa has no requirement to be on net with
> anything having to do with your pi addresses whether you are nat'ing on the
> asa or not. You could use rfc1918 addresses as suggested by others.
>
> Sent via BlackBerry from T-Mobile
>
> -----Original Message-----
> From: Donald Darko <donald.darko8 at gmail.com>
> Sender: cisco-nsp-bounces at puck.nether.net
> Date: Wed, 29 Sep 2010 20:27:03
> To: Ryan West<rwest at zyedge.com>
> Cc: cisco-nsp at puck.nether.net<cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] BGP/ASA/Internet Edge Design Question
>
> I guess what I'm looking at is this....If I bring another ISP into the
> mix.....
>
> ISP 1 connects to Router1 via a /30 assigned by ISP1
> ISP 2 connects to Router2 via a /30 assigned by ISP2
>
> Router1 would then need to connect to the ASA outside interface via a
> public
> IP subnet?
>
> The ASA outside interface is where outbound browsing traffic is NAT'd...so
> it would have to be on a public network.  Correct?
>
> On Wed, Sep 29, 2010 at 8:23 PM, Ryan West <rwest at zyedge.com> wrote:
>
> > You can use private addressing if you like, but your provider can also
> > assign you a /29 for the segment between your ASA and edge.  Try asking them
> > for the extra allocation.
> >
> > Sent from handheld
> >
> > On Sep 29, 2010, at 8:08 PM, "Donald Darko" <donald.darko8 at gmail.com> wrote:
> >
> > > Hi All,
> > >
> > > I have a scenario where I would like to perform BGP with my current ISP and
> > > am in need of an Internet Edge router, as currently my ASA connects directly
> > > to them.  The IP subnet assignment that I'm using from my provider in my DMZ
> > > will be my provider independent addresses.
> > >
> > > My question is....I'll need to put a new subnet between my ASA and my new
> > > Internet router...it can't be a private subnet, because the Outside
> > > interface of the ASA is where my web traffic is coming from.  What are my
> > > options here?...try to subnet the already in use /24 provider independent
> > > subnet in my DMZ and use a /29 as a connector subnet between the ASA Outside
> > > interface and the Internet Edge router?
> > >
> > > Thanks
> > >
> > > Donald
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
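Worked out as configuration, as an added example that is not from any post in this thread: both options jkrejci describes at the top, with the edge router side included because Donald's question is how outbound traffic keeps PI source addresses when the ASA outside link is private. All addresses, interface names and AS numbers are constructed documentation values (203.0.113.0/24 as the PI block, 198.51.100.0/30 as the ISP link, 192.168.255.0/30 as the ASA-to-router link, AS 64496/64497); the ASA NAT syntax is the pre-8.3 static/nat/global form the reply quotes.

```cisco
! ===== Option A: PI space lives behind the ASA, ASA outside link is RFC 1918 =====

! --- Internet edge router (IOS) ---
interface GigabitEthernet0/0
 description to ISP1
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 description to ASA outside (private link, never advertised)
 ip address 192.168.255.1 255.255.255.252
! The whole PI /24 is routed to the ASA's private outside address; this static
! route also satisfies the BGP network statement below.
ip route 203.0.113.0 255.255.255.0 192.168.255.2
router bgp 64496
 neighbor 198.51.100.1 remote-as 64497
 network 203.0.113.0 mask 255.255.255.0

! --- ASA (8.2-style NAT) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 203.0.113.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.255.1
! Identity NAT: inside hosts keep their PI address on the way out, so the
! private outside address never appears as a source on the Internet.
static (inside,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0
! With identity NAT every PI host is reachable from outside by its real address,
! so inbound exposure is governed entirely by this ACL: permit only what is published.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
! Drop packets arriving on outside that claim an inside (PI) source.
ip verify reverse-path interface outside

! ===== Option B: PI space on the ASA outside, private addresses inside =====
! The link uses a /29 carved from the PI block (203.0.113.248/29), as Ryan West
! suggested; the outside interface keeps a public address and can still
! terminate VPNs from Internet peers, which Option A gives up.

! --- Internet edge router (IOS), link interface only; BGP as in Option A ---
interface GigabitEthernet0/1
 description to ASA outside (PI /29)
 ip address 203.0.113.249 255.255.255.248
! The /29 is directly connected (longest match); the rest of the /24, e.g. a DMZ
! behind the ASA, is still routed to the ASA outside address.
ip route 203.0.113.0 255.255.255.0 203.0.113.250

! --- ASA (8.2-style NAT) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.250 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.249
! Outbound browsing is PATed to the outside interface's PI address.
nat (inside) 1 10.10.0.0 255.255.255.0
global (outside) 1 interface
```

In Option A nothing on the Internet ever sees 192.168.255.0/30, and the ISP /30 and the private link are the only non-PI segments; the trade is that the ASA outside address is unusable as a VPN peer address. In Option B the inside hosts are hidden behind PAT, but the /29 consumes eight addresses from the /24 and the router must carry the more specific connected route alongside the /24 toward the ASA.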


