Newbie: Basic setup/configuration help with ASA5510 (1 Data, 1 VOIP Subnet)

Unanswered Question
May 17th, 2008

Hello all,

WARNING: I'm a newbie, first exposure to Cisco 3524 POE switches 1 month ago. Got an ASA5510 w/spyware last week and I'm clueless about configuration.

View my topology at:

http://mitechnologiesinc.com/mit-network-diagram.pdf

data machines on 192.168.0.xxx network

VOIP phones on 192.168.1.xxx network

First of all, I need help creating an efficient network topology, then secondly,

I need help configuring the ASA for:

1) PAT using one external IP. I need certain devices such as SMTP/Asterisk/Accounting Servers accessible from the outside. Do I use one port as my external interface and only 1 port for my private network, or is it better to define three private ports (one for each switch)?

2) QoS - traffic is *almost* completely segmented w/ exception of data and voice through Cisco switch 192.168.0.87. I guess through the Cisco switches I can prioritize the VoIP traffic with tags, but what is the role of the ASA or the proper way to do it (remember I know very little about all this). I have Cisco 7460 phones powered by the POE Cisco 3524 switches and every computer/phone has its own cat5e running to the switches.

3) Network topology suggestion and general ASA setup tips.

The ASA5510 is my only security appliance and it's going to be my firewall (including URL filtering and spyware protection), router, and workstation DHCP server.

Networking is not my forte, and I am happy to pay someone to configure my network. It's very difficult finding qualified personnel locally.

samuellthomasjr Sun, 05/18/2008 - 11:50

1. Static NAT works for various TCP ports. This is the one for your mail server (the public address was missing from the original post; <OUTSIDE-IP> is a placeholder for it, and the second and third static lines have been corrected so that each outside port maps to the same inside port instead of every line using port smtp on the outside):

access-list 101 permit tcp any host <OUTSIDE-IP> eq smtp
static (inside,outside) tcp <OUTSIDE-IP> smtp 192.168.0.93 smtp netmask 255.255.255.255
static (inside,outside) tcp <OUTSIDE-IP> pop3 192.168.0.93 pop3 netmask 255.255.255.255
static (inside,outside) tcp <OUTSIDE-IP> http 192.168.0.93 http netmask 255.255.255.255
access-group 101 in interface outside

Use the access-list to restrict traffic to a particular server [TCP/UDP/ICMP/etc]. If you need direct access to the server from outside substitute "3389" for Remote Desktop Connection. Just remember to enable RDC on the server and permit the particular user to use RDC.

With what I have provided above, you should be able to set up the ASA5510 to permit access to all of your servers.

mitechnologies Mon, 05/19/2008 - 07:29

Thank you, samuellthomasjr.

The example access-list is a very good start for the routing.

What do you think about the network in itself? How should the ASA5510 interfaces be configured as far as design and best practices?
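As an added illustration (not posted by anyone in this thread), here is one way the three-interface design asked about above could be laid out on an ASA 5510 running the 7.2/8.0 CLI, combining the static-PAT/ACL pattern from the reply with a separate voice interface and a priority queue for voice. Everything in angle brackets is a placeholder; the interface names, the 192.168.x.1 gateway addresses, the DHCP range, the ACL and policy names, and the Asterisk SIP port are assumptions, and 192.168.0.93 is the mail server address taken from the reply.

```cisco
! Added example, not from the thread. Assumes ASA 7.2/8.0 syntax, three
! physical ports (0/0 outside, 0/1 data switch, 0/2 voice switch) and
! placeholders in <>. The CSC module for URL/spyware filtering is not shown.
hostname asa5510
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address <OUTSIDE-IP> <OUTSIDE-MASK>
!
interface Ethernet0/1
 nameif data
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif voice
 security-level 90
 ip address 192.168.1.1 255.255.255.0
!
! Workstation DHCP served from the data interface (range is an assumption)
dhcpd address 192.168.0.100-192.168.0.200 data
dhcpd dns <DNS-IP>
dhcpd enable data
!
! PAT: both inside subnets share the single outside address for outbound
global (outside) 1 interface
nat (data) 1 192.168.0.0 255.255.255.0
nat (voice) 1 192.168.1.0 255.255.255.0
!
! Static port forwards on the outside address, one line per exposed port.
! RTP media for SIP calls is opened dynamically by the default
! "inspect sip" in the global policy (assumed left at its default).
static (data,outside) tcp interface smtp 192.168.0.93 smtp netmask 255.255.255.255
static (data,outside) udp interface 5060 <ASTERISK-IP> 5060 netmask 255.255.255.255
!
! Only the forwarded ports are allowed in from the Internet; everything
! else hits the implicit deny at the end of the list
access-list outside_in extended permit tcp any interface outside eq smtp
access-list outside_in extended permit udp any interface outside eq 5060
access-group outside_in in interface outside
!
! voice (90) -> data (100) is lower-to-higher security, so it is blocked
! unless an ACL allows it: phones may reach Asterisk and DNS, nothing else
access-list voice_in extended permit ip 192.168.1.0 255.255.255.0 host <ASTERISK-IP>
access-list voice_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-group voice_in in interface voice
!
! QoS on the ASA itself: honour the DSCP EF marking set by the phones and
! switches with a strict-priority queue toward the Internet (this only
! matters for calls that leave the site; on-site calls never cross the ASA)
priority-queue outside
class-map voice_rtp
 match dscp ef
policy-map outside_policy
 class voice_rtp
  priority
service-policy outside_policy interface outside
```

The point of the separate voice interface is that the ASA, not the switches, then decides what the phone subnet may touch: the voice_in list gives the phones exactly the Asterisk server and DNS, so a compromised or misbehaving phone cannot browse the data subnet or the accounting server. The outside_in list mirrors the reply's advice that every static should be paired with a permit for just that port; a static with no matching ACL line is simply unreachable, and an ACL line with no static forwards nothing, so it is worth checking that the two lists match line for line after every change.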
