Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
618
Views
0
Helpful
2
Replies

Newbie: Basic setup/configuration help with ASA5510 (1 Data, 1 VOIP Subnet)

mitechnologies
Level 1
Level 1

‎05-17-2008 09:35 AM - edited ‎03-10-2019 04:06 AM

Hello all,

WARNING: I'm a newbie, first exposure to Cisco 3524 POE switches 1 month ago. Got an ASA5510 w/spyware last week and I'm clueless about configuration.

view my topology at:

http://mitechnologiesinc.com/mit-network-diagram.pdf

data machines on 192.168.0.xxx network

VOIP phones on 192.168.1.xxx network

First of all, I need help creating an efficient network topology, then secondly,

I need help configuring the ASA for:

1) PAT using one external IP. I need certain devices such as SMTP/Asterisk/Accounting Servers accessible from the outside. Do I use one port as my external interface and only 1 port as for my private network, or is it better to define three private ports (one for each switch)

2) QOS - traffic is *almost* completely segmented w/ exception of data and voice through cisco switch 192.168.0.87. I guess through the cisco switches I can prioritize the voip traffic with tags, but what is the role of the ASA or the proper way to do it (remember I know very little about all this). I have Cisco 7460 phones powered by the POE Cisco 3524 switches and every computer/phone has its own cat5e running to the switches.

3) Network topology suggestion and general ASA setup tips.

The ASA5510 is my only security appliance and it's going to be my firewall (including url filtering and spyware protection), router, workstation dhcp server

Networking is not my forte, and I am happy to pay someone to configure my network. Its very difficult finding qualified personnel locally.

Labels:
0 Helpful
2 Replies 2

samuellthomasjr
Level 1
Level 1

‎05-18-2008 11:50 AM

1. Static NAT works for various tcp ports. This is the one for your mail server:

access-list 101 permit tcp any host eq smtp

static (inside,outside) tcp smtp 192.168.0.93 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp smtp 192.168.0.93 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp smtp 192.168.0.93 http netmask 255.255.255.255 0 0

access-group 101 in interface outside

Use the access-list to restrict traffic to a particular server [TCP/UPD/ICMP/etc]. If you need direct access to the server from outsite substitute "3389" for Remote Desktop Connection. Just remember to enable RDC on the server and permit the particular user to use RDC.

With what I have provided about, you should be able to setup the ASA5510 to permit access to all of your servers.

0 Helpful

mitechnologies
Level 1
Level 1
In response to samuellthomasjr

‎05-19-2008 07:29 AM

Thanks you, samuellthomasjr.

The example accesslist is a very good start for the routing.

What you think about the network in itself? How should the ASA5510 interfaces be configured as far as design and best practices?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card