Cisco ASA 5510 config with SSM


I've been tasked to replace our old sonicwall tz170 firewall with an ASA 5510 and configure it (which I've never done, only routers and switches) and I have a few questions.  I'm inside the ASDM and I'm trying to set up my outside interface...  The 5510 came with an SSM card, and I assumed this would be my outside interface, but I'm guessing I'm wrong since it isn't an option when running through the wizard.  I know what the SSM card is for, I just don't understand why it isn't an outside interface.  Where does this connect (just to my LAN??)?


Currently I set up the management interface to our ip and subnet and am connected through that.  I see the management interface and eth0 - eth3.


This is as simple as it can get, I just need the outside interface to be our public ip, and to set up the access rules to match my sonicwall.


Also on the version, it's running ASA 8.2.1.  Should I upgrade to 8.3.1?  What is the ED after the version (not familiar with it)?


Thanks!

Kelvin Willacey Thu, 05/13/2010 - 10:57

Hi,


The SSM is not an outside interface, and how it works depends on the type of module it is. Is it a CSC-SSM or an AIP-SSM? The configuration differs somewhat when using these modules but it's almost the same, and yes, it will connect to your LAN. Your outside interface should be one of the ports you select, and likewise for the inside interface. Typically though the outside interface is Ethernet0/0. The following link may help with a basic setup.


http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml


You can upgrade to the latest version if you so desire but you may require a memory upgrade so I would stick with 8.2, see link below.


http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-586414.html


The ED means early deployment by the way.

Kelvin Willacey Thu, 05/13/2010 - 11:29

The CSC-SSM is for content filtering (smtp, ftp, http); the AIP-SSM is for Intrusion Prevention. So with the module you have you will be able to block websites, block downloads, have time-of-day restrictions and all that stuff.

Yea I ordered all those features.  It makes sense now.  I'm having an issue with subnetting (I admit I don't know as much about it as I should).


My management interface has a static ip and is on the same subnet as my network (255.255.255.0) so I can hit the http server.  My eth0 is my outside interface.  I'm trying to make eth1 my inside interface and have it on the same subnet as everyone else (including my management interface) but it doesn't like it.  It tells me that it can't overlap with the management interface subnet.

!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.200.4 255.255.255.0
 management-only
!
interface Ethernet0/0
 description Outside Interface
 shutdown
 nameif outside
 security-level 0
 ip address xx.xxx.xx.xxx 255.255.255.248
!


I would really like my eth1 int on the same subnet as management, because my entire network is on the 255.255.255.0 subnet.  Here's what I would LIKE to do with Eth1, but it errors out:


!
interface Ethernet0/1
 description Inside LAN Interface
 shutdown
 nameif inside
 security-level 100
 ip address 192.168.200.4 255.255.255.0
!


How can I make this work?  Thank you!

Kelvin Willacey Thu, 05/13/2010 - 13:59

Hey, that's right, you can't have two interfaces on the same device in the same network, worst of all with the same IP address. If you don't need out-of-band management, which is what that management interface provides, I would suggest shutting down the port and removing the IP address so that it can be used on the inside interface. You will still be able to manage the device from the inside interface with the following commands:


telnet 192.168.200.0 255.255.255.0 inside

http 192.168.200.0 255.255.255.0 inside

ssh 192.168.200.0 255.255.255.0 inside


You can also configure a different network on the management interface all together if you still need the out of band management. Example


interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only


telnet 192.168.2.0 255.255.255.0 management

http 192.168.2.0 255.255.255.0 management

ssh 192.168.2.0 255.255.255.0 management


Let me know if that helps.
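As an added example (not from this thread or from Cisco), here is a small Python check that reproduces the overlap error the poster hit and audits the telnet/http/ssh management-access lines from the same answer. It runs on the constructed config below, which is not the poster's real configuration: the outside address is an example, and an extra `ssh 0.0.0.0 0.0.0.0 outside` line is included only to show what an exposed management plane looks like in the output.

```python
import ipaddress
import re

# Constructed sample (example data, not the poster's real config): the management and
# inside stanzas as the poster first tried them, plus management-access lines.
SAMPLE_CONFIG = """\
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.200.4 255.255.255.0
 management-only
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.200.4 255.255.255.0
!
telnet 192.168.200.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# telnet|ssh|http SOURCE MASK INTERFACE  (the ASA management-access syntax)
MGMT_RE = re.compile(r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_interfaces(config):
    """Map each nameif to its ipaddress.ip_interface; stanzas without an address are skipped."""
    interfaces = {}
    name = addr = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = addr = None          # a new stanza starts
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
        if name and addr and name not in interfaces:
            interfaces[name] = addr
    return interfaces


def find_conflicts(interfaces):
    """Return (a, b, same_ip) for every pair of named interfaces whose subnets overlap.
    The ASA refuses such a configuration, which is the error the poster saw."""
    names = sorted(interfaces)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interfaces[a].network.overlaps(interfaces[b].network):
                conflicts.append((a, b, interfaces[a].ip == interfaces[b].ip))
    return conflicts


def audit_management_access(config):
    """Flag cleartext telnet, and any telnet/ssh/http rule that opens the management
    plane on the outside interface or to 0.0.0.0/0."""
    findings = []
    for raw in config.splitlines():
        m = MGMT_RE.match(raw.strip())
        if not m:
            continue
        proto, ip, mask, ifname = m.groups()
        source = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if proto == "telnet":
            findings.append((raw.strip(), "cleartext protocol, use ssh instead"))
        if ifname == "outside" or source.prefixlen == 0:
            findings.append((raw.strip(), f"management reachable on {ifname} from {source}"))
    return findings


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for a, b, same_ip in find_conflicts(ifaces):
        print(f"overlap: {a} {ifaces[a]} vs {b} {ifaces[b]}" + (" (identical IP)" if same_ip else ""))
    for line, why in audit_management_access(SAMPLE_CONFIG):
        print(f"{line}: {why}")
```

Moving the management interface to its own subnet (192.168.2.0/24 in the answer above) makes `find_conflicts` return nothing. The audit keeps `ssh` and `http` (ASDM runs over HTTPS) restricted to the management subnet and flags `telnet`, which sends the enable password in cleartext, and any rule that reaches the management plane from the outside interface.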

Yay I got the interfaces set up:


!
interface Ethernet0/0
 description Outside WAN Interface
 shutdown
 nameif outside
 security-level 0
 ip address xx.xxx.xx.xx 255.255.255.248
!
interface Ethernet0/1
 description Inside LAN interface
 nameif inside
 security-level 100
 ip address 192.168.200.2 255.255.255.0
!


My ASA also set up these access rules automatically, are they ok? [screenshot]



Now in my old firewall (Sonicwall), it has route policies that were auto added. [screenshot] I'm assuming I set up the ASA the same way verbatim, right?


Also in my sonicwall, it used address objects to map aliases to hosts and IPs, [screenshot].  This would also be wise to do, right?


The sonicwall also has NAT Policies [screenshot] and ACCESS RULES [screenshot].  To me, these are exactly the same.  Or are the NAT policies the actual rule, and the access rule tells whether to ALLOW OR DENY the nat policy?


Sorry for all the questions, I just want to make sure this is done right.  THANKS!!

Correct Answer
Kelvin Willacey Fri, 05/14/2010 - 09:31

Those rules on the ASA are default rules; it is saying anything initiated from the inside is allowed out but nothing initiated from the outside is allowed in. Sorry, but I am not familiar with SonicWall at all to give you any tips on the rules you will need to set up. However, if all you have is an outside and inside interface then you will need a nat/pat to ensure that internal addresses can get out, and an access list to restrict those internal networks if needed. If you have inbound traffic, i.e. to mail, web server etc., then you will again need a nat and an access list to allow the traffic in.


The attached document (you can ignore the router configs) should hopefully give you a better idea of how inbound traffic works and how to apply access lists to an interface.


Let me know if this helps.

Ok that helps immensely.


All we have is an outside and inside, so a nat/pat is required (once I figure it out).

We do have incoming traffic that I need to route (webserver, mailserver, etc..).  I've already created all my network objects and service groups.


I'm stuck now on routes.  The sonicwall (sorry I know you don't work with them) created some routes automatically.  My ASA currently has no routes.  Should I create the routes from the Sonicwall in the ASA?  Here's a screen of the routes automatically created by the sonicwall device [screenshot]

Kelvin Willacey Fri, 05/14/2010 - 14:29

Yes, you will need to create the routes.


For instance to get to the Internet you will need: route outside 0.0.0.0 0.0.0.0 1.1.1.1 (internet gateway)


Also if you have a L3 switch on the LAN that provides for multiple networks then you will need routes on the ASA to get to those internal networks


route inside 172.18.10.0 255.255.255.0 172.17.10.1

route inside 172.19.10.0 255.255.255.0 172.17.10.1 and so on and so on.


I am not a fan of ASDM if that's what you are using so I can't really help there but I believe you will select the interface the traffic will be routed out, add the destination network and then the next hop address.


For natting you can pat, or use a pool or static nat, but just for browsing you can do the following:


global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 (this allows all networks to be natted as long as a route exists)


The document should help with the inbound traffic and the natting for the Internet as well. You can always post your config if you need anymore help.
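As an added example (not from this thread or from Cisco), here is a Python model of how an ASA running 8.2 evaluates the kind of route, global/nat, static and access-list lines given in the answer above, driven by a constructed sample config that is not the poster's real one. It also reproduces the symptom described later in the thread, where a static written as (inside,inside) never matches traffic arriving on the outside interface. The model is pre-8.3 only: in 8.3 and later the NAT syntax was rewritten and interface ACLs match real addresses instead of mapped ones, so the outside ACL would reference 192.168.200.10 rather than 203.0.113.3.

```python
import ipaddress

# Constructed ASA 8.2-syntax sample (example data, not the thread's real config).
# Interface addresses feed the connected routes; the second static deliberately
# uses the wrong interface pair, as in the poster's later fix.
INTERFACES = {"outside": "203.0.113.2/29", "inside": "192.168.200.2/24"}

SAMPLE_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 172.18.10.0 255.255.255.0 192.168.200.254 1
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.3 192.168.200.10 netmask 255.255.255.255
static (inside,inside) 203.0.113.4 192.168.200.11 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.3 eq 25
access-list outside_in extended permit tcp any host 203.0.113.4 eq 80
access-group outside_in in interface outside
"""


def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse(config):
    """Pull routes, nat/global pairs, statics and interface ACL bindings out of the text.
    The ACL parser only understands the 'permit|deny PROTO any host IP eq PORT' shape used above."""
    cfg = {"routes": [], "nat": [], "globals": {}, "statics": [], "acl": {}, "bound": {}}
    for name, addr in INTERFACES.items():               # connected routes
        cfg["routes"].append((ipaddress.ip_interface(addr).network, name, None))
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "route":                             # route IF NET MASK NEXTHOP [metric]
            cfg["routes"].append((_net(t[2], t[3]), t[1], t[4]))
        elif t[0] == "nat":                             # nat (IF) ID NET MASK
            cfg["nat"].append((t[1].strip("()"), t[2], _net(t[3], t[4])))
        elif t[0] == "global":                          # global (IF) ID interface|POOL
            cfg["globals"][t[2]] = (t[1].strip("()"), t[3])
        elif t[0] == "static":                          # static (REAL_IF,MAPPED_IF) MAPPED REAL ...
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, t[2], t[3]))
        elif t[0] == "access-list":                     # access-list NAME extended ACTION PROTO any host IP eq PORT
            cfg["acl"].setdefault(t[1], []).append((t[3], t[4], t[7], int(t[9])))
        elif t[0] == "access-group":                    # access-group NAME in interface IF
            cfg["bound"][t[4]] = t[1]
    return cfg


def route_lookup(cfg, dst):
    """Longest-prefix match; returns (egress interface, next hop or None for connected)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for network, ifname, nexthop in cfg["routes"]:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, ifname, nexthop)
    return None if best is None else (best[1], best[2])


def inbound(cfg, ingress, dst, dport, proto="tcp"):
    """Outside-initiated flow, pre-8.3 semantics: the ingress ACL is evaluated against the
    mapped (public) address, then a static whose mapped side is the ingress interface
    untranslates it, then the real address is routed."""
    acl = cfg["acl"].get(cfg["bound"].get(ingress), [])
    for action, p, ip, port in acl:
        if p == proto and ip == dst and port == dport:
            if action == "deny":
                return ("drop", "explicit acl deny")
            break
    else:
        return ("drop", "implicit deny at end of ACL")
    for real_if, mapped_if, mapped, real in cfg["statics"]:
        if mapped_if == ingress and mapped == dst:
            route = route_lookup(cfg, real)
            return ("permit", real, route[0] if route else None)
    return ("drop", f"no static (x,{ingress}) for mapped address {dst}")


def outbound(cfg, ingress, src):
    """Inside host going out: the nat (IF) ID line claims the source, the global with the same ID names the pool."""
    src_ip = ipaddress.ip_address(src)
    for nat_if, nat_id, network in cfg["nat"]:
        if nat_if == ingress and src_ip in network and nat_id in cfg["globals"]:
            egress, pool = cfg["globals"][nat_id]
            if pool == "interface":                      # PAT behind the egress interface address
                return ("pat", egress, str(ipaddress.ip_interface(INTERFACES[egress]).ip))
            return ("nat", egress, pool)
    return ("drop", "no nat/global pair", None)
```

Running `inbound(cfg, "outside", "203.0.113.3", 25)` permits and untranslates to 192.168.200.10 on the inside interface; the same call for 203.0.113.4 port 80 passes the ACL but is dropped because the only static for that address has the interface pair backwards, which is what a packet tracer in this situation reports as matching the dynamic `nat (inside) 1` line instead. That is also the answer to the question about NAT policies versus access rules: the static decides what the public address translates to, the ACL decides whether the packet is permitted, and an inbound service needs both.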

Ok I got the firewall up and running, internet traffic works great.  Problem is I'm having an issue with my NATs I think.  I set up access rules for my servers inside my network.  For example I have an access list that allows any outside traffic coming in on mail ports to forward to my mail server, however it's not working.  I ran a packet trace and it gets blocked by the final entry of my nat list:


nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (WAN-Primary-IP [Interface PAT])



Not sure why though.  It seems all my access lists get blocked by this final nat entry.  Any idea why?  Thank you!

I got it fixed!  I had the nat for it going (inside,inside) instead of (inside,outside).


I do have another quick question about the SSM card though.  Does the port have to be on the network for it to work?  I know to manage it I have to connect to it and give it an IP address, but does it have to be on the network in order to filter, scan, etc.. ?


Thank you for everything!

Kelvin Willacey Sun, 05/23/2010 - 12:01

I'm glad you got it working.


You do need it connected to the network for management purposes, as it is managed through ASDM and ASDM will need to be able to reach the IP address assigned to the CSC's management port, and also so that it can connect to the Internet to pull real-time updates.
