ASA 5510 and 5505 Setup

Unanswered Question
Aug 17th, 2010

I am new to CISCO!

I currently use MS ISA Server 2006 to protect a windows internal network, where there is also an MS Exchange server. I have acquired a Cisco 5510 to enhance security at main office. Later I will have ASA 5505 for branches, including VPN-ning. Please help in: 

  1. To have a firewall at the main office. I have several public IPs and would like to set up a DMZ for the Web, Exchange and FTP servers. How do I set up an interface and sub-interface for the DMZ?
  2. Can I continue using ISA Server connecting to the Cisco 5510 on the perimeter? If so, how do I set the interfaces (and sub-interfaces) as well as NAT-ting and access configuration between the inside and outside?

I will appreciate some sample code lines.

Thanks,

Andrew

Jitendriya Athavale Tue, 08/17/2010 - 08:05

some basics of nat

https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

other than that configuring interfaces for firewall is simple

example

  interface Ethernet0/0
    nameif <name>
    security-level <0-100>
    ip address x.x.x.x y.y.y.y
    no shutdown

security level can be inside outside or dmz

inside being most secure and outside being least secure

if you need to know more here is a link

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intro.html

this should give you what you need

please let us know if this resolves your issue

andrew kwayu Tue, 08/17/2010 - 22:18

Dear Jathaval, Kusankar,

I have an internal DNS and DHCP assigning addresses internally. Do I still need to have the ASA 5510 run DHCP? I also currently have ISA Server 2006, on which I had a stub copy of DNS, which forwards queries to external DNSs. How will I assign the ASA 5510 to do this?

If I wanted to continue using ISA Server with the ASA 5510, the latter at the perimeter, how could I accommodate both? Also, I have several global IPs and I do not know how to define sub-interfaces to assign several global IPs to a single physical interface, i.e. can I for example assign several global IPs on physical interface 0/0? How? Can a subinterface also accommodate a VPN? Please help with some example code if possible!

Thanks

Andrew

andrew kwayu Tue, 08/31/2010 - 23:10

Dear Jathavar,


Is it possible to assign more than one VLAN to one physical interface? I was thinking of assigning two public IPs to two different VLANs but all going through one physical interface, say interface 0/0. If that's possible, how do I start?

Thanks
andrew

mirober2 Wed, 09/01/2010 - 05:40

Hi Andrew,

On the 5505, you can do something like this:

  interface Ethernet0/0
    switchport mode trunk
    switchport trunk allowed vlan 10,20
  !
  interface vlan 10
    nameif outside1
    security-level 0
    ip address 1.1.1.1 255.255.255.0
  !
  interface vlan 20
    nameif outside2
    security-level 0
    ip address 2.2.2.2 255.255.255.0

Likewise, on the 5510, you can do this:

  interface Ethernet0/0.10
    vlan 10
    nameif outside1
    security-level 0
    ip address 1.1.1.1 255.255.255.0
  !
  interface Ethernet0/0.20
    vlan 20
    nameif outside2
    security-level 0
    ip address 2.2.2.2 255.255.255.0

Hope that helps.

-Mike

andrew kwayu Wed, 09/01/2010 - 10:02

Dear Mirober2

Thanks, it helps, but I am told the physical interface which has been split into sub-interfaces must be connected to a trunk port. Just what does this mean in the real world? My plan was to just connect this port to a router and on to the ISP. Will this work with sub-interfaces?

thanks

mirober2 Wed, 09/01/2010 - 10:14

Hi Andrew,

Subinterfaces will automatically configure the ASA's physical interface to be an 802.1q trunk. There is no way around this, since the ASA depends on the .1q tag on the packets to determine which subinterface the packet should be processed by.

Hope that helps.

-Mike
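To make Mike's two points concrete (the VLAN-per-subinterface layout in his configuration above and the reason the physical port must be an 802.1Q trunk), here is an added example that is not from the thread: a small Python parser for the 802.1Q tag and a dispatcher that picks the named interface by VLAN ID, mirroring the Ethernet0/0.10 / Ethernet0/0.20 example. The MAC addresses, frame payload and the subinterface table are constructed for the demo; untagged frames and unknown VLAN IDs deliberately match nothing, which is the behaviour that makes the trunk mandatory.

```python
import struct

# Constructed sample MAC addresses for the demo frames (not taken from the thread).
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Subinterface table mirroring Mike's 5510 example: Ethernet0/0.10 carries VLAN 10
# (nameif outside1) and Ethernet0/0.20 carries VLAN 20 (nameif outside2).
SUBINTERFACES = {10: "outside1", 20: "outside2"}


def build_tagged_frame(vlan_id, pcp=0, payload=b"\x45" + b"\x00" * 19):
    """Build a constructed Ethernet frame with one 802.1Q tag in front of an IPv4 EtherType."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = (pcp & 0x7) << 13 | vlan_id          # TCI = PCP(3) DEI(1, left 0) VID(12)
    return DST_MAC + SRC_MAC + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def build_untagged_frame(payload=b"\x45" + b"\x00" * 19):
    """Constructed untagged frame: the EtherType follows the two MAC addresses directly."""
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vlan(frame):
    """Return (vlan_id, ethertype, payload); vlan_id is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("802.1Q header truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]


def dispatch(frame, table=SUBINTERFACES):
    """Pick the named interface a frame belongs to, keyed on the VLAN tag as the ASA does.

    Untagged frames and unknown VLAN IDs return None: no subinterface exists to process
    them, which is why the upstream device must be a trunk that tags every frame.
    """
    vlan_id, _, _ = parse_vlan(frame)
    if vlan_id is None:
        return None
    return table.get(vlan_id)


if __name__ == "__main__":
    for f in (build_tagged_frame(10), build_tagged_frame(20), build_tagged_frame(30), build_untagged_frame()):
        print(parse_vlan(f)[0], "->", dispatch(f))
```

In practice this means the router or switch on the other side of Ethernet0/0 must be configured for 802.1Q trunking with the same VLAN IDs; a plain access port delivers untagged frames, which here (and on the ASA) land on no subinterface.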

andrew kwayu Wed, 09/01/2010 - 22:20

Dear mirober2

My ISP has given me IPs that are in mask 255.255.255.248. When I enter subinterfaces to combine some of these public IPs on one physical interface, I get a conflict.

  interface ethernet0/0
    no nameif
    no security-level
    no ip address
  !
  interface ethernet0/0.1
    description outside1
    vlan 1
    nameif outside1
    security-level 0
    ip address x.x.x.90 255.255.255.248
  !
  interface ethernet0/0.2
    description outside2
    vlan 2
    nameif outside2
    security-level 0
    ip address x.x.x.91 255.255.255.248    --------- Conflict with interface 0/0.1

Help

mirober2 Thu, 09/02/2010 - 05:06

Hi Andrew,

The behavior you see there is correct. Since the addresses are in the same subnet, you cannot apply them to 2 different interfaces.

What are you requirements for the use of the two public IPs? One use case might be to assign 1 of the addresses to the outside interface and then use the other address for translating a certain host or hosts. You could do something like this:

  interface ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.90 255.255.255.248
  !
  nat (inside) 1 0 0
  global (outside) 1 x.x.x.91

That configuration would use .90 for the ASA's external address and use PAT to translate all of the hosts on your inside interface to .91 when they go out to the Internet. Let us know what you're trying to accomplish with the use of 2 external IPs and we might be able to suggest a better solution.

Hope that helps.

-Mike
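The conflict Mike explains is a subnet overlap check, and it is easy to reproduce before touching the box. The following Python is an added example, not from the thread: it parses addresses in the "ip mask" form the ASA uses, reports interface pairs whose connected subnets overlap, and lists the remaining addresses in the ISP block that can be used for NAT instead of a second interface. The 203.0.113.x values are constructed stand-ins for the thread's x.x.x.90 and x.x.x.91 (the ISP's /29), and the .89 "gateway" passed as reserved is a hypothetical placeholder.

```python
import ipaddress


def parse_asa_address(text):
    """Accept either 'ip mask' as typed on the ASA or 'ip/prefix'. Returns an IPv4Interface."""
    parts = text.split()
    if len(parts) == 2:
        text = f"{parts[0]}/{parts[1]}"
    return ipaddress.ip_interface(text)


def find_subnet_conflicts(interfaces):
    """interfaces: list of (nameif, address). Returns pairs of names whose connected subnets overlap.

    The ASA rejects the second address of such a pair: each named interface needs its own subnet.
    """
    parsed = [(name, parse_asa_address(addr)) for name, addr in interfaces]
    conflicts = []
    for i, (name_a, ifc_a) in enumerate(parsed):
        for name_b, ifc_b in parsed[i + 1:]:
            if ifc_a.network.overlaps(ifc_b.network):
                conflicts.append((name_a, name_b))
    return conflicts


def spare_public_addresses(interface_address, reserved=()):
    """Usable addresses in the outside subnet other than the ASA's own (and any reserved ones,
    e.g. the ISP router), as candidates for 'global' or 'static' entries in 8.2 syntax.
    Network and broadcast addresses are excluded by hosts()."""
    ifc = parse_asa_address(interface_address)
    skip = {ifc.ip} | {ipaddress.ip_address(r) for r in reserved}
    return [str(h) for h in ifc.network.hosts() if h not in skip]


# Constructed samples: 203.0.113.0/24 is a documentation range standing in for the thread's x.x.x.*.
ANDREWS_ATTEMPT = [                       # two subinterfaces inside the same /29 -> rejected
    ("outside1", "203.0.113.90 255.255.255.248"),
    ("outside2", "203.0.113.91 255.255.255.248"),
]
MIKES_EXAMPLE = [                         # two distinct /24s -> accepted
    ("outside1", "1.1.1.1 255.255.255.0"),
    ("outside2", "2.2.2.2 255.255.255.0"),
]
ISP_GATEWAY = "203.0.113.89"              # hypothetical placeholder for the provider's router

if __name__ == "__main__":
    print("conflicts:", find_subnet_conflicts(ANDREWS_ATTEMPT))
    print("no conflicts:", find_subnet_conflicts(MIKES_EXAMPLE))
    print("left for NAT:", spare_public_addresses("203.0.113.90 255.255.255.248", reserved=[ISP_GATEWAY]))
```

The second function is the constructive side of Mike's answer: with a /29 there are six usable addresses, one goes on the outside interface, and the rest are spent on NAT entries rather than on extra interfaces.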

andrew kwayu Thu, 09/02/2010 - 23:47

Dear Mike,

Thanks for this response. In a nutshell, this is broadly what I want to do:

  • I want public IP x.x.x.90 to be for the web server, which I would like to be placed in the DMZ. In the DMZ I would add other servers, e.g. FTP.
  • Public IP x.x.x.91 to be assigned the outside role. Also this same public IP for Exchange server mail, which will be in the internal LAN with internal IP 192.168.x.x.
  • I will place ISA 2006 in the DMZ as a proxy, and would like to force all internal clients to the Internet through ISA Server 2006 (back-to-back configuration with the ASA 5510).
  • I also have plans for a VPN connection with a branch office with an ASA 5505.

Please help

mirober2 Fri, 09/03/2010 - 05:19

Hi Andrew,

In that case, you can setup static PAT to achieve this:

  interface ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.91 255.255.255.248
  !
  static (dmz,outside) tcp x.x.x.90 www <dmz-web-server-ip> www netmask 255.255.255.255
  static (dmz,outside) tcp x.x.x.90 ftp <dmz-ftp-server-ip> ftp netmask 255.255.255.255
  static (inside,outside) tcp interface smtp 192.168.x.x smtp netmask 255.255.255.255

You can also setup a simple PAT so the hosts on the inside network can get out to the Internet:

  nat (inside) 1 0 0
  global (outside) 1 interface

Hope that helps.

-Mike
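As an added example (not from the thread), the Python below models what Mike's static PAT plus dynamic PAT actually expose and translate, so the design can be checked before it goes on the ASA: inbound connections succeed only for the published (address, port) pairs, everything else to the public addresses has no translation, and outbound inside hosts are rewritten to the interface address with a unique port. The 203.0.113.x and 172.16.x.x values are constructed stand-ins for x.x.x.90/.91 and for an unnamed DMZ host; 192.168.1.10 stands for the 192.168.x.x Exchange server. One caveat the post leaves implicit: in 8.2 syntax a static creates the translation only; traffic from the lower-security outside interface still needs an access-list applied to outside that permits those ports, and outbound traffic from the DMZ host itself is not modelled here.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the thread's placeholders (documentation ranges, not real hosts).
OUTSIDE_IP = "203.0.113.91"        # x.x.x.91, the address on the outside interface
WEB_PUBLIC = "203.0.113.90"        # x.x.x.90, published for the DMZ web/ftp server
DMZ_SERVER = "172.16.10.10"        # hypothetical DMZ host running www and ftp
EXCHANGE = "192.168.1.10"          # the 192.168.x.x Exchange server on the inside

# The three static PAT lines from Mike's post, as
# (real_ifc, mapped_ifc, proto, mapped_ip, mapped_port) -> (real_ip, real_port).
# The keyword 'interface' in the original resolves to the outside interface address.
STATIC_PAT = {
    ("dmz", "outside", "tcp", WEB_PUBLIC, 80): (DMZ_SERVER, 80),
    ("dmz", "outside", "tcp", WEB_PUBLIC, 21): (DMZ_SERVER, 21),
    ("inside", "outside", "tcp", OUTSIDE_IP, 25): (EXCHANGE, 25),
}


@dataclass(frozen=True)
class Flow:
    in_ifc: str      # interface the first packet arrives on
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatTable:
    """Dynamic PAT state for 'nat (inside) 1 0 0' + 'global (outside) 1 interface'."""
    next_port: int = 1024
    xlate: dict = field(default_factory=dict)

    def outbound(self, flow):
        """Inside -> outside: rewrite the source to the outside address and a per-flow port."""
        if flow.in_ifc != "inside":
            return None                       # the nat statement covers the inside interface only
        key = (flow.proto, flow.src_ip, flow.src_port)
        if key not in self.xlate:
            self.xlate[key] = self.next_port  # simplified allocator; the ASA picks its own ports
            self.next_port += 1
        return OUTSIDE_IP, self.xlate[key]


def inbound(flow):
    """Outside -> DMZ/inside: only a matching static PAT entry yields a destination.

    Anything else (the outside address on port 80, the web address on port 22, UDP, ...)
    returns None: with no translation the ASA has nowhere to deliver it.
    """
    for (real_ifc, mapped_ifc, proto, mapped_ip, mapped_port), (real_ip, real_port) in STATIC_PAT.items():
        if (flow.in_ifc, flow.proto, flow.dst_ip, flow.dst_port) == (mapped_ifc, proto, mapped_ip, mapped_port):
            return real_ifc, real_ip, real_port
    return None


def exposed_ports():
    """Public (ip, port) pairs this configuration publishes: the whole inbound surface."""
    return sorted((mip, mport) for (_, _, _, mip, mport) in STATIC_PAT)


if __name__ == "__main__":
    print("published:", exposed_ports())
    print(inbound(Flow("outside", "tcp", "198.51.100.7", 40000, WEB_PUBLIC, 80)))
    print(inbound(Flow("outside", "tcp", "198.51.100.7", 40000, OUTSIDE_IP, 80)))
    table = PatTable()
    print(table.outbound(Flow("inside", "tcp", "192.168.1.50", 5000, "198.51.100.7", 443)))
```

Listing `exposed_ports()` is the useful defender's check here: it should match exactly the services intended to be reachable, and each entry needs a matching permit in the outside access-list and nothing more.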

andrew kwayu Tue, 08/23/2011 - 07:23

Dear Mirober,

This seems to be nearing what I need. But can you please place the ISA server somewhere in your presentation?

Thanks
