ASA 5510 and 5505 Setup

Aug 17th, 2010

I am new to Cisco!


I currently use MS ISA Server 2006 to protect a Windows internal network, where there is also an MS Exchange server. I have acquired a Cisco ASA 5510 to enhance security at the main office. Later I will have ASA 5505s for the branches, including VPNs. Please help with:

  1. Having a firewall at the main office. I have several public IPs and would like to set up a DMZ for the web, Exchange and FTP servers. How do I set up the interface and sub-interfaces for the DMZ?
  2. Can I continue using ISA Server, connecting it to the Cisco 5510 on the perimeter? If so, how do I set up the interfaces (and sub-interfaces) as well as the NAT and access configuration between the inside and outside?


I would appreciate some sample code lines.


Thanks,

Andrew

Jitendriya Athavale (Cisco Employee) Tue, 08/17/2010 - 08:05

Some basics of NAT:


https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml


Other than that, configuring interfaces on the firewall is simple.


Example:


interface Ethernet0/0
 ip address x.x.x.x y.y.y.y
 ! nameif takes the interface name (e.g. inside, outside, dmz)
 nameif outside
 ! security-level is 0-100 (100 = most trusted); nameif inside defaults to 100, others to 0
 security-level 0
 no shutdown


The security level can be inside, outside or DMZ, inside being the most secure and outside being the least secure.


If you need to know more, here is a link:


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intro.html


This should give you what you need.


Please let us know if this resolves your issue.

andrew kwayu Tue, 08/17/2010 - 22:18

Dear Jathaval, Kusankar,


I have an internal DNS and a DHCP server assigning addresses internally. Do I still need to have the ASA 5510 run DHCP? I also currently have ISA Server 2006, on which I had a stub copy of DNS that forwards queries to external DNS servers. How will I set up the ASA 5510 to do this?

If I wanted to continue using the ISA server with the ASA 5510, the latter at the perimeter, how could I accommodate both? Also, I have several global IPs and I do not know how to define sub-interfaces to assign several global IPs to a single physical interface, i.e. can I, for example, assign several global IPs on physical interface 0/0? How? Can a subinterface also accommodate a VPN? Please help with some example code if possible!


Thanks

Andrew

andrew kwayu Tue, 08/31/2010 - 23:10

Dear Jathavar,


Is it possible to assign more than one VLAN to one physical interface? I was thinking of assigning two public IPs to two different VLANs, all going through one physical interface, say interface 0/0. If that's possible, how do I start?

Thanks
andrew

mirober2 (Cisco Employee) Wed, 09/01/2010 - 05:40

Hi Andrew,


On the 5505, you can do something like this:

interface Ethernet0/0
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface Vlan10
 nameif outside1
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan20
 nameif outside2
 security-level 0
 ip address 2.2.2.2 255.255.255.0


Likewise, on the 5510, you can do this:


interface Ethernet0/0.10
 vlan 10
 nameif outside1
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0.20
 vlan 20
 nameif outside2
 security-level 0
 ip address 2.2.2.2 255.255.255.0


Hope that helps.


-Mike

andrew kwayu Wed, 09/01/2010 - 10:02

Dear Mirober2


Thanks, it helps, but I am told the physical interface, which has been split into subinterfaces, must be connected to a trunk port. Just what does this mean in the real world? My plan was to just connect this port to a router and on to the ISP. Will this work with subinterfaces?


thanks

mirober2 (Cisco Employee) Wed, 09/01/2010 - 10:14

Hi Andrew,


Subinterfaces will automatically configure the ASA's physical interface to be an 802.1q trunk. There is no way around this, since the ASA depends on the .1q tag on the packets to determine which subinterface the packet should be processed by.


Hope that helps.


-Mike
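What "connected to a trunk port" means in practice, as an added example that is not part of the original thread: the device on the far end of the ASA's Ethernet0/0 (a router or a switch) must send 802.1q-tagged frames for VLANs 10 and 20. A plain router port with one IP address sends untagged frames, and no ASA subinterface will match them. The router platform, interface names and addresses below are assumptions; they mirror the VLAN 10/20 layout of the 5510 example earlier in the thread.

```text
! Router side (IOS), assumed FastEthernet0/0 is the port cabled to the ASA's Ethernet0/0.
! Each router subinterface tags its frames with the VLAN the matching ASA subinterface expects.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 1.1.1.254 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 2.2.2.254 255.255.255.0
!
! If a switch sits between the router and the ASA instead, the switch port towards the
! ASA must be an 802.1q trunk that carries only those two VLANs (assumed port name).
! Some Catalyst models also need "switchport trunk encapsulation dot1q" first.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

On the ASA, `show interface Ethernet0/0.10` should report the subinterface up once tagged frames arrive. If the ISP hands you an untagged port and you cannot insert a device that tags, put the address on the physical interface rather than a subinterface; the subinterfaces only buy you something when more than one VLAN actually crosses the wire.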

andrew kwayu Wed, 09/01/2010 - 22:20

Dear mirober2


My ISP has given me IPs with the mask 255.255.255.248. When I enter subinterfaces to combine some of these public IPs on one physical interface, I get a conflict.


interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.1
 description outside1
 vlan 1
 nameif outside1
 security-level 0
 ip address x.x.x.90 255.255.255.248
!
interface Ethernet0/0.2
 description outside2
 vlan 2
 nameif outside2
 security-level 0
 ip address x.x.x.91 255.255.255.248    --------- Conflict with interface 0/0.1


Help

mirober2 (Cisco Employee) Thu, 09/02/2010 - 05:06

Hi Andrew,


The behavior you see there is correct. Since the addresses are in the same subnet, you cannot apply them to 2 different interfaces.


What are your requirements for the use of the two public IPs? One use case might be to assign one of the addresses to the outside interface and then use the other address for translating a certain host or hosts. You could do something like this:


interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.90 255.255.255.248
!
nat (inside) 1 0 0
global (outside) 1 x.x.x.91


That configuration would use .90 for the ASA's external address and use PAT to translate all of the hosts on your inside interface to .91 when they go out to the Internet. Let us know what you're trying to accomplish with the use of 2 external IPs and we might be able to suggest a better solution.


Hope that helps.


-Mike

andrew kwayu Thu, 09/02/2010 - 23:47

Dear Mike,


Thanks for this response. In a nutshell, this is broadly what I want to do:

  • I want public IP x.x.x.90 to be for the web server, which I would like to place in the DMZ. In the DMZ I will add other servers, e.g. FTP.
  • Public IP x.x.x.91 to be assigned the outside role. This same public IP is also for the Exchange server's mail, which will be in the internal LAN with the internal IP 192.168.x.x.
  • I will place ISA 2006 in the DMZ as a proxy, and would like to force all internal clients to the Internet through ISA Server 2006 (back-to-back configuration with the ASA 5510).
  • I also plan a VPN connection to a branch office with an ASA 5505.


Please help

mirober2 (Cisco Employee) Fri, 09/03/2010 - 05:19

Hi Andrew,


In that case, you can set up static PAT to achieve this:


interface Ethernet0/0
 nameif outside
 security-level 0
 ! the ISP block is a /29, so the mask is 255.255.255.248, not 255.255.255.0
 ip address x.x.x.91 255.255.255.248
!
! static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port
! replace the <...> placeholders with the servers' real addresses
static (dmz,outside) tcp x.x.x.90 www <dmz-web-server-ip> www netmask 255.255.255.255
static (dmz,outside) tcp x.x.x.90 ftp <dmz-ftp-server-ip> ftp netmask 255.255.255.255
static (inside,outside) tcp interface smtp <exchange-server-ip> smtp netmask 255.255.255.255


You can also set up a simple PAT so the hosts on the inside network can get out to the Internet:


nat (inside) 1 0 0
global (outside) 1 interface


Hope that helps.


-Mike
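Putting the pieces of this thread together as one added example (not configuration from any of the original posts): a three-interface ASA 5510 using the pre-8.3 NAT syntax shown above, the ISP's /29 mask, the web and FTP servers behind x.x.x.90 in the DMZ, Exchange behind the outside interface address x.x.x.91, and an inbound access-list, without which the static PATs are unreachable, because the ASA drops traffic arriving from a lower security level unless an ACL permits it. The interface numbering, the private subnets (192.168.1.0/24 inside, 172.16.1.0/24 DMZ), the server addresses, the ISP gateway x.x.x.89 and the ISA proxy port 8080 are assumptions for illustration. The inside access-list is one way to meet the stated goal of forcing internal clients out through the ISA server placed in the DMZ; it is not something the thread's replies specify.

```text
! ASA 5510, 8.2-style NAT as used in this thread. Everything except x.x.x.90/.91 is assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.91 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 x.x.x.89
!
! Dynamic PAT: inside and DMZ hosts (including the ISA proxy) leave via the outside address (.91)
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Static PAT: .90 fronts the DMZ web and FTP servers; .91 fronts Exchange on the inside.
! Syntax: static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port
static (dmz,outside) tcp x.x.x.90 www 172.16.1.10 www netmask 255.255.255.255
static (dmz,outside) tcp x.x.x.90 ftp 172.16.1.11 ftp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255
!
! Inbound ACL. In 8.2 the destination is the mapped (public) address.
! Only the three translated ports are exposed; the implicit deny drops everything else.
access-list outside_in extended permit tcp any host x.x.x.90 eq www
access-list outside_in extended permit tcp any host x.x.x.90 eq ftp
access-list outside_in extended permit tcp any host x.x.x.91 eq smtp
access-group outside_in in interface outside
!
! Inside ACL (assumed design): clients reach the Internet only through the ISA proxy
! in the DMZ; Exchange and the internal DNS forwarder keep the direct access they need.
! Applying an ACL replaces the default "higher to lower is allowed" behaviour, so the
! implicit deny at the end blocks any client trying to bypass the proxy.
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.5 eq 8080
access-list inside_in extended permit tcp host 192.168.1.20 any eq smtp
access-list inside_in extended permit udp host 192.168.1.30 any eq domain
access-list inside_in extended permit tcp host 192.168.1.30 any eq domain
access-group inside_in in interface inside
```

Two things worth knowing before copying this. First, the DMZ sits at security-level 50, so its hosts (the ISA server included) can open connections to the Internet but not into the inside network; only replies to inside-initiated sessions return, which is the point of putting a proxy and the public servers there. Second, the default global policy's `inspect ftp` is what makes the FTP static PAT work for the data channel; leave it enabled. On ASA 8.3 and later the NAT commands changed and access-lists reference the real (untranslated) address, so this fragment applies to the 8.2 code the thread's examples use.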

andrew kwayu Tue, 08/23/2011 - 07:23

Dear Mirober,


This seems to be nearing what I need. But can you please place the ISA server somewhere in your presentation?


Thanks
