Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
834
Views
0
Helpful
3
Replies

ASA5510 Setup Layout - Does this work?

Go to solution
kakados2000
Level 1
Level 1

‎04-10-2012 01:04 AM - edited ‎03-11-2019 03:52 PM

Hello Cisco'ers

I am planing to implement an ASA55100 in our network.

I've never worked with an ASA5510 device, so i am not quiet sure how to place it correctly.

The idea is the following:

Current Situation

Network with wireless access, everybody who's connected to the Wifi can access the resources.

SSID = JUFCorp

Desired Situation

Network with only internet access, separate SSID -> JUFGuest

Is this possible with this layout?

Image and video hosting by TinyPic

PS: when i configure the ASA, i couldn't find an option where i can enter a default gateway. Is this supposed to be like this?

So right now i can only access the management port when i'm in the same subnet. Is there an other way around that?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
sean_evershed
Level 7
Level 7

‎04-10-2012 02:29 AM

Hi,

My suggestion would be to terminate the Internet directly on your ASA. That way you would save one of your public IP addresses.

If it is a small network it also means potentially that you could retire the router from your network. The firewall can perform routing functions in it's place.

Move the DMZ switch off to the side of the ASA so it is not directly connected to the Internet.

See below a quick start guide for the ASA that will help you configure it.

http://www.cisco.com/en/US/docs/security/asa/quick_start/5500/5500_quick_start.html

You can configure ACLs on the WLC to restrict guest access to the Internet only. See below an example guide to help you get started.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml

Alternatively you could sit the WLC behind the DMZ switch and control access to the Internet via the firewall.

Don't forget to rate posts that are helpful.

Cheers

Sean

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-10-2012 02:31 AM

Hi,

I can't really comment on the network layout much as I dont deal with wireless networks (at all)

Though my first instinct would be to place the ASA behind the router. In your current setup I guess it would only serve the wireless networks?

Regarding the default route though

You can enter it from the CLI in the following way

route 0.0.0.0 0.0.0.0

for example

route outside 0.0.0.0 0.0.0.0 1.2.3.4

This can be done on ASDM also with either of these 2 ways:

Tools -> Command Line Interface -> insert the above command in a form modified to suite your purpose

OR

Configuration -> Device Setup -> Routing -> Static Routes -> Add

and add a route for 0.0.0.0/0 with the gateway address and destination interface of your choice

- Jouni

View solution in original post

0 Helpful
3 Replies 3

Go to solution
sean_evershed
Level 7
Level 7

‎04-10-2012 02:29 AM

Hi,

My suggestion would be to terminate the Internet directly on your ASA. That way you would save one of your public IP addresses.

If it is a small network it also means potentially that you could retire the router from your network. The firewall can perform routing functions in it's place.

Move the DMZ switch off to the side of the ASA so it is not directly connected to the Internet.

See below a quick start guide for the ASA that will help you configure it.

http://www.cisco.com/en/US/docs/security/asa/quick_start/5500/5500_quick_start.html

You can configure ACLs on the WLC to restrict guest access to the Internet only. See below an example guide to help you get started.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml

Alternatively you could sit the WLC behind the DMZ switch and control access to the Internet via the firewall.

Don't forget to rate posts that are helpful.

Cheers

Sean

0 Helpful

Go to solution
kakados2000
Level 1
Level 1
In response to sean_evershed

‎04-10-2012 02:34 AM

Hi Sean,

thanks, makes sense.

There was just one more thing that's bugging me->

when i configure the ASA, i couldn't find an option where i can enter a default gateway. Is this supposed to be like this?

So right now i can only access the management port when i'm in the same subnet. Is there an other way around that?

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-10-2012 02:31 AM

Hi,

I can't really comment on the network layout much as I dont deal with wireless networks (at all)

Though my first instinct would be to place the ASA behind the router. In your current setup I guess it would only serve the wireless networks?

Regarding the default route though

You can enter it from the CLI in the following way

route 0.0.0.0 0.0.0.0

for example

route outside 0.0.0.0 0.0.0.0 1.2.3.4

This can be done on ASDM also with either of these 2 ways:

Tools -> Command Line Interface -> insert the above command in a form modified to suite your purpose

OR

Configuration -> Device Setup -> Routing -> Static Routes -> Add

and add a route for 0.0.0.0/0 with the gateway address and destination interface of your choice

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card