Network Config Recommendations

mtehonica
Level 5

I am going to be replacing an old Cisco 800 series router with an ASA5505 in the next few weeks and am looking for some feedback on the best way to set things up. My network setup consists of 2 networks, 192.168.5.0/24 and 172.16.20.0/24. The 192 network has any servers that need Internet access and the 172 network is an internal only network for all the servers. Servers that don't need Internet access are on the 172 network for security. Currently only the 192 network is connected to the Cisco 800 router and the 172 is on a switch with no uplink to the router. My plan for the new router is to configure a VLAN for each network. Here is my question....

1) How do I make sure the internal only network can't access the Internet? I know I could just not put a default gateway on my servers but I'd like to block it from the router if possible.

2) Kind of related to the first, I need to configure a VPN so I can connect to the internal only network from outside the building. How would I go about this?

Is this possible? If so, any suggestions on implementing this?

Thanks in advance!

Sent from Cisco Technical Support iPad App

7 Replies

Reza Sharifi
Hall of Fame

Do you have a WAN circuit connected to your 800? Remember, the ASA can only take an Ethernet feed and not T1, T3, DSL, etc. So, if there is a WAN circuit involved, you cannot replace the router with a firewall.

1) As long as the 172 network resides on the switch and not the router, you should be fine.

2) Kind of related to the first, I need to configure a VPN so I can connect to the internal only network from outside the building. How would I go about this?

You mentioned you don't want the internal network to connect to the outside. Now you are saying you want to connect to the internal network (172) from outside?

HTH

Thanks for the quick response. We have an Ethernet connection coming in for our WAN side so that won't be an issue.

I guess the main problem I have is that I need to be able to VPN in and connect to every server but every server isn't on the 192 network. Every server does have a 172 IP though. If I connect the 172 to the ASA and VPN in, then I'd essentially be on the same network and could connect to everything, correct?

Sent from Cisco Technical Support iPad App

Correct, the 172 network needs to be present on the ASA, but if you terminate it on the switch, then the ASA has no way to get to the servers. There will not be any routes in the ASA route table pointing to the 172 network.

HTH

When I configure the VPN connection on the ASA, do I have the option of telling it what network/VLAN to VPN into? And do I assign the VPN client an IP from the 172 network?

Sent from Cisco Technical Support iPad App

One way to do it is to create a subnet just for VPN (10.10.10.0/24). So when you make a connection to the ASA, the ASA would assign an IP address dynamically from the pool to you. From there, that subnet needs to be routed to the server subnet so you can access the servers.

HTH

kamran_Roostaee
Level 1

If you want to use the ASA 5505 you can use the DMZ feature. The ASA 5505 supports VLANs too, so you can define 3 zones (internal, DMZ and external): connect the internal network to the internal zone, connect your servers to the DMZ zone and connect the WAN or ISP link to the external zone. If you use NAT for connecting the internal network to your servers, this design helps you have a secure implementation for connecting your servers to the Internet without any concern about the internal network. You can define a VPN service on your ASA and, with an access list, connect it to your internal network.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b7c939.shtml

Julio Carvajal
VIP Alumni

Hello Matt,

As you know the ASA is a great and powerful device that performs stateful packet inspection and deep packet inspection.

I can see that you want to block inside users from initiating connections to the outside.

On an ASA, users on a higher security level (inside interface) are allowed by default to go to a lower security level (outside) unless you configure an access-list denying the traffic. This is what you need for question number 1.

Now, related to the VPN stuff: you can allow VPN connections initiated on the outside by doing a no-NAT rule from the inside users to the outside and then using the sysopt permit-vpn command.

If you would like, you can post the configuration and I can help you on that.

Do rate all the helpful posts

Julio

Cisco Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
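Added example, not part of the original thread or any poster's configuration: an ASA 5505 configuration (8.4-style NAT syntax) that puts together the pieces the replies above describe. It answers question 1 with an inbound access-list on the 172 interface that only permits the VPN pool and explicitly denies everything else (overriding the default higher-to-lower permission Julio mentions), and question 2 with the dedicated VPN pool Reza suggests (10.10.10.0/24), the NAT exemption and `sysopt connection permit-vpn` Julio refers to, and a minimal IKEv1 remote-access tunnel group. The outside addresses (203.0.113.0/24), interface names, object names, pre-shared key and username are assumptions for illustration. One caveat specific to the 5505 Base license: it allows three VLANs only if the third carries a `no forward interface` restriction, which is entered before `nameif`; here that restriction is pointed at the 192 VLAN, which matches the goal of an internal-only network. With a Security Plus license the `no forward interface` line is not needed.

```cisco
! --- Interfaces: one VLAN per network, Ethernet0/0 is the ISP uplink ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1          ! Base-license restriction; internal may not initiate to inside
 nameif internal
 security-level 100
 ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
! remaining Ethernet0/x ports stay in VLAN 1 (inside) by default
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! --- Objects and NAT ---
object network INSIDE_NET
 subnet 192.168.5.0 255.255.255.0
 nat (inside,outside) dynamic interface   ! only the 192 network gets PAT to the Internet
!
object network INTERNAL_NET
 subnet 172.16.20.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0
! NAT exemption: VPN users reach the 172 servers with real addresses in both directions
nat (internal,outside) source static INTERNAL_NET INTERNAL_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! --- Question 1: 172 network may only talk to VPN clients, never to the Internet ---
access-list INTERNAL_IN extended permit ip 172.16.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list INTERNAL_IN extended deny ip any any log
access-group INTERNAL_IN in interface internal

! --- Question 2: remote-access IPsec VPN landing in the 10.10.10.0/24 pool ---
ip local pool VPN_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
! decrypted VPN traffic bypasses the outside interface ACL
sysopt connection permit-vpn
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
!
! split tunnel: only the 172 network goes through the tunnel, not the client's Internet traffic
access-list SPLIT_TUNNEL standard permit 172.16.20.0 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
username vpnuser password CHANGE_ME privilege 0    ! placeholder credential, local authentication
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 ikev1 pre-shared-key CHANGE_ME_TOO               ! placeholder group key
```

To check the result after applying it, `packet-tracer input internal tcp 172.16.20.10 1025 8.8.8.8 80` should end in a DROP on the INTERNAL_IN access-list, while `packet-tracer input internal tcp 172.16.20.10 1025 10.10.10.5 3389` should be ALLOW once a client holds that pool address, and `show nat` should show untranslated hits on the static INTERNAL_NET/VPN_POOL rule when a VPN session is active. Because the 172 servers are dual-homed on the 192 network as well, the deny on the 172 interface does not by itself stop them reaching the Internet via their 192 address; that path is governed by the inside interface, so apply the same kind of access-list there if those servers must stay off the Internet from either address.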