ASA 5515X Design

 

Introduction

This document describes the issue a user faced while deploying a new ASA 5515-X in an existing network with two WAN links, and how the required per-server WAN selection can be achieved with NAT rules.

Prerequisites

ASA 5515-X

Three configured VLANs

ADSL connection

Leased-line connection

Problem

The user described the following network setup; he is about to deploy the ASA 5515-X in it.

The user has three different local networks and two WAN connections.

 

LAN1 -- 10.1.1.0/24 -- local users
LAN2 -- 10.1.2.0/24 -- servers
LAN3 -- 10.1.3.0/24 -- guest Internet
WAN1 -- ADSL line with dynamic IP (Internet for the local users and guests)
WAN2 -- leased line with static IP (for email and web applications)

 

  • The user wants all Internet traffic from local users and guests to leave through the ADSL line.
  • The servers' (email and application) outbound Internet traffic should also use ADSL, but inbound port forwarding for the email and web applications must come in through the leased line, and the email server's own outbound Internet traffic must also use the leased line.
  • The user knows that by default an ASA 5500 cannot add two default routes, and asks whether this has changed in the 5515-X, or whether the requirement can otherwise be met with the nat and global commands.
  • The server and local-user networks must be able to talk to each other; since there is no other L3 device, the ASA itself has to permit traffic between the zones.

Scenario 2:

I configure using ASDM. I need to assign a different certificate to my inside interface.
Can I do this without changing the certificate on the outside interface?

If so, please tell me how this is done. My attempts so far have led to the certificate on the outside interface also being changed.

Configuration

 

ASA Version 9.1(1)
!
hostname ALAIN-FW
enable password ZYx9xaV1.cM.IUcY encrypted
passwd M5Z8qN9wxh2rt.Wo encrypted
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 192.168.45.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif LL
 security-level 0
 ip address X.X.X.X 255.255.255.252
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.213 255.255.255.0
!
interface GigabitEthernet0/3
 nameif Server
 security-level 100
 ip address 10.25.31.1 255.255.255.224
!
interface GigabitEthernet0/4
 nameif dmz
 security-level 100
 ip address 172.16.0.1 255.255.255.240
!
interface GigabitEthernet0/5
 nameif Guest
 security-level 10
 ip address 192.168.74.129 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface

object network LAN-NW
 subnet 10.10.10.0 255.255.255.0
object network Server_NW
 subnet 10.25.31.0 255.255.255.224
object network Guest_NW
 subnet 192.168.74.0 255.255.255.0
object network DMZ_NW
 subnet 172.16.0.0 255.255.255.240
object network Email_Srv
 host 10.25.31.16
object network Edge_Email
 host 172.16.0.2
object service Eamil-993
 service tcp source eq 993
object service Email-143
 service tcp source eq imap4
object service Email-465
 service tcp source eq 465
object service Email_443
 service tcp source eq https
object service Edge_25
 service tcp source eq smtp
object service Edge_80
 service tcp source eq www
object network Email-Pub
 host 83.111.102.180
object network All
 subnet 0.0.0.0 0.0.0.0
object service Email-443
 service tcp source eq https
object-group service Email_Service_Srv
 service-object object Email-143
 service-object object Eamil-993
 service-object object Email-465
 service-object object Email_443
object-group service Edge_Email_DMZ
 service-object object Edge_25
 service-object object Edge_80
access-list DMZ-In extended permit ip 172.16.0.0 255.255.255.240 10.25.31.0 255.255.255.224
access-list DMZ-In extended permit ip 172.16.0.0 255.255.255.240 10.10.10.0 255.255.255.0
access-list DMZ-In extended permit ip host 172.16.0.2 any log
access-list LL-Server extended permit tcp any object Email_Srv eq 993
access-list LL-Server extended permit tcp any object Email_Srv eq 465
access-list LL-Server extended permit tcp any object Email_Srv eq https
access-list LL-Server extended permit tcp any object Edge_Email eq smtp log errors
access-list LL-Server extended permit tcp any object Email_Srv eq imap4
access-list LL-Server extended permit tcp any object Edge_Email eq www
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu LL 1500
mtu inside 1500
mtu Server 1500
mtu dmz 1500
mtu Guest 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Server,LL) source static Email_Srv Email-Pub service Email_443 Email_443
nat (Server,LL) source static Email_Srv Email-Pub service Email-143 Email-143
nat (Server,LL) source static Email_Srv Email-Pub service Email-465 Email-465
nat (Server,LL) source static Email_Srv Email-Pub service Eamil-993 Eamil-993
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_25 Edge_25
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_80 Edge_80
nat (Server,any) source static Email_Srv Email-Pub
nat (dmz,any) source static Edge_Email Email-Pub
!
object network LAN-NW
 nat (inside,Outside) dynamic interface dns
object network Guest_NW
 nat (Guest,Outside) dynamic interface dns
!
nat (dmz,Outside) after-auto source dynamic DMZ_NW interface
nat (Server,Outside) after-auto source dynamic Server_NW interface dns
access-group LL-Server in interface LL
route Outside 0.0.0.0 0.0.0.0 192.168.45.1 1
route LL 0.0.0.0 0.0.0.0 Y.Y.Y.Y 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 inside
http 10.25.31.0 255.255.255.224 Server
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.25.31.0 255.255.255.224 Server
telnet timeout 5
ssh X.X.X.X 255.255.255.255 LL
ssh X.X.X.X 255.255.255.255 LL
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.74.21-192.168.74.125 Guest
dhcpd dns X.X.X.X X.X.X.X interface Guest
dhcpd lease 14400 interface Guest
dhcpd enable Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ****** password ******************** encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:61d21cd299674d078a2f81b6aa88855d
: end
ALAIN-FW#

Solution

Explanation

The "global" and "nat" configurations you mention above don't exist anymore on the newer ASA firewalls and newer software levels. The NAT configuration format and operation were totally overhauled in the 8.3 software, and the minimum software level for your new ASA5500-X Series unit is 8.6(1).

Here are some basic configurations which I assume you would need. Most of them are very basic, but when we are talking about manipulating the WAN interface chosen for some hosts, then we need somewhat unusual NAT configurations.

 

 

interface GigabitEthernet0/0
 description ADSL
 nameif ADSL
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 description LEASED
 nameif LEASED
 security-level 0
 ip address 1.1.1.2 255.255.255.248
!
route LEASED 0.0.0.0 0.0.0.0 1.1.1.1 254
!
interface GigabitEthernet0/2
 description LOCAL USERS
 nameif LAN
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 description SERVERS
 nameif SERVERS
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/4
 description GUEST
 nameif GUEST
 security-level 10
 ip address 10.1.3.1 255.255.255.0
!
object network LAN
 subnet 10.1.1.0 255.255.255.0
object network SERVERS
 subnet 10.1.2.0 255.255.255.0
object network GUEST
 subnet 10.1.3.0 255.255.255.0
object network MAIL-SERVER
 host 10.1.2.100
object service SMTP-IN
 service tcp source eq 25
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
!
! Section 1: manual NAT (evaluated first, in configuration order)
nat (LAN,SERVERS) source static LAN LAN destination static SERVERS SERVERS
nat (SERVERS,LEASED) source static MAIL-SERVER interface service SMTP-IN SMTP-IN
nat (SERVERS,LEASED) source dynamic MAIL-SERVER interface destination static ALL ALL
!
! Section 2: auto (object) NAT, none used here
!
! Section 3: manual NAT after auto NAT (evaluated last)
nat (LAN,ADSL) after-auto source dynamic LAN interface
nat (SERVERS,ADSL) after-auto source dynamic SERVERS interface
nat (GUEST,ADSL) after-auto source dynamic GUEST interface

 

The idea with the above configurations is that we

  • Create interfaces for all the networks (you mentioned you don't have any additional routers in the network), though you could naturally also configure a trunk to some switch you may have, to save on physical interfaces.
  • Create the "object network" and "object service" objects that we are going to use in the NAT configurations.
  • Create the actual NAT configurations.

I would imagine it's a bit hard to explain why the above NAT configurations look like that, so it is probably best to go through them in order from top to bottom (the order in which the ASA processes them) to try to clear things up. Again I have to note that this is not a tested configuration.

nat (LAN,SERVERS) source static LAN LAN destination static SERVERS SERVERS

The above configuration is inserted first to make sure that local traffic between the LAN and SERVERS networks works and won't be affected by the later NAT rules.

nat (SERVERS,LEASED) source static MAIL-SERVER interface service SMTP-IN SMTP-IN

The above configuration is inserted next to configure Static PAT (Port Forward) so that the MAIL-SERVER can be contacted through the LEASED connection. Again, the ordering of the NAT rule like this is key so that the following rule doesn't interfere with its operation.

nat (SERVERS,LEASED) source dynamic MAIL-SERVER interface destination static ALL ALL

The above configuration is probably the most unusual one. It essentially specifies that the MAIL-SERVER should be Dynamic PATed to the LEASED interface IP address when its destination is ANY IP address. This will essentially mean that the traffic from the MAIL-SERVER is forwarded out through the LEASED interface (EXCEPT for the traffic between the LAN and SERVERS interfaces mentioned first).

nat (LAN,ADSL) after-auto source dynamic LAN interface

nat (SERVERS,ADSL) after-auto source dynamic SERVERS interface

nat (GUEST,ADSL) after-auto source dynamic GUEST interface

The above configurations are just normal Dynamic PAT configurations for all the local networks, and they use the ADSL interface. There is no default route in the above configurations for the ADSL interface because the interface is configured to get the default route automatically through DHCP with the "setroute" parameter.

Naturally you will have to take into account that the above configurations only enable one server to use the LEASED interface and only forward a single service through the LEASED interface. So judging from your original post you would probably need Static PAT (Port Forward) configurations for other services, and even other servers. You might also need NAT configurations that forward other servers' traffic through only the LEASED interface.

It seems though that one problem might have been with the "Edge_Email" server. This is because you seem to use the same public IP address for servers behind two different interfaces, and you had those special Dynamic PAT configurations I suggested in between the Static PAT (Port Forward) configurations. That Dynamic PAT configuration might have stopped a couple of the last Static PAT configurations from working.

If I had to guess, on the basis of the attached configuration, what the problem was, then I would have to guess that it was the following:

 

! ALL is the 0.0.0.0/1 + 128.0.0.0/1 object-group from the generic example above
object network ANY-0.0.0.0-1
 subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
 subnet 128.0.0.0 128.0.0.0
object-group network ALL
 network-object object ANY-0.0.0.0-1
 network-object object ANY-128.0.0.0-1
!
nat (inside,Server) source static LAN-NW LAN-NW destination static Server_NW Server_NW
nat (dmz,Server) source static DMZ_NW DMZ_NW destination static Server_NW Server_NW
nat (Server,LL) source static Email_Srv Email-Pub service Email_443 Email_443
nat (Server,LL) source static Email_Srv Email-Pub service Email-143 Email-143
nat (Server,LL) source static Email_Srv Email-Pub service Email-465 Email-465
nat (Server,LL) source static Email_Srv Email-Pub service Eamil-993 Eamil-993
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_25 Edge_25
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_80 Edge_80
nat (dmz,LL) source dynamic Edge_Email Email-Pub destination static ALL ALL
nat (Server,LL) source dynamic Email_Srv Email-Pub destination static ALL ALL
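The rule walk described above (Section 1 first, then Section 2, then Section 3, first match wins, and the matching manual NAT rule choosing the egress interface) is easy to get wrong by hand, so here is a small Python model of it. This is an added example, not code from the original discussion or from Cisco: it encodes the generic LAN/SERVERS/LEASED/ADSL design from the answer above and walks the flows a practitioner would check. Assumed, not from the page: the ADSL interface's DHCP-assigned address 192.0.2.10 and the Internet host 203.0.113.9 (both documentation ranges), the simplification that every rule's destination is identity, and the modelled fallback that a mapped interface of "any" (the shape of the original `nat (Server,any) source static Email_Srv Email-Pub` rule) resolves egress through the routing table, which on this design is the ADSL default route.

```python
"""Added example: a toy model of how an ASA 8.3+ NAT table is walked.

Model assumptions (simplified from real ASA behaviour):
  * Section 1 (manual NAT), then Section 2 (auto NAT), then Section 3
    (after-auto manual NAT); within a section, configuration order.
  * The first matching rule wins.
  * Static rules are bidirectional; dynamic rules match only real -> mapped.
  * A manual NAT rule with a concrete mapped interface forces that egress;
    a mapped interface of "any" (or no matching rule) uses the routing table.
  * Every rule's destination is identity (true of all rules on the page).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed: the address the "interface" keyword resolves to on each WAN link.
# 1.1.1.2 is LEASED from the example config; the ADSL lease is an assumed value.
IF_ADDR = {"LEASED": "1.1.1.2", "ADSL": "192.0.2.10"}
ROUTING_DEFAULT = "ADSL"   # "ip address dhcp setroute" installs the default route here


@dataclass(frozen=True)
class Rule:
    name: str
    section: int           # 1 = manual, 2 = auto (object) NAT, 3 = after-auto manual
    real_if: str
    mapped_if: str         # "any" = let the routing table pick egress
    src: str               # real source: CIDR or host
    mapped_src: str        # mapped source: CIDR, host, or "interface"
    dst: str = "0.0.0.0/0"
    port: Optional[int] = None   # real-side TCP port for static PAT; None = all ports
    static: bool = True


@dataclass(frozen=True)
class Flow:
    ingress: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _in(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)


def _resolve(mapped: str, iface: str) -> str:
    # "interface" on a non-WAN interface never matches (255.255.255.255/32).
    return IF_ADDR.get(iface, "255.255.255.255") if mapped == "interface" else mapped


def lookup(rules, flow: Flow):
    """Walk the table in ASA order; return (rule name, new src, new dst, egress)."""
    for r in sorted(rules, key=lambda x: x.section):   # stable sort keeps config order
        # Real -> mapped direction.
        if (r.real_if in ("any", flow.ingress) and _in(flow.src, r.src)
                and _in(flow.dst, r.dst) and (r.port is None or flow.sport == r.port)):
            egress = r.mapped_if if r.mapped_if != "any" else ROUTING_DEFAULT
            new_src = flow.src if r.mapped_src == r.src else _resolve(r.mapped_src, egress)
            return r.name, new_src, flow.dst, egress
        # Mapped -> real direction: static rules only, dynamic PAT has no reverse.
        if (r.static and r.mapped_if in ("any", flow.ingress) and _in(flow.src, r.dst)
                and _in(flow.dst, _resolve(r.mapped_src, flow.ingress))
                and (r.port is None or flow.dport == r.port)):
            new_dst = flow.dst if r.mapped_src == r.src else r.src  # identity NAT: unchanged
            return r.name, flow.src, new_dst, r.real_if
    return None, flow.src, flow.dst, ROUTING_DEFAULT


# The table from the answer: three Section 1 rules, no auto NAT, three after-auto rules.
JOUNI = [
    Rule("LAN<->SERVERS identity", 1, "LAN", "SERVERS", "10.1.1.0/24", "10.1.1.0/24", dst="10.1.2.0/24"),
    Rule("SMTP static PAT", 1, "SERVERS", "LEASED", "10.1.2.100", "interface", port=25),
    Rule("MAIL-SERVER -> LEASED", 1, "SERVERS", "LEASED", "10.1.2.100", "interface", static=False),
    Rule("LAN -> ADSL", 3, "LAN", "ADSL", "10.1.1.0/24", "interface", static=False),
    Rule("SERVERS -> ADSL", 3, "SERVERS", "ADSL", "10.1.2.0/24", "interface", static=False),
    Rule("GUEST -> ADSL", 3, "GUEST", "ADSL", "10.1.3.0/24", "interface", static=False),
]

# The mail-server rule written with mapped interface "any", the shape of the
# original "nat (Server,any) source static Email_Srv Email-Pub": egress is then
# taken from the routing table, so the leased-line address leaves via ADSL.
ANY_EGRESS = JOUNI[:2] + [Rule("MAIL-SERVER -> any", 1, "SERVERS", "any", "10.1.2.100", "1.1.1.2")] + JOUNI[3:]

INTERNET = "203.0.113.9"   # constructed Internet host (TEST-NET-3)
FLOWS = {
    "lan->server":      Flow("LAN", "10.1.1.50", "10.1.2.100", 40000, 443),
    "mail->lan":        Flow("SERVERS", "10.1.2.100", "10.1.1.50", 25, 52000),
    "mail->internet":   Flow("SERVERS", "10.1.2.100", INTERNET, 51000, 25),
    "server->internet": Flow("SERVERS", "10.1.2.50", INTERNET, 44000, 80),
    "lan->internet":    Flow("LAN", "10.1.1.50", INTERNET, 45000, 443),
    "inbound smtp":     Flow("LEASED", INTERNET, "1.1.1.2", 40000, 25),
    "inbound https":    Flow("LEASED", INTERNET, "1.1.1.2", 40000, 443),
}


def demo(rules=JOUNI):
    """Evaluate every sample flow; returns {label: (rule, new src, new dst, egress)}."""
    return {label: lookup(rules, flow) for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, (rule, src, dst, egress) in demo().items():
        print(f"{label:18} rule={rule!s:24} {src} -> {dst} via {egress}")
    print("mail->internet with mapped interface 'any':", demo(ANY_EGRESS)["mail->internet"])
```

Running it prints one line per flow. The identity rule placed first keeps MAIL-SERVER to LAN traffic on the LAN interface even though a later rule sends everything else from that host to LEASED (note the "mail->lan" flow has source port 25, so without the identity rule it would hit the SMTP static PAT and be pushed out LEASED); the inbound HTTPS flow matches no rule at all, which is the point made above that only the single port-forwarded service is reachable through LEASED. The model ignores ACLs, the connection table and auto NAT details; it is for checking rule order on paper, not a substitute for `show nat` and `packet-tracer` on the box.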

 

Scenario 2

Go to Configuration > Device Management > Advanced > SSL Settings. There you should be able to choose the inside interface and associate a separate certificate with that interface only.

You will need to have created (or imported from a CA) the new identity certificate already (Configuration > Device Management > Identity Certificates > Add).

Source Discussion

This document was generated from the following discussion: ASA 5515X Design

https://supportforums.cisco.com/discussion/12188446/cisco-asa-individual-certificate-each-interface-possible

Version history: revision 2 of 2, last updated 08-29-2017 03:33 AM.
Comments

Hi,

I am slightly interested to know why Cisco has created a document by basically copy/pasting my replies to a poster on the Firewall discussion section of the CSC (even though the discussion has been linked at the bottom).

I would expect that if you create a document you explain it in your own words, even if you use a previous discussion as an example, and not directly copy/paste something that I have written.

The document also contains public IP addresses, which I wouldn't consider good practice to include in this document.

- Jouni


Thanks Jouni, I will edit the required part.

Regards,

Anim Saxena