We are wanting to set up on old asa5510 we have to provide user VPN connectivity to our network. Currently we are connecting via VPN through our ISP's managed firewall but it doesn't work very well. So we want to try to provide it ourselves. The 5510 will not be used as a firewall, and will not be placed between a router and the internet. We want to plug it into our switch, give it an internal IP only, then use an external IP and nat forwarding from our ISP to that IP. I've started to build it but can't get any connectivity to it at all other than setting a static IP on a laptop plugged directly into it with the mgmt subnet, or via console cable. I'm no wiz at cisco configs so I definitely need some help on this. It's out of warranty so tac isn't an option. Any help would be appreciated.
First off I am wondering what your actual network edge setup is like. I gather that you have a separate firewall device on the edge but does it perhaps have a small public subnet configured on it external interface or does it perhaps only have a small /30 subnet to act as link network to the ISP?
If you have a /29 subnet or bigger you could perhaps consider attaching the WAN link of the WAN ASA directly to the ISP device (if that is even possible) and assigning a free public IP address from the same public subnet that the Firewall is attached to. This way you wouldnt need to do any NAT for the actual device.
Again all of the above depends on how your actual setup is.
With regards to the problem with management connections here are some reasons
Your "http" and "telnet" statements are wrong to use "0.0.0.0 255.255.255.255". It should be "0.0.0.0 0.0.0.0" if you want to allow everything. Though the "telnet" is not something you should use and it wont even work on an interface with "security-level 0" unless you are accessing it through VPN.
http 0.0.0.0 0.0.0.0 outside
If you want to manage it from behind "outside" though I would consider limiting the source IP address
Same for SSH if needed
ssh version 2
ssh 0.0.0.0 0.0.0.0 outside
crypto key generate rsa modulus 1024
Again I would limit the source address if possible
We are a 14 office company set up on an MPLS network through Level3. The firewall is controlled by a 3rd party vendor they use and I believe is located in LA, so definitely not a possibility to connect the asa to that.
Well its a pretty common setup where I work. We manage hundreds of customer firewalls that are located in our Datacenter and our MPLS network is used to connect the various customer locations to the customer firewall. We usually have separate firewall hardware to do the VPN for the customer.
Have you considered the option to setup this VPN device at the ISP premises? I gather at the moment you will be trying to add it at one of the offices? I am not sure if its an option to have it installed at the ISP location where the firewall probalby is. I do think though that you will still need help from the ISP with regards to routing if you want the VPN users to reach the other offices through this device located at one office.
So was your main problem at the moment establishing the management connection to the ASA? Or was the problem setting up the ASA at the office to be reachable from the public network or was the problem configuring the actual VPN on it?
Right now i'm just trying to get it reachable on the network so I can start working on the VPN stuff. I can't figure out why it's not. I get a "no route to host 10.2.50.1" when i'm trying to ping the gateway or anything past that. I know there's no static route entry in the config, just not sure if that's needed when there's no inside & outside interfaces. since right now it's just the 'outside' interface that's up.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :