topic Re: Cisco ASA 5510 config with SSM in Network Security

Cisco ASA 5510 config with SSM

kmacdonald — Mon, 11 Mar 2019 17:45:22 GMT

I've been tasked to replace our old sonicwall tz170 firewall with an ASA 5510 and configure it (which I've never done, only routers and switches) and I have a few questions. I'm inside the ASDM and I'm trying to setup my outside interface... The 5510 came with an SSM card, and I assumed this would be my outside interface, but I'm guessing I'm wrong since it isn't an option when running through the wizard. I know what the SSM card is for, I just don't understand why it isn't an outside interface. Where does this connect (just to my LAN??)?

Currently I set up the management interface to our ip and subnet and am connected through that. I see the management interface and eth0 - eth 3.

This is as simple as it can get, I just need the outside interface to be our public ip, setup the access rules to match my sonicwall.

Also on the version, its running ASA 8.2.1. Should I upgrade to 8.3.1? What is the ED after the version (not familiar with it).

Thanks!

Re: Cisco ASA 5510 config with SSM

Kelvin Willacey — Thu, 13 May 2010 17:57:24 GMT

Hi,

The SSM is not an outside interface and how it works depends on the type of module it is. Is it a CSC-SSM or an AIP-SSM? The configuration differs some what when using these modules but it's almost the same and yes it will connect to your LAN. Your outside interface should be one of the ports you select and like wise for the inside interface. Typically though the outside interface is Ethernet0/0. The following link may help with a basic setup.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml

You can upgrade to the latest version if you so desire but you may require a memory upgrade so I would stick with 8.2, see link below.

http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-586414.html

The ED means early deployment by the way.

Re: Cisco ASA 5510 config with SSM

kmacdonald — Thu, 13 May 2010 18:08:01 GMT

It is a CSC SSM. Not sure the difference but that is what it is.

Thank you! I'll configure the eth0 as my outside int. I'll keep you updated!

Re: Cisco ASA 5510 config with SSM

Kelvin Willacey — Thu, 13 May 2010 18:29:00 GMT

The CSC-SSM is for content filtering smtp, ftp, http, the AIP-SSM is for Intrusion Prevention. So with the module you have you will be able to block websites, block downloads have time of day restrictions and all that stuff.

Re: Cisco ASA 5510 config with SSM

kmacdonald — Thu, 13 May 2010 20:51:02 GMT

Yea I ordered all those features. It makes sense now. I'm having an issue with subnetting (I admit I dont know as much about it as I should).

My management interface has a static ip and is on the same subnet as my network (255.255.255.0) so I can hit the http server. My eth0 is my outside interface. I'm trying to make eth1 my inside interface and have it on the same subnet as everyone else (including my management interface) but it doesn't like it. It tells me that it can't overlap with the management interface subnet.

!
interface Management0/0
nameif management
security-level 100
ip address 192.168.200.4 255.255.255.0
management-only
!

!
interface Ethernet0/0
description Outside Interface
shutdown
nameif outside
security-level 0
ip address xx.xxx.xx.xxx 255.255.255.248
!

I would really like my eth1 int on the same subnet as management since my because my entire network is on the 255.255.255.0 subnet. Here's what I woudl LIKE to do with Eth1 but it errors out:

!
interface Ethernet0/1
description Inside LAN Interface
shutdown
nameif inside

security-level 100
ip address 192.168.200.4 255.255.255.0

How can I make this work? Thank you!

Re: Cisco ASA 5510 config with SSM

Kelvin Willacey — Thu, 13 May 2010 20:59:39 GMT

Hey that's right you can't have two interfaces on the same device in the same network, worst of all with the same IP address. If you don't need out of band mangement which is what that management interface provides for I would suggest shutting down the port and removing the IP address so that it can be used on the inside interface and you will still be able to manage the device from this interface, with the following commands

telnet 192.168.200.0 255.255.255.0 inside

http 192.168.200.0 255.255.255.0 inside

ssh 192.168.200.0 255.255.255.0 inside

You can also configure a different network on the management interface all together if you still need the out of band management. Example

interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only

telnet 192.168.2.0 255.255.255.0 management

http 192.168.2.0 255.255.255.0 management

ssh 192.168.2.0 255.255.255.0 management

Let me know if that helps.

Re: Cisco ASA 5510 config with SSM

kmacdonald — Thu, 13 May 2010 21:03:41 GMT

Sorry I was incorrect about the ip addresses, I want my management on 192.168.200.4 and my eth1 on 192.168.200.2 and have them on the same subnet. Thats what I'm having problems with.

Re: Cisco ASA 5510 config with SSM

kmacdonald — Thu, 13 May 2010 21:04:50 GMT

reading again, I'll do exactly that. I'll do out of band management on the management port and manage from the eth0.

Re: Cisco ASA 5510 config with SSM

kmacdonald — Thu, 13 May 2010 22:11:07 GMT

Yay I got the interfaces setup:

!
interface Ethernet0/0
description Outside WAN Interface
shutdown
nameif outside
security-level 0
ip address xx.xxx.xx.xx 255.255.255.248
!
interface Ethernet0/1
description Inside LAN interface
nameif inside
security-level 100
ip address 192.168.200.2 255.255.255.0
!

My ASA also setup these access rules automatically, are they ok? Screen

Now in my old firewall (Sonicwall), it has route policies that were auto added. Screen I'm assuming I setup the ASA the same way vertabum right?

Also in my sonicwall, it used address objects to map aliases to hosts and IP's, Screen. This would also be wise to do right?

The sonicall also has NAT Policies (SCREEN) and ACCESS RULES (SCREEN). To me, these are exactly the same. Or are the NAT policies the actual rule, and the access rule tell whether to ALLOW OR DENY the nat policy?

Sorry for all the questions, I just want to make sure this is done right. THANKS!!

Re: Cisco ASA 5510 config with SSM

Kelvin Willacey — Fri, 14 May 2010 16:31:58 GMT

Those rules on the ASA are default rules, it is saying anything initiated from the inside is allowed out but nothing initiated from the outside is allowed in. Sorry but I am not familiar with SonicWall at all to give you any tips on the rules you will need to setup. However if all you have is an outside and inside interface then you will need a nat.pat to ensure that internal addresses can get out and access list to restrict those internal networks if needed. If you have inbound traffic ie to mail, web server etc then you will again a nat and a access list to allow the traffic in.

The attached document (you can ignore the router configs) should hopefully give you a better idea of how inbound traffic works and how to apply access lists to interface.

Let me know if this helps.

Re: Cisco ASA 5510 config with SSM

kmacdonald — Fri, 14 May 2010 21:09:10 GMT

Ok that helps immensly.

All we have is an outside and inside, so a nat 2 pat is required (once I figure it out ).

We do have incoming traffic that I need to route (webserver, mailserver, etc..). I've already created all my network objects and service groups.

I'm stuck now on routes. The sonicwall (sorry I know you don't work with them) created some routes automatically. My ASA currently has no routes. Should I create the routes in the Sonicwall in the ASA? Here's a screen of the routes automatically created by sonicwall device screen

Re: Cisco ASA 5510 config with SSM

Kelvin Willacey — Fri, 14 May 2010 21:29:36 GMT

Yes, you will need to create the routes.

For instance to get to the Internet you will need: route outside 0.0.0.0 0.0.0.0 1.1.1.1 (internet gateway)

Also if you have a L3 switch on the LAN that provides for multiple networks then you will need routes on the ASA to get to those internal networks

route inside 172.18.10.0 255.255.255.0 172.17.10.1

route inside 172.19.10.0 255.255.255.0 172.17.10.1 and so on and so on.

I am not a fan of ASDM if that's what you are using so I can't really help there but I believe you will select the interface the traffic will be routed out, add the destination network and then the next hop address.

For natting you can pat, or use a pool or static nat, but just for browsing you can do the following:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 (this allows all networks to be natted as long as a route exists)

The document should help with the inbound traffic and the natting for the Internet as well. You can always post your config if you need anymore help.

Re: Cisco ASA 5510 config with SSM

kmacdonald — Fri, 14 May 2010 21:31:56 GMT

I'll be having fun this weekend! I just configured my pat and my route to my gateway. I'm working on the

rest now. Thank you so much! If I have issues I'll post my config.

Re: Cisco ASA 5510 config with SSM

kmacdonald — Sun, 23 May 2010 16:10:18 GMT

Ok I got the firewall up and running, internet traffic works great. Problem is I'm having an issue with my NATs I

think. I setup access rules for my servers inside my network. For example I have an access list that allows any outside traffic coming in on mail ports to forward to my mail server, however its not working. I ran a packet trace and it gets blocked by the final entry of my nat list:

nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (WAN-Primary-IP [Interface PAT])

Not sure why though. It seems all my access lists get blocked by this final nat entry. Any idea why? Thank you!

Re: Cisco ASA 5510 config with SSM

Kelvin Willacey — Sun, 23 May 2010 16:21:02 GMT

Can you post your config?

Re: Cisco ASA 5510 config with SSM

kmacdonald — Sun, 23 May 2010 18:45:55 GMT

I got it fixed! I had the nat for it going (inside,inside) instead of (inside,outside).

I do have another quick question about the SSM card though. Does the port have to be on the network for it to work? I know to manage it I have to connect to it and give it an IP address, but does it have to be on the network in order to filter, scan, etc.. ?

Thank you for everything!

Re: Cisco ASA 5510 config with SSM

Kelvin Willacey — Sun, 23 May 2010 19:01:57 GMT

I'm glad you got it working.

You do need it to connect to the network for management purposes as it is managed through asdm and asdm will need to be able to reach the IP address assigned to the CSC's management port and also to ensure that it can connect to the Internet to pull real time updates.