Pre-sale question regarding ASA 5520

gareth_r52
Level 1

We are looking to deploy an ASA 5520, but I need to know if it is possible for it to work in this environment.

We have colo space, with two IP ranges. They provide two network drops, one from each switch connected to different routers. One of the ranges has 4 usable IPs for management purposes. This address range will be used only for remote access to the ASA and VPN into the management VLAN. The management VLAN will have all internal devices such as the switches, etc. The second range is for the servers, which will be assigned directly to the hosts, and the ASA will need to act as just a firewall. I can do this on IOS, but not sure about the ASA.

I need to answer the following questions:

  1. Does the ASA support dual network drops, and would this be a failover port configuration in order for it to work?
  2. A management VLAN with outbound internet access only, and VPN/RA capability. NAT will need to be used I'm guessing.
  3. Can we have a DMZ VLAN which has defined ports, say 80, 443 and 25 inbound and outbound. I need the hosts to have the public IP assigned to them with no NAT configuration.

I know there are some advantages to using NAT, but I really can't use it because the applications behind prefer public IPs being assigned to them.

Any ideas on if this can be done would be good. I just don't want to purchase an ASA without checking the above is fully possible.


Jon Marshall
Hall of Fame

Gareth

1) Depends what you mean. You can certainly have 2 interfaces connected to separate connections eg. outside1 and outside2. They would need to have addressing from separate subnets though.

What you cannot do as far as I know is have multiple default-routes pointing out of different interfaces. The ASA does not support this. You can have multiple default-routes if they point out of the same interface.

In addition the ASA does not support PBR (Policy Based Routing), so you cannot send some traffic out of one interface and some out of another based on source IP.

So what does all that mean? It means if you wanted to use one interface for general inbound and outbound internet traffic you could point the default-route out of that interface. If you then wanted to send some specific traffic out of the other interface you would need to know the destination IPs so you could enter more specific routes ie.

route outside1 0.0.0.0 0.0.0.0    would take care of all internet IPs ie. generally unknown IPs

route outside2 172.16.5.0 255.255.255.0

the above would work and it would mean that any traffic for 172.16.5.0/24 was sent via outside2 - these could be your VPN clients for example. 

If you had a pair of ASAs you could also consider running 2 contexts (virtual firewalls). Each virtual firewall has its own routing table so you could then have a default-route for one context different from the default-route for the other context.

Having said all that, I still wouldn't want to say for sure it meets your requirements because they are a little bit vague. Perhaps some more details?

2) Again not completely sure what you are asking. If you simply mean a management vlan internally on all your switches then yes, because the ASA doesn't know what kind of vlan it is; it is simply a subnet as far as the ASA is concerned. And you could lock down the RA VPN to just that vlan if that is what you want.

3) Yes, you can have a DMZ and you can use public IPs on the actual machines. Bear in mind though that if you have been allocated a /28 for example eg. 195.77.10.0/28 then you cannot assign the outside1 or outside2 from this subnet and then also use the same subnet on the DMZ. Each interface on the ASA would need a separate subnet.

So if you had 195.77.10.0/28 purely for a DMZ then yes you can assign the DMZ interface on the ASA one of these addresses and use the rest for assigning to physical servers. As long as that subnet is routed to one of your outside interfaces (presumably outside1 in this scenario) it will work fine.

You would need to do a nat exemption for these addresses.

Jon

Thank you for your response. Appreciate your assistance.

The two network drops will just be connected to the same backbone network, effectively via different network routes. If one were to fail it would automatically use the other connection. Is this okay? The two network drops are perceived as one connection from my side, both having the same gateway (which is provided by the colo provider).

I have two ranges, one for the ASA which would be NAT'd and used for management, etc and one for the DMZ (dedicated to that purpose).

To break it down this is what the scope of the implementation is:

  1. VLANS/Virtual Interfaces:   DMZ (1GbE connection to switch VLAN10), Outside (2 GigE connections to backbone), Inside (1GbE connection to switch VLAN20).
  2. DMZ network will be assigned say a /26 and the hosts themselves will be firewalled but have direct IP assignments of the public IP addresses. The ASA will become the gateway for those devices.
  3. Inside network is our internal LAN for management of KVM over IP and switches, etc. It will require VPN access on one of the IP addresses and ASDM management. This has a separate external IP range which is a /29. This network holds the default gateway for both subnets including the /26.


Not sure if that helps?

So for example GbE 0 - 1 will be outside connections, 1 being the failover one. They will both be connected directly to the same backbone network onto different switches connected to a pair of failover Cisco routers (this is all done by the colo) and assigned on the /29 subnet. The /28 is routed through this too IIRC.


Gareth

If I understand correctly you want to assign the 2 connections addresses from the same IP subnet? This won't work on the ASA, or at least it won't if the ASA is running in single context mode.

It wouldn't work on a Cisco router either unless you bridged the 2 interfaces together so it's not just the ASA.

Is this what you want to do?

Jon

This is exactly the problem. The colo is using HSRP and provides the two Ethernet cables connected to their network.

Ideally I'd like to use this with a single ASA. The colo suggested to take them into the switch on a port based VLAN and then from there take a single cable back out into the WAN port on the ASA. Would this be a way of doing that?

I have not tried it with IOS, but I expect they are similar too.

Gareth

If you only want to use one ASA then the suggestion above is pretty much the only way to do it.

So there would be a common vlan eg. vlan 10 between the 2 WAN routers and the ASA. The LAN interfaces of the routers and the ASA outside interface would all be in vlan 10 and there would be a L2 switch to which the router LAN interfaces and the ASA outside interface connect.

You do have a single point of failure with the switch but then as you have only one ASA you have a single point of failure there as well.

Jon

Gareth

Just to clarify.

If you had a pair of ASA firewalls and you ran them in active/standby (active/active does not support VPNs) with 2 contexts (virtual firewalls) you could share the same IP subnet on each context's outside interface.

So you would have an outside interface for each context and these outside interfaces could use addresses from the same IP subnet (though not the actual same address obviously).

Jon

Okay, I understand now. Yes the switch is a failure point but then designing networks for no SPOF is not exactly cost effective for small environments.

With regards to the DMZ, is there any issue with having the DMZ and can you give any tips/pointers on how to configure that? Is it something that can be done with ASDM?

The DMZ must be a true firewall, no NAT involved at all. I'm not sure if it will work as we had problems getting this to work on the IOS device.

I am an IOS guy really; the ASAs have always been a grey area for me.

Gareth

There shouldn't be an issue with the DMZ and NAT because you can disable it for those addresses eg.

DMZ address - 195.10.77.0 255.255.255.248

access-list NONAT permit ip 195.10.77.0 255.255.255.248 any

nat (dmz) 0 access-list NONAT

the above actually tells the ASA not to run NAT on those addresses.

However if you couldn't get it to run on IOS i suspect it is not a NAT issue. I say this because with the ASA you have to do something with NAT whether that be -

1) present the same addressing to the outside as it actually is, eg.

static (dmz,outside) 195.10.77.0 195.10.77.0 netmask 255.255.255.248

but this makes NAT entries on the router

2) use nat exemption as above which tells the ASA not to NAT these addresses

3) turn off NAT altogether on the firewall but you may need NAT for VPNs as mentioned

With IOS there is no such requirement to do something with NAT ie. you only use NAT when you want to present one set of addresses as a different set of addresses. If you just want to use the same addressing there is nothing NAT related to do on a router. So it may well have been something else.

As for ASDM, I've never really got on with it. You can configure the firewall with ASDM but I prefer the CLI.

Jon
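A worked configuration that ties together the points from Jon's replies (one subnet per interface, a single default route out of outside, NAT exemption for the DMZ, NAT only for the management VLAN) with the port requirements from Gareth's first post. This is an added example, not the thread's own config; it assumes pre-8.3 ASA syntax like the commands above, and every address is a placeholder from the documentation ranges. The deny from the DMZ to the management VLAN is an addition beyond what the thread states.

```cisco
! Added example (not the thread's own config): pre-8.3 ASA syntax, as used above.
! All addresses are placeholders from the documentation ranges.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.240
 no shutdown
!
! One default route, towards the colo HSRP virtual address on the /29.
! The colo must route the /28 to 203.0.113.2 for the DMZ to be reachable.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! NAT exemption: DMZ hosts keep their real public addresses in both directions.
access-list NONAT extended permit ip 198.51.100.0 255.255.255.240 any
nat (dmz) 0 access-list NONAT
!
! Management VLAN: exempt inside-to-DMZ traffic, PAT everything else outbound.
access-list NONAT_INSIDE extended permit ip 192.168.20.0 255.255.255.0 198.51.100.0 255.255.255.240
nat (inside) 0 access-list NONAT_INSIDE
nat (inside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
!
! Only TCP 80, 443 and 25 reach the DMZ hosts from outside; the implicit deny
! at the end of the list drops everything else.
access-list OUTSIDE_IN extended permit tcp any 198.51.100.0 255.255.255.240 eq 80
access-list OUTSIDE_IN extended permit tcp any 198.51.100.0 255.255.255.240 eq 443
access-list OUTSIDE_IN extended permit tcp any 198.51.100.0 255.255.255.240 eq 25
access-group OUTSIDE_IN in interface outside
!
! DMZ hosts may not reach the management VLAN and may originate only the same
! three ports; replies to inbound connections are allowed by stateful inspection.
access-list DMZ_OUT extended deny ip 198.51.100.0 255.255.255.240 192.168.20.0 255.255.255.0
access-list DMZ_OUT extended permit tcp 198.51.100.0 255.255.255.240 any eq 80
access-list DMZ_OUT extended permit tcp 198.51.100.0 255.255.255.240 any eq 443
access-list DMZ_OUT extended permit tcp 198.51.100.0 255.255.255.240 any eq 25
access-group DMZ_OUT in interface dmz
```

After applying it, `show xlate` should list translations only for inside hosts, never for the /28, which is the quickest check that the exemption is in effect.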

On the IOS device we configured just a VLAN with the external DMZ /28 allocation and didn't assign a nat inside or nat outside command. This worked... the issue with IOS appeared to be routing between the /29 and /28, since the colo didn't do this so we had two default gateways!

I will give this a go anyway and see how we get on. Thank you very much for your assistance.

Gareth

No problem with the assistance.

Just to clarify on the IOS thing. As long as the colo route the /28 to the outside interface of your ASA (using a /29) you should be fine as far as that problem is concerned.

Jon

Gareth

Apologies for carrying this on but I just want to make sure the IOS issue won't be an issue on the ASA because I'm not sure how the IOS issue occurred.

On the ASA your outside interface will have an IP from the /29 subnet. The dmz interface will have an IP from the /28. Your servers in the dmz will have a default-gateway of the DMZ interface.

Your colo will route the /28 subnet traffic to the outside interface of your ASA which will then route it to the dmz.

As long as the above is what you expect to happen then it should work.

Jon

That's correct

If I remember correctly the IOS device talks to the colo routers through the /29 subnet which has the /28 routed to the /29 interface on the router on our side.

Just a quick one regarding that, is the DMZ a separate physical interface or is this a VLAN? You can probably do it both ways, am I right?

At the moment the IOS device just has a DMZ vlan with the /28 public IP assigned to it, the WAN connection has the /29 on the physical port config.

The ASA 5520 has 4x 1Gbps interfaces and 1 FE port. So seeing as you just need an inside/dmz/outside you can use physical interfaces.

You can use 802.1q subinterfaces on the physical interfaces if you need to, but you don't really have that requirement.

Still not sure why the IOS didn't work. It should be a simple matter of routing I would have thought. Like I say, as long as the /28 is routed to the /29 interface it should all work.

I only wanted to follow up on it because I don't want you to go off and purchase an ASA device only to hit the same problem.

Seems strange to me. Could it have been the actual firewall config itself, which I must admit I have never really got on with on IOS?

Jon

Yes it was the colo that made the mistake of creating two subnets but not routing the /28 to the /29 on our router. It got sorted in the end but wanted to check it's possible to do it on the ASA.

So am I right in thinking that I will have...

3 ports on the switch in VLAN 10 say, this VLAN is a public VLAN and will take the two network drops and send it to the 1 WAN port on the ASA (outside).

Then I would have 1 LAN port (inside) on the ASA with an internal IP range with NAT enabled, connected to VLAN 20 say... this would be 192.168.20.0/24 for example and contain all switches, KVM over IP and other devices for management.

I'd also like a separate VLAN30 for shared storage, backups, etc. Is that possible to add to this config? I expect it's not a good idea to allow this onto the management VLAN.

And VLAN 40 for DMZ for example, which would be a physical interface connecting to the switch?
