My question is multi-faceted. I apologize for the lengthy intro here, but I think the info is necessary to understand where I am headed with this.
I am new to the Cisco 5505. I have had very limited exposure to a 5510 that was preset. I have managed to make modifications to it here and there, but don't completely understand how it was put together. I learn by watching, listening, and gleaning what I can from others. I have had no formal training in CLI, but I have learned some of the commands. I know enough to be dangerous, but I respect my limitations.
That being said, I have been charged with setting up a 5505 at a remote site. I need to accomplish several things. Our ultimate goal is to use this device as a site to site with the 5510 at the corporate office. However, I need to accomplish this in baby steps, test, test real users and then maybe convert in full. Where I could outsource this in its entirety, that would preclude me from learning so I can address this in the future on my own.
We need to have this in place by the end of February 2013.
Currently the remote site is connected via a very slow (by today's standards) T1 line on an MPLS. Stable. Works, but slow. All internet traffic as well as work traffic is routed through that connection. We have added a 50mb cable connection (with static IPs) to the office. First we want to set up the 5505 so that it can be used as follows:
1. Internet traffic can be routed out through this device and all other "work" traffic routed through the MPLS.
2. Test using this connection as a route out to the internet AND use it as a site-to-site VPN connection to the home office (or AnyConnect VPN).
I need to be able to have users in both environments, i.e., some still using step 1 and some starting to use and test step 2.
3. Long term, use this as the main connection per number 2, but add the IP address so that if the cable connection drops, the office can access the internet via the VoIP T1 line as a lifeline.
In all cases, I don't want internet traffic going through the home office as it currently is.
I have done a lot of searching but so far have come up empty with answers.
Question 1: (This one probably shows my ignorance the worst.) In using the 5505 firewall, will it segregate normal internet traffic from the VPN traffic when used by the workstation? Using the GUI, I didn't see where this was necessarily happening. Do I need to use CLI language (and what) to make this happen? Or is that a basic function that happens during the setup of the firewall using the GUI? Do I need to do some sort of "split tunneling"?
Question 2: Do I use this device as the default gateway (for both step 1 and steps 2/3) for normal use and then change the gateway on the PCs to the VoIP network during emergency use? (That would bypass the firewall, though. Or is there a way to have it route to that router if there is no connection through the Outside port?) Or, as long as I have some access to the device, can I make a change remotely to help accomplish this failsafe?
Question 3: We have 25 AnyConnect VPN licenses. Should we use these and not the static site-to-site? If so, why or why not? They don't need to be used at all.
Question 4: In setting up the VoIP line for backup, would using that on the "DMZ" connection help in making this viable, so that the device could still ultimately control the internet traffic?
Question 5: In setting up the VPN connections, unless I am getting the two methods confused, I will need the 5505 to hand out IP addresses for the VPN connection. I see that in using a class C schema I can use 126.96.36.199 to 192.168.255.0. So, for instance, I could use 188.8.131.52 for the inside network VPN addresses? I need to stay away from 192.168.0.0 networks as we use those in our normal structure.
Reasons for setting this up:
Slow speeds over the T1.
Increasing demand for Skype, video conferencing, etc. that the T1 pipe couldn't adequately handle.
Lack of backup pathways for downed connections (i.e., a backhoe chopping through the wire at a construction site).
I read through the Getting Started guides on both the 5510 and the 5505 and feel I can likely get the site-to-site set up (I have a list of all the IP addresses I need for inside networks and outside networks, etc.).
I have to email AT&T any time I want a change made on the MPLS router, so doing as little to that as possible would be good.
I will be onsite for testing at the end of February and will have direct access to the home office via other methods to work on the ASA 5510 if any additional work needs to be done on it once I am onsite.
Thanks for taking the time to read through all of this. Please forgive my lack of knowledge...
All of the above is possible in the ASA.
1) You want to separate the Internet traffic and VPN traffic on the firewall. That is possible through the crypto ACL of the tunnel. Please mention the ACL and destination pool which you want to access through the site-to-site tunnel.
This option is available in Cisco ASDM also.
2) The route SLA concept is available in Cisco. If the primary default gateway fails in your case, it will automatically divert your traffic to the secondary default gateway.
3) Use AnyConnect. In this case you don't need to bother about the Cisco client and PCF file on the user machine; it will be automatically configured through the URL access.
4) That's your choice. You can use DMZ or OUTSIDE2; everything depends on the security level of the interface.
5) You can use any pool; that's up to you.
Do let me know if you have any query.
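The reply's point 2 (route SLA) and point 4 (a second outside interface) fit together in one configuration. The following is an added example of the 5505 side, not configuration posted in this thread. It assumes ASA 8.4+ syntax, that Comcast is on VLAN 2 (`outside`) and XOcomm on VLAN 3 (`outside2`), and uses constructed documentation addresses (203.0.113.0/29, 198.51.100.0/29 and 192.168.10.0/24) in place of the thread's 12.175.X.X, 12.200.X.X and 192.168.D.0.

```cisco
! ASA 5505 dual-ISP: Comcast (outside) primary, XOcomm (outside2) backup.
! Constructed sample addresses: 203.0.113.2/29 with gateway .1 for Comcast,
! 198.51.100.2/29 with gateway .1 for XOcomm; 192.168.10.0/24 stands in for
! the thread's 192.168.D.0. Replace all of them before use.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan3
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248

! Probe a host beyond the Comcast gateway rather than the gateway itself, so an
! upstream outage (link up, no Internet) also triggers failover. 8.8.8.8 is a
! constructed choice; use whatever target the ISP agrees you may poll.
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! The primary default route is withdrawn while track 1 is down; the floating
! route (administrative distance 254) then carries traffic out via XOcomm.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254

! PAT to the address of whichever interface is the current egress.
nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside2) after-auto source dynamic any interface

! Verification after a simulated outage (unplug the Comcast cable):
! show track 1
! show sla monitor operational-state 10
! show route | include 0.0.0.0
```

Two things to check before relying on this. Cisco lists dual-ISP support on the 5505 as a Security Plus feature and restricts the third VLAN on the Base license, so confirm the license with `show version` first. Also, failover here only moves the default route: existing TCP sessions re-establish through the new path, and a site-to-site crypto map bound to `outside` does not follow the traffic to `outside2` unless the tunnel is also defined there.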
Thanks for getting back to me, and so quickly!
1) I am not sure if I understand the "ACL" portion of your question, but this is how I want to access info via the VPN tunnel:
192.168.D.0 inside (NJ) to outside 5505 (12.175.X.X) to outside 5510 (12.200.X.X) to inside network (HQ) 192.168.X.0. Routes are needed to find subnets 192.168.A.0, 192.168.B.0 and 192.168.C.0. The default gateway to those subnets right now is 192.168.X.XX4 inside of HQ. This would be so that the NJ office could find resources of the other offices if needed. This will change as we wean off the MPLS. Inside the ASA 5505, the IP addresses are 192.168.D.0 for data and 10.X.X.0 for the phone system. All other traffic would be sent out through the internet. The phone system uses the XOcomm connection to route phone traffic.
2) I did some reading on SLA. Thanks for pointing that out. For purposes of learning here, I am showing this as 12.175.XXX.XXX for Comcast and 12.200.XXX.XXX for XOcomm.
4) I guess I would use an Outside 2, as that makes sense. In the description, I would label them "ComCast" for outside 1 and "XOcomm" for outside 2.
5) I am still not sure I understand this part. Are additional IP addresses needed for the site-to-site VPN to talk to the local hosts, or will it use the IP addresses assigned by the local server?
1- Configure the ASA 5510 for the 5505 connection
2- Configure the ASA 5505 for the 5510 connection
3- Configure SLA for the Comcast and XOcomm outside connections
4- For this I need help. I think this is from step 1, but I need help to configure the internet to be segregated per my question from #1. Have I given enough information to do so? Please advise on the ACL entries and route statements needed so that NJ can talk to all the offices when using this connection, not just the headquarters.
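For step 4 (the ACL entries and route statements so that only HQ-bound traffic enters the tunnel and everything else exits locally), here is an added example of the 5505 side with the mirror lines for the 5510. It is not configuration from this thread. It assumes ASA 8.4+ syntax, IKEv1 with a pre-shared key, and constructed addresses: 192.168.10.0/24 for 192.168.D.0, 192.168.1.0/24 to 192.168.3.0/24 for the HQ subnets 192.168.A/B/C.0, 203.0.113.2 for the 5505's public address and 192.0.2.2 for the 5510's.

```cisco
! ASA 5505 (NJ branch): site-to-site to the HQ 5510, Internet out locally.
! Constructed sample values: 192.168.10.0/24 stands in for 192.168.D.0,
! 192.168.1.0-3.0/24 for 192.168.A/B/C.0, 203.0.113.2 for the 5505's Comcast
! address, 192.0.2.2 for the 5510's public address. Replace before use.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248

! Local and remote networks as objects, so the same names serve ACL and NAT.
object network NJ-LAN
 subnet 192.168.10.0 255.255.255.0
object-group network HQ-LANS
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0

! Crypto ACL: only traffic matching this line enters the tunnel. Everything
! else from inside is ordinary Internet traffic and is PATed out below.
access-list VPN-TO-HQ extended permit ip object NJ-LAN object-group HQ-LANS

! NAT exemption for tunnel traffic; it must be evaluated before the PAT rule,
! which is why the PAT rule is placed in the after-auto section.
nat (inside,outside) source static NJ-LAN NJ-LAN destination static HQ-LANS HQ-LANS no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface

! One default route is enough: HQ subnets are reached via the tunnel on outside.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Phase 1 (IKEv1) and Phase 2 (IPsec) parameters; they must match the 5510.
! Pick the strongest DH group both boxes support.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 192.0.2.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY

! Mirror on the 5510 (HQ): swap source and destination in the ACL and NAT
! exemption, and add inside routes so return traffic for 192.168.A/B/C reaches
! the internal router the thread calls 192.168.X.XX4 (placeholder below).
! access-list VPN-TO-NJ extended permit ip object-group HQ-LANS object NJ-LAN
! nat (inside,outside) source static HQ-LANS HQ-LANS destination static NJ-LAN NJ-LAN no-proxy-arp route-lookup
! route inside 192.168.2.0 255.255.255.0 HQ-INTERNAL-ROUTER-IP
! route inside 192.168.3.0 255.255.255.0 HQ-INTERNAL-ROUTER-IP

! Verification from a NJ host: ping a HQ address, then
! show crypto ikev1 sa
! show crypto ipsec sa | include pkts
```

This also settles the question under point 5: in a site-to-site tunnel the hosts keep the LAN addresses the local server already hands out, because the crypto ACL and the NAT exemption carry those addresses through unchanged; a separate address pool is only needed for AnyConnect remote-access clients. Decrypted tunnel traffic bypasses the outside interface ACL because `sysopt connection permit-vpn` is on by default; if you later want to restrict what HQ may reach in NJ, turn that off and write explicit rules.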