cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2877
Views
0
Helpful
12
Replies

ASA 5505 Best Practice Guidance Requested

Clint Lambert
Level 1
Level 1

I am hoping to tap into the vast wealth of knowledge on this board in order to gain some "best practice" guidance to assist me with the overall setup using the ASA 5505 for a small business client.  I'm fairly new to the ASA 5505 so any help would be most appreciated!

My current client configuration is as follows:
a) business internet service (cable) with a fixed IP address
b) a Netgear N600 Wireless Dual Band router (currently setup as gateway and used for internet/WiFi access)
c) a Cisco SG-500-28 switch
d) one server running Windows Small Business Server 2011 Standard (primary Domain Controller)
     (This server is currently the DNS and DHCP server)
e) one server running Windows Server 2008 R2 (secondary Domain Controller)
f) approximately eight Windows 7 clients (connected via SG-500-28 switch)
g) approximately six printers connected via internal network (connected via SG-500-28 switch)

All the servers, clients, and printers are connected to the SG-500-28 switch.

The ISP provides the cable modem for the internet service.
The physical cable for internet is connected to the cable modem.
From the cable modem, a CAT 6 ethernet cable is connected to the internet (WAN) port of the Netgear N600 router.

A Cat 6 ethernet cable is connected from Port 1 of the local ethernet (LAN) port on the N600 router to the SG-500-28 switch.

cable modem -> WAN router port
LAN router port -> SG-500-28

The ASA 5505 will be setup with an "LAN" (inside) interface and a "WAN" (outside) interface.  Port e0/0 on the ASA 5505 will be used for the outside interface and the remaining ports will be used for the inside interface.

So my basic question is, given the information above of our setup, where should the ASA 5505 be "inserted" to maximize its performance?  Also, based on the answer to the previous question, can you provide some insight as to how the ethernet cables should be connected to achieve this?

Another concern I have is what device will be used as the default gateway.  Currently, the Netgear N600 is set as the default gateway on both Windows servers.  In your recommended best practice solution, does the ASA 5505 become the default gateway or does the router remain the default gateway?

And my final area of concern is with DHCP.  As I stated earlier, I am running DHCP on Windows Small Business Server 2011 Standard.  Most of the examples I have studied for the ASA 5505 utilize its DHCP functionality.  I also have done some research on the "dhcprelay server" command.  So I'm not quite sure which is the best way to go. First off, does the "dhcprelay server" even work with SBS 2011?  And secondly, if it does work, is the best practice to use the "dhcprelay" command or to let the ASA 5505 perform the DHCP server role?

All input/guidance/suggestions with these issues would be greatly appreciated!  I want to implement the ASA 5505 firewall solution following "best practices" recommendations in order to maximize its functionality and minimize the time to implement.

FYI, the information (from the "show version" command) for the ASA 5505 is shown below:

Cisco Adaptive Security Appliance Software Version 8.4(7)
Device Manager Version 7.1(5)100

Compiled on Fri 30-Aug-13 19:48 by builders
System image file is "disk0:/asa847-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 days 9 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

0: Int: Internal-Data0/0    : address is a493.4c99.8c0b, irq 11
1: Ext: Ethernet0/0         : address is a493.4c99.8c03, irq 255
2: Ext: Ethernet0/1         : address is a493.4c99.8c04, irq 255
3: Ext: Ethernet0/2         : address is a493.4c99.8c05, irq 255
4: Ext: Ethernet0/3         : address is a493.4c99.8c06, irq 255
5: Ext: Ethernet0/4         : address is a493.4c99.8c07, irq 255
6: Ext: Ethernet0/5         : address is a493.4c99.8c08, irq 255
7: Ext: Ethernet0/6         : address is a493.4c99.8c09, irq 255
8: Ext: Ethernet0/7         : address is a493.4c99.8c0a, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

                  

12 Replies 12

Jon Marshall
Hall of Fame
Hall of Fame

Clint

The simple answer is just replace the Netgear with the ASA and leave DHCP on the Windows server but there are a couple of questions  -

1) you say the servers are using the Netgear as a default gateway. What about the clients ?

2) more importantly do you use the WiFi on the Netgear because if you do then you cannot just replace the Netgear. If you do use the WiFi then it may make sense to simply move the Netgear onto your LAN and have it behind the ASA as well as the switch and end devices.

So can you clarify the above especially the WiFi bit and how you use and want to use it ?

Jon

Jon,

Thanks for the info!

To answer your first question, both the servers and the clients are using the Netgear as the default gateway.  The SBS 2011 server is setup both as a DHCP and DNS server, so the clients are using the address configuration data provided by SBS 2011.

The answer to your second question is a little more complex.  The short answer is "yes," they are using WiFi.  Most of the folks in this office have both iPhone's and iPads.  And all those devices are setup to receive e-mail (from Exchange 2010) both inside the office and outside the office.  In addition I have setup a secured Guest network so for clients to use when they are visiting their office.  The Guest network is on a different subnet to (hopefully) provide an extra layer of protection.

So if I'm understanding your response right, the cabling would be as follows:

  • ethernet cable from cable modem to ASA 5505 port e0/0 (Outside) interface

  • ethernet cable from ASA 5505 port e0/1 (Interface) to a port on the Cisco SG-500-28 switch

the Netgear would no longer be connected via the WAN port.  Instead one of the four LAN ports on the Netgear would be connected to the SG-500-28 switch.

I'm confused on DHCP ... if I leave it on the server do I need to use the dhcprelay command or just do nothing with DHCP?

Thanks again for your input... it is greatly appreciated!

Clint

Cabling wise yes, you have understood. The Netgear could be connected to the switch but i'm not sure how you are segregating the LAN subnet from the guest network. You would need something to route between them which the Netgear may be doing currently and if you are happy with that as it is then it should be fine.

If not and the guest network only needs internet access then you could use the restricted DMZ feature on your ASA and have a DMZ specifically for the guest network so they could only access internet. Depends on what you want the guest network to be able to access.

In terms of DHCP if you are assigning multiple subnets it may make sense to move it to the ASA.

How are you doing that at the moment ie. you have two subnets, one for your LAN and one for guest ?

Jon

Hey Jon,

Again, many thanks for the info!

I guess I left that minor detail out concerning the Guest network.  I have a second Netgear router that I am using for Guest netowrk access.  It is plugged in to one of the LAN network ports on the first Netgear router.

The second Netgear (Guest) router is setup on a different subnet and I am letting the router hand out IP addresses using DHCP.

Basic setup is the 192.168.1.x is the internal network and 192.168.11.x is the Guest network.  As far as the SBS 2011 server, it knows nothing about the Guest network in terms of the DHCP addresses it hands out.

Your assumption about the Guest network is correct, I only want to allow guest access to the internet and no access to anything internal.  I like your idea of using the restricted DMZ feature of the ASA for the Guest network.  (I don't know how to do it, but I like it!)  Perhaps you could share more of your knowledge on this?

One final thing, the (internal) Netgear router setup does provide the option for a separate Guest network, however it all hinges on the router being the DHCP server.  This is what led me to the second (Guest) Netgear router because I wanted the (internal) Netgear router NOT to use DHCP.  Instead I wanted SBS 2011 to be the DHCP server.  That's what led to the idea of a second (Guest) router with DHCP enabled.

The other factor in all this is SBS 2011.  Not sure what experience you've had with the Small Business Server OS's but they tend to get a little wonky if some of the server roles are disabled.  For instance, this is a small busines with a total of about 20 devices including servers, workstations and printers.  Early on I thought, "nah, I don't need this IPv6 stuff," so I found an article on how to disable it and did so.  The server performance almost immediately took a nose dive.  Rebooting the server went from a 5 minute process to a 20 minute process.  And this was after I followed the steps of an MSDN article on disabling IPv6 on SBS 2011!  Well, long story short, I enabled IPv6 again and the two preceeding issues cleared right up.  So, since SBS 2011 by "default" wants DHCP setup I want to try my best to accomodate it.  So, again, your opinion/experiece related to this is a tremendous help!

Thanks!

Clint

I don't think you need to change the DHCP server if the LAN clients already use it and the guest clients get theirs from the second Netgear. I would just leave it as it is.

However what has occured to me is the WiFi for your internal users ie. not the guest users.  What is their default gateway ie. is it the same as the wired clients ?

I am thinking that you may need to leave the Netgear as the default gateway because of it's wireless functionality. So if an internal user connects to WiFi what IP address do they get and what is their default gateway. Note this is internal users not guest users.

As far as the guest Netgear is concerned you could, if no access is needed to internal resources, simply put it into it's own vlan and then make this a DMZ on the ASA so they can only access the internet and nothing else. It would be more secure than what you currently have.

One proviso though. I am not familiar with the switch you are using (sorry only know about Catalyst switches) so i am making the assumption that you can create a new vlan on it.

So if you could clarify the WiFi questions and the vlan on your switch we should be able to go from there.

Jon

Jon,

Great info!

I've done some research on the Guest network using the the restricted DMZ and that is definitely the way to go.  It totally isolates the Guest clients from the internal network which is exactly what I want.  The only area of confusion I have on the Guest network is concerning DHCP.  Is it best to a) disable DHCP on the second Netgear router (Guest) and enable DHCP on the DMZ interface on the ASA or b) leave DHCP enabled on the second Netgear router and not do DHCP on the DMZ interface?

Okay, now on to the primary internal Netgear router...

This client uses Exchange 2010 with ActiveSync to allow their mobile devices secure access.  The majority of the devices are iPads and iPhones, with an occasional Android tablet or smart phone thrown in.  So, the internal mobile users need to access the internal network.  I have no issues at all with the client employees have internal access on their mobile devices, I just don't want any Guest users to have to join the internal network just so they can have internet access (which we resolved with the DMZ solution you recommended).

The swtch is a Cisco switch (designed for small business) and it does have a CLI and GUI interface similar to the ASA.  It certainly has the ability to create (up to) 4096 VLAN's (which is a bit like killing a bumblebee with an elephant gun).

The prmary internal Netgear router is the default gateway for all devices (including servers, workstations and mobile).  It also contains the port rules that allow access to Exchange, RDP, etc.  My assumption is that I will movel those rules from the Netgear to the ASA.

So from the way I'm looking at it, I would still have the two Netgear routers.  One would be used for the internal network to allow the client's employees to connect and the second Netgear router would continue to serve as the Guest network router, with the exception that it would be connected to the restricted DMZ.

So does that give you the information you need?

Clint

As far as the DHCP for the guest Netgear i'm not sure it really matters to be honest as long as the default gateway is set to the ASA DMZ interface IP. The Netgear may or may not be able to do this, don't know but i think it is up to.

The internal clients i suspect still need to have the other Netgear as the default gateway because of the WiFi. So what i think you need to do is -

1) connect internal LAN interface of Netgear to the switch in existing vlan

2) create a new vlan together with a new IP subnet for the Netgear WAN interface to the ASA inside interface connection. Note this IP subnet does not need to be in DHCP and it can be any size you want as long as you have an IP for the Netgear and an IP for the ASA. It can be just normal private addressing.

3) connect the WAN interface of the Netgear and the ASA inside interface into the switch in that new vlan and assign the new IP addresses to the interfaces.

4) add a default route to the Netgear pointing to the ASA inside interface

5) add a route to the ASA for the internal client vlan/IP subnet pointing to the WAN interface IP on the Netgear.

The ASA obviously also needs a default route pointing to the cable modem.

So basically the Netgear still routes for the client vlan in your network and i think you need to do this because of the WiFi. If it was just wired connections you wouldn't need the Netgear and could just use the ASA inside interface as the default gateway.

And yes you would need to migrate the rules from the Netgear as it simply there for routing now and move them to the ASA.

I think this is the best way to go. You can leave the DHCP scope on the existing server and as i say set the default gateway to be the internal IP of the Netgear not the ASA.

Does this sound okay ?

Jon

Jon,

Sounds great!

I will give it a try and let you know how it turns out.

Thanks again for your help on this!

Hey Jon,

Hopefully you see this!

I'm a little confused about item #2:

2) create a new vlan together with a new IP subnet for the Netgear WAN interface to the ASA inside interface connection. Note this IP subnet does not need to be in DHCP and it can be any size you want as long as you have an IP for the Netgear and an IP for the ASA. It can be just normal private addressing.

I know you said your experience was with the Catalyst line of switches and I'm using a SMB SG-500 switch.  I understand how to create VLAN's and assign specific port(s) to them but I'm not sure that I can assign an IP address to each VLAN (if I'm understanding what you're recommending correctly).  Could you maybe expand on what you mean and how you would accomplish it on a Catalyst switch?

Thanks!

Clint

I don't know whether your switch will do it but on a catalyst you would -

1) create the vlan eg. vlan 10

2) create an SVI for this vlan ie.

int vlan 10

ip address x.x.x.x y.y.y.y

this SVI (Switched Virtual Interface) is used to route traffic for vlan 10.

The alternative on a L3 catalyst switch is if you only need to create a point to point link ie. just for two L3 devices you can configure the physical port as -

int gi0/1

no switchport

ip address x.x.x.x y.y.y.y

you can only do the above if there are no end devices in the IP subnet. If there are you need a vlan and SVI.

I don't know whether you can do this on your switch or even whether your switch is L3 capable.

I will have a quick look and see what it can do but there is a Small Business forum for these switches which you could post into and link back to this.

Jon

Clint

Okay, it looks like they are L3 capable although you might need to enable ip routing.

It says you can assign and IP to a port as well as a vlan so you could use either as above.

I haven't used these switches so i suggest you read through the guide to understand how it could affect your setup.

Here is the link to the guides for your switch. You should look at the Maintain and Operate guide - 

http://www.cisco.com/cisco/web/solutions/small_business/products/routers_switches/500_series_switches/index.html

as i say you can also use the Small Business forums if you need help configuring it.

Jon

Jon,

Thanks again for the info!

For starters the switch was running in L2 mode instead of L3 mode, so that was the first thing I had to correct.  I also popped over to the Cisco Small Business forums and found some good info on setting up the switch as you suggested.  Similar to the Catalyst switch you're accustomed to working with, when the switch is in L3 mode and if an IP address is assigned to a VLAN, then it creates an SVI.

So, armed with this new knowledge and your recomendation hopefully I can get the setup right and get this thing working.

Again, very much appreciate your insight and assistance!

Clint

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: