Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1109
Views
0
Helpful
2
Replies

ASA 5505 Home Users Internet Access Only

ryandutton
Level 1
Level 1

‎02-28-2013 01:09 PM - edited ‎02-21-2020 04:50 AM

Hello.

I have configured and tested an ASA-5505 that will be deployed at a customer's home.  The ISP cable modem will connect to the E0 (outside) interface of the ASA.  All other interfaces on the ASA are configured for the inside network 192.168.5.0/24. I have created a VPN site-to-site tunnel between this ASA and the UC540 to allow 192.168.5.0/24 subnet access to the internal networks on the UC540. 

The user has requested that all the network devices used by the rest of the family will only need to connect to the Internet.  They will not need access to the VPN tunnel and they will not need access to the computers on the 192.168.5.0/24 inside network.  I was planning on performing the following tasks to get this to work:

  • Create a new inside interface & assigning one of the physical interfaces on the ASA to a different subnet such as 192.168.255.0/30.
  • Connect the WAN port of a home router (Linksys or Netgear) to the respective physical interface and set a static IP on the WAN interface in the same 192.168.255.0/30 subnet.
  • Configure the inside network on the home router to 192.168.254.0/24.
  • Create static route on home router to forward all traffic to 192.168.255.1 (the IP that will be configured on the ASA).
  • Disable NAT on the home router.

Is there a better or tested method of performing this configuration.  Any advice would be appreciated.

Thanks & have a good day.

0 Helpful
2 Replies 2

Tagir Temirgaliyev
Spotlight
Spotlight

‎03-01-2013 09:16 PM

probably more simple way is

to creat a VPN site-to-site tunnel between this ASA and the UC540 to allow 192.168.5.0/(25 or 26) subnet access to the internal networks on the UC540.

so ip addresses 192.168.5.1 -192.168.5.127 will go into tinnel but others 192.168.5.129 -192.168.5.255 will

not go.

dont forget to rate post

0 Helpful

ryandutton
Level 1
Level 1
In response to Tagir Temirgaliyev

‎03-11-2013 12:03 PM

The only caveat I see with that setup is automatically determining devices that are authorized to connect through the VPN tunnel vs unauthorized devices that aren't supposed to connect through the tunnel.    I would need to set static IPs on devices that need to connect to main office through the VPN tunnel and configure DHCP on the ASA to provide IP addresses starting at 192.168.5.129 - 158 (only scope of 30 addresses max permitted).   Right now, I have the DHCP scope on the ASA providing IP addresses from 192.168.5.21 - 50.  I obviously can't set up two DHCP servers on the same subnet.  If I set up the DHCP scope to be 192.168.5.121 - 150, that would also not work because without my intervention, there's no way to determine if unauthorized devices connect to the VPN or authorized devices not being able to connect to VPN.

Not a bad idea though.  Thanks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card