ASA 5505 on a Stick Please Help!

missiongeek (Level 1)

Hi All, I am on here asking the internets for help today. I have been assigned a task I am not prepared for; I don't have any expertise with the ASA whatsoever.

I currently have a 2845 router connected to my ASA 5505 on port 0/0. Port 0/1 is connected to a switch that feeds a bunch of other unmanaged switches.

Router-----Port 0/0 ASA5505 Port 0/1------Switch------ Many computers  (NO VLANS)

I want to do the following

Router----Port 0/0 ASA5505 Port 0/1-----Managed Cisco Switch----Unmanaged Switches

***I already have the managed switch configured for 802.1q trunking and all that other good stuff.

Here is my current config:

hostname ASABLAHBLAH
domain-name BLah.com
enable password BlahEPW encrypted
passwd BPLAH encrypted
names
name 10.10.0.0 A-10.10.0.0 description INSIDE_NETWORK
name 10.10.0.5 A-10.10.0.5 description VPN_PLATINUM2
name 10.10.0.90 A-10.10.0.90 description VGSUPPORT
name 63.150.232.0 A-63.150.232.0 description OUTSIDE_NETWORK
!
interface Ethernet0/0
 description VLAN 2
 switchport access vlan 2
!
interface Ethernet0/1
 description VLAN 1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 description Inside
 nameif Inside
 security-level 100
 ip address 10.10.0.1 255.255.252.0
!
interface Vlan2
 description Public
 nameif Public
 security-level 0
 ip address 68.x.x.x 255.255.255.224
!
boot system disk0:/asa824-1-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time edt recurring
dns domain-lookup Inside
dns domain-lookup Public
dns server-group DefaultDNS
 name-server A-10.10.0.5
 name-server 10.10.0.7
 domain-name Blah.com
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list NoNAT extended permit ip A-10.10.0.0 255.255.252.0 log critical
access-list in-out extended permit ip any any
access-list in-out extended permit tcp host 10.10.0.10 any eq smtp
access-list in-out extended permit tcp host 10.10.0.104 any eq smtp
access-list in-out extended permit tcp host 10.10.1.15 any eq smtp
access-list in-out extended permit tcp any eq www any eq www log
access-list in-out extended permit tcp any eq smtp any eq smtp
access-list in-out extended permit tcp any eq https any eq https log
access-list Public_1_cryptomap extended permit ip A-10.10.0.0 255.255.252.0 zzz255.255.248.0
access-list nonat extended permit ip A-10.10.0.0 255.255.252.0 xxx 255.255.248.0
pager lines 24
logging enable
logging timestamp
logging emblem
logging list SyslogEvents level alerts
logging console warnings
logging monitor errors
logging buffered emergencies
logging trap errors
logging history errors
logging asdm errors
logging from-address mauricio@terarecon.com
logging host Inside 10.10.0.250 format emblem
logging host Inside x.x.x.x format emblem
logging permit-hostdown
mtu Inside 1500
mtu Public 1500
ip local pool Pool 10.10.1.200-10.10.1.245 mask 255.255.255.224
ip verify reverse-path interface Inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
asdm history enable
arp timeout 14400
global (Public) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group out-in in interface Public
route Public 0.0.0.0 0.0.0.0 63.150.232.1 1
route Public 172.16.0.0 255.255.248.0 63.150.232.1 1
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
mac-list 500 permit 001c.2395.9ab5 ffff.ffff.ffff
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
snmp-server host Inside 172.16.51.0 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set terarecon esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 100 set transform-set 3desmd5
crypto map vpn 1 match address Public_1_cryptomap
crypto map vpn 1 set peer x.x.x.x
crypto map vpn 1 set transform-set 3desmd5 terarecon strong chevelle
crypto map vpn 100 ipsec-isakmp dynamic dynmap
crypto map vpn interface Public
crypto isakmp identity address
crypto isakmp enable Inside
crypto isakmp enable Public
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 1000
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
console timeout 0
management-access Inside
no threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable Public
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 2
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username terarecon password vKhU6EpRuuCQRcyQ encrypted
username missiongeek password vrGUIr23/Frg5rdJ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool Pool
 dhcp-server A-10.10.0.5
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
!
class-map type inspect http match-all asdm_medium_security_methods
 match not request method head
 match not request method post
 match not request method get
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect http
  inspect pptp
  inspect icmp
  inspect ip-options
policy-map type inspect http HTTP_inspection
 parameters
  protocol-violation action drop-connection
 class asdm_medium_security_methods
  drop-connection
!
service-policy global_policy global
smtp-server x.x.x.x
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

-------------------------------------------------------------------------------------------

Proposed solution:

interface Ethernet0/0
 description VLAN 2
 switchport access vlan 2
interface Ethernet0/0
 description LAN
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.2
 vlan 2
 nameif Inside
 security-level 100
 ip address 10.10.0.0 255.255.252.0
!
interface Ethernet0/0.3
 vlan 3
 nameif dev
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0.4
 vlan 4
 nameif wireless
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/1
 description Primary Internet
 nameif Public
 security-level 0
 ip address x.x.x.x 255.255.255.224
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
global (Public) 1 interface
nat (Inside) 1 10.10.0.0 255.255.252.0
nat (dev) 1 192.168.3.0 255.255.255.0
nat (wireless) 1 192.168.4.0 255.255.255.0
!
static (Inside,wireless) 10.10.0.0 10.10.0.0 netmask 255.255.252.0
static (Inside,servers) 10.10.0.0 10.10.0.0 netmask 255.255.252.0
static (wireless,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (wireless,servers) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (servers,Inside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (servers,wireless) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

PLEASE PLEASE HELP
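As an added example (not from the poster and not Cisco tooling), a small Python linter that scans an ASA 8.x running-config excerpt for the kinds of issues visible in the config above: an interface whose address is the network or broadcast address of its subnet, an access-group that names an ACL the excerpt never defines, telnet/ssh/http management access opened to 0.0.0.0, and ISAKMP policies still using DES, MD5 or DH group 1. SAMPLE_CONFIG is a constructed excerpt modelled on the posted config, not the full config.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted above (not the full config).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif Inside
 security-level 100
 ip address 10.10.0.1 255.255.252.0
interface Ethernet0/0.2
 nameif Inside2
 security-level 100
 ip address 10.10.0.0 255.255.252.0
access-list in-out extended permit ip any any
access-group out-in in interface Public
telnet 0.0.0.0 0.0.0.0 Inside
ssh 0.0.0.0 0.0.0.0 Inside
crypto isakmp policy 2
 encryption des
 hash md5
 group 1
crypto isakmp policy 65535
 encryption 3des
 hash sha
 group 2
"""

def lint_asa(config: str) -> list:
    """Single pass over the config; assumes access-list lines precede
    the access-group that binds them, as in a running-config dump."""
    findings, acls, iface, policy = [], set(), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface, policy = line.split()[1], None
        elif line.startswith("crypto isakmp policy "):
            policy, iface = line.split()[-1], None
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and iface:
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            if ipaddress.ip_address(m[1]) in (net.network_address, net.broadcast_address):
                findings.append(f"{iface}: {m[1]} is the network/broadcast address of {net}")
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif (m := re.match(r"access-group (\S+) ", line)) and m[1] not in acls:
            findings.append(f"access-group references undefined ACL {m[1]}")
        elif m := re.match(r"(telnet|ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            findings.append(f"{m[1]} management access open to any host on {m[2]}")
        elif policy and re.match(r"(encryption des|hash md5|group 1)$", line):
            findings.append(f"isakmp policy {policy}: weak setting '{line}'")
    return findings

if __name__ == "__main__":
    for finding in lint_asa(SAMPLE_CONFIG):
        print(finding)
```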


Julio Carvajal (VIP Alumni)

Hello,

Not sure what the question is, but you have an ASA 5505 where you would like to implement 802.1q.

An ASA 5505 behaves (configuration-wise) as an L3 switch (SVI stuff and L2 physical ports).

So here is my example. I will use port fas 0/3 as a trunk link going to switch 1 and will trunk vlans 10,20 and 30.

interface Vlan10
 nameif Inside_1
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 nameif inside_2
 security-level 100
 ip address 10.10.20.1 255.255.255.0
 no shutdown
!
interface Vlan30
 nameif inside_3
 security-level 100
 ip address 10.10.30.1 255.255.255.0
 no shutdown
!
interface Ethernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 no shutdown

That's it.

Then configure security policies as you wish.

Note: To make this work on your device remember to rate my post hehe

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC