08-17-2010 06:44 AM - edited 03-11-2019 11:26 AM
I am new to Cisco!
I currently use MS ISA Server 2006 to protect a Windows internal network, where there is also an MS Exchange server. I have acquired a Cisco 5510 to enhance security at the main office. Later I will have ASA 5505s for branches, including VPN-ing. Please help in:
I will appreciate some sample code lines.
Thanks,
Andrew
08-17-2010 08:05 AM
Some basics of NAT:
https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml
Other than that, configuring interfaces for the firewall is simple.
Example:
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address x.x.x.x y.y.y.y
 no shutdown
Security level can be inside, outside or dmz,
inside being most secure and outside being least secure.
If you need to know more, here is a link:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intro.html
This should give you what you need.
Please let us know if this resolves your issue.
08-17-2010 08:12 AM
Follow every step in this link to configure the ASA5505 to be able to access the internet from the inside: http://www.firewall.cx/ftopict-7053.html
Follow this for the ASA5510: http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/
-KS
08-17-2010 10:18 PM
Dear Jathaval, Kusankar,
I have an internal DNS and DHCP assigning addresses internally. Do I still need to have the ASA 5510 run DHCP? I also currently have ISA Server 2006 on which I had a stub copy of DNS, which forwards queries to external DNSs. How will I assign the ASA 5510 to do this?
If I wanted to continue using ISA Server with the ASA 5510, the latter at the perimeter, how could I accommodate both? Also, I have several global IPs and I do not know how to define sub-interfaces to assign several global IPs to a single physical interface, i.e. can I for example assign several global IPs on physical interface 0/0? How? Can a sub-interface also accommodate a VPN? Please help with some example code if possible!
Thanks
Andrew
08-31-2010 11:10 PM
Dear Jathavar,
09-01-2010 05:40 AM
Hi Andrew,
On the 5505, you can do something like this:
interface Ethernet0/0
switchport mode trunk
switchport trunk allowed vlan 10,20
!
interface vlan 10
nameif outside1
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface vlan 20
nameif outside2
security-level 0
ip address 2.2.2.2 255.255.255.0
Likewise, on the 5510, you can do this:
interface Ethernet0/0.10
vlan 10
nameif outside1
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0.20
vlan 20
nameif outside2
security-level 0
ip address 2.2.2.2 255.255.255.0
Hope that helps.
-Mike
09-01-2010 10:02 AM
Dear Mirober2
Thanks, it helps, but I am told the physical interface which has been split into sub-interfaces must be connected to a trunk port. ...Just what does this mean in the real world? My plan was to just connect this port to a router and on to the ISP. Will this work for sub-interfaces?
Thanks
09-01-2010 10:14 AM
Hi Andrew,
Subinterfaces will automatically configure the ASA's physical interface to be an 802.1q trunk. There is no way around this, since the ASA depends on the .1q tag on the packets to determine which subinterface the packet should be processed by.
Hope that helps.
-Mike
09-01-2010 10:20 PM
Dear mirober2
My ISP has given me IPs that are in mask 255.255.255.248. When I enter sub-interfaces to combine some of these public IPs on one physical interface, I get a conflict.
interface ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface ethernet0/0.1
 description outside1
 vlan 1
 nameif outside1
 security-level 0
 ip address x.x.x.90 255.255.255.248
!
interface ethernet0/0.2
 description outside2
 vlan 2
 nameif outside2
 security-level 0
 ip address x.x.x.91 255.255.255.248 --------- Conflict with interface 0/0.1
Help
09-02-2010 05:06 AM
Hi Andrew,
The behavior you see there is correct. Since the addresses are in the same subnet, you cannot apply them to 2 different interfaces.
What are your requirements for the use of the two public IPs? One use case might be to assign 1 of the addresses to the outside interface and then use the other address for translating a certain host or hosts. You could do something like this:
interface ethernet0/0
nameif outside
security-level 0
ip address x.x.x.90 255.255.255.248
!
nat (inside) 1 0 0
global (outside) 1 x.x.x.91
That configuration would use .90 for the ASA's external address and use PAT to translate all of the hosts on your inside interface to .91 when they go out to the Internet. Let us know what you're trying to accomplish with the use of 2 external IPs and we might be able to suggest a better solution.
Hope that helps.
-Mike
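As an added example (not code from Mike or Andrew), a small Python check that parses ASA-style interface stanzas and reports the overlapping-subnet condition Mike describes above, so the conflict can be caught before the config is pushed. The sample config and the 203.0.113.x addresses are constructed placeholders for the thread's x.x.x.90/.91 on a /29.

```python
import re
from ipaddress import IPv4Interface
from itertools import combinations

# Constructed sample: the two /29 sub-interfaces from the thread, with
# placeholder public addresses (203.0.113.0/24 is a documentation range).
CONFLICTING_CONFIG = """
interface ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface ethernet0/0.1
 vlan 1
 nameif outside1
 security-level 0
 ip address 203.0.113.90 255.255.255.248
!
interface ethernet0/0.2
 vlan 2
 nameif outside2
 security-level 0
 ip address 203.0.113.91 255.255.255.248
"""


def parse_interfaces(config: str) -> dict:
    """Map each interface name to its IPv4Interface (address + mask)."""
    result = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(.+)", line, re.IGNORECASE)
        if m:
            current = m.group(1).lower()
            continue
        # "no ip address" does not match because the line starts with "no"
        m = re.match(r"ip address\s+(\S+)\s+(\S+)", line, re.IGNORECASE)
        if m and current:
            result[current] = IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return result


def find_overlaps(config: str) -> list:
    """Return (ifc_a, ifc_b) pairs whose subnets overlap; the ASA rejects these."""
    ifcs = parse_interfaces(config)
    return sorted(
        (a, b)
        for (a, ia), (b, ib) in combinations(sorted(ifcs.items()), 2)
        if ia.network.overlaps(ib.network)
    )


if __name__ == "__main__":
    for a, b in find_overlaps(CONFLICTING_CONFIG):
        print(f"overlap: {a} and {b}")
```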
09-02-2010 11:47 PM
Dear Mike,
Thanks for this response. In a nutshell, this is broadly what I want to do:
Please help
09-03-2010 05:19 AM
Hi Andrew,
In that case, you can set up static PAT to achieve this:
interface ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.91 255.255.255.0
!
static (dmz,outside) tcp x.x.x.90 www <dmz-web-server-ip> www
static (dmz,outside) tcp x.x.x.90 ftp <dmz-ftp-server-ip> ftp
static (inside,outside) tcp interface smtp <inside-smtp-server-ip> smtp
You can also set up a simple PAT so the hosts on the inside network can get out to the Internet:
nat (inside) 1 0 0
global (outside) 1 interface
Hope that helps.
-Mike
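Pulling the thread's pieces together, here is an added example (not Mike's or Andrew's configuration) of a complete pre-8.3 style ASA 5510 config on the /29 block Andrew described, including the inbound access list that a static alone does not provide. Assumed and constructed values: public block 203.0.113.88/29 with the ISP router at .89, a DMZ web/FTP host at 192.168.2.10, and the inside Exchange server at 192.168.1.20.

```cisco
! Added example, not from the thread. All addresses are constructed placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.91 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.89
!
! Outbound PAT: inside and DMZ hosts leave behind the outside address (.91)
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Static PAT: the second public IP (.90) fronts the DMZ web/FTP host,
! the interface address (.91) fronts SMTP to the inside Exchange server
static (dmz,outside) tcp 203.0.113.90 www 192.168.2.10 www netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.90 ftp 192.168.2.10 ftp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255
!
! A static by itself does not admit traffic from the lower-security outside
! interface; the inbound ACL permits only the published ports. On pre-8.3
! code the ACL matches the mapped (public) addresses, not the real ones.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.90 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.90 eq ftp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.91 eq smtp
access-group OUTSIDE_IN in interface outside
```

Verify the translations with `show xlate` and the hit counts with `show access-list OUTSIDE_IN` once traffic is flowing.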
08-23-2011 07:23 AM
Dear Mirober,
This seems to be nearing what I need. But can you please place the ISA server somewhere in your presentation?
Thanks