05-13-2010 10:40 AM - edited 03-11-2019 10:45 AM
I've been tasked to replace our old SonicWall TZ170 firewall with an ASA 5510 and configure it (which I've never done, only routers and switches) and I have a few questions. I'm inside the ASDM and I'm trying to set up my outside interface... The 5510 came with an SSM card, and I assumed this would be my outside interface, but I'm guessing I'm wrong since it isn't an option when running through the wizard. I know what the SSM card is for, I just don't understand why it isn't an outside interface. Where does this connect (just to my LAN??)?
Currently I set up the management interface to our IP and subnet and am connected through that. I see the management interface and eth0 - eth3.
This is as simple as it can get, I just need the outside interface to be our public IP, and to set up the access rules to match my SonicWall.
Also on the version, it's running ASA 8.2.1. Should I upgrade to 8.3.1? What is the ED after the version (not familiar with it)?
Thanks!
05-13-2010 10:57 AM
Hi,
The SSM is not an outside interface and how it works depends on the type of module it is. Is it a CSC-SSM or an AIP-SSM? The configuration differs somewhat when using these modules but it's almost the same, and yes, it will connect to your LAN. Your outside interface should be one of the ports you select and likewise for the inside interface. Typically though the outside interface is Ethernet0/0. The following link may help with a basic setup.
You can upgrade to the latest version if you so desire but you may require a memory upgrade so I would stick with 8.2, see link below.
The ED means early deployment by the way.
05-13-2010 11:08 AM
It is a CSC SSM. Not sure the difference but that is what it is.
Thank you! I'll configure the eth0 as my outside int. I'll keep you updated!
05-13-2010 11:29 AM
The CSC-SSM is for content filtering (SMTP, FTP, HTTP); the AIP-SSM is for Intrusion Prevention. So with the module you have you will be able to block websites, block downloads, have time-of-day restrictions and all that stuff.
05-13-2010 01:51 PM
Yea I ordered all those features. It makes sense now. I'm having an issue with subnetting (I admit I don't know as much about it as I should).
My management interface has a static IP and is on the same subnet as my network (255.255.255.0) so I can hit the HTTP server. My eth0 is my outside interface. I'm trying to make eth1 my inside interface and have it on the same subnet as everyone else (including my management interface) but it doesn't like it. It tells me that it can't overlap with the management interface subnet.
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.200.4 255.255.255.0
management-only
!
!
interface Ethernet0/0
description Outside Interface
shutdown
nameif outside
security-level 0
ip address xx.xxx.xx.xxx 255.255.255.248
!
I would really like my eth1 int on the same subnet as management because my entire network is on the 255.255.255.0 subnet. Here's what I would LIKE to do with Eth1 but it errors out:
!
interface Ethernet0/1
description Inside LAN Interface
shutdown
nameif inside
security-level 100
ip address 192.168.200.4 255.255.255.0
!
How can I make this work? Thank you!
05-13-2010 01:59 PM
Hey that's right, you can't have two interfaces on the same device in the same network, worst of all with the same IP address. If you don't need out-of-band management, which is what that management interface provides for, I would suggest shutting down the port and removing the IP address so that it can be used on the inside interface, and you will still be able to manage the device from this interface with the following commands:
telnet 192.168.200.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
You can also configure a different network on the management interface altogether if you still need the out-of-band management. Example:
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
telnet 192.168.2.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
ssh 192.168.2.0 255.255.255.0 management
Let me know if that helps.
05-13-2010 02:03 PM
Sorry I was incorrect about the IP addresses, I want my management on 192.168.200.4 and my eth1 on 192.168.200.2 and have them on the same subnet. That's what I'm having problems with.
05-13-2010 02:04 PM
Reading again, I'll do exactly that. I'll do out-of-band management on the management port and manage from the eth0.
05-13-2010 03:11 PM
Yay I got the interfaces set up:
!
interface Ethernet0/0
description Outside WAN Interface
shutdown
nameif outside
security-level 0
ip address xx.xxx.xx.xx 255.255.255.248
!
interface Ethernet0/1
description Inside LAN interface
nameif inside
security-level 100
ip address 192.168.200.2 255.255.255.0
!
My ASA also set up these access rules automatically, are they ok? Screen
Now in my old firewall (SonicWall), it has route policies that were auto added. Screen I'm assuming I set up the ASA the same way verbatim right?
Also in my SonicWall, it used address objects to map aliases to hosts and IPs, Screen. This would also be wise to do right?
The SonicWall also has NAT Policies (SCREEN) and ACCESS RULES (SCREEN). To me, these are exactly the same. Or are the NAT policies the actual rule, and the access rule tell whether to ALLOW OR DENY the nat policy?
Sorry for all the questions, I just want to make sure this is done right. THANKS!!
05-14-2010 09:31 AM
Those rules on the ASA are default rules; it is saying anything initiated from the inside is allowed out but nothing initiated from the outside is allowed in. Sorry but I am not familiar with SonicWall at all to give you any tips on the rules you will need to set up. However if all you have is an outside and inside interface then you will need a nat/pat to ensure that internal addresses can get out, and an access list to restrict those internal networks if needed. If you have inbound traffic, i.e. to mail, web server etc., then you will again need a nat and an access list to allow the traffic in.
The attached document (you can ignore the router configs) should hopefully give you a better idea of how inbound traffic works and how to apply access lists to an interface.
Let me know if this helps.
05-14-2010 02:09 PM
Ok that helps immensely.
All we have is an outside and inside, so a nat/pat is required (once I figure it out).
We do have incoming traffic that I need to route (webserver, mailserver, etc..). I've already created all my network objects and service groups.
I'm stuck now on routes. The SonicWall (sorry I know you don't work with them) created some routes automatically. My ASA currently has no routes. Should I create the routes from the SonicWall in the ASA? Here's a screen of the routes automatically created by the SonicWall device screen
05-14-2010 02:29 PM
Yes, you will need to create the routes.
For instance to get to the Internet you will need: route outside 0.0.0.0 0.0.0.0 1.1.1.1 (internet gateway)
Also if you have an L3 switch on the LAN that provides for multiple networks then you will need routes on the ASA to get to those internal networks:
route inside 172.18.10.0 255.255.255.0 172.17.10.1
route inside 172.19.10.0 255.255.255.0 172.17.10.1 and so on and so on.
I am not a fan of ASDM if that's what you are using so I can't really help there, but I believe you will select the interface the traffic will be routed out, add the destination network and then the next hop address.
For natting you can PAT, or use a pool or static NAT, but just for browsing you can do the following:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 (this allows all networks to be natted as long as a route exists)
The document should help with the inbound traffic and the natting for the Internet as well. You can always post your config if you need anymore help.
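Added example (not from this thread or from Cisco): a small Python checker for the two configuration mistakes discussed in the replies above, overlapping interface subnets (the error the poster hit on Ethernet0/1 vs Management0/0) and 8.2-style nat/global ids that do not pair up, plus a check that a default route is present. The sample config is constructed to mirror the thread; the "nat ... 0" exemption, which needs no global, is skipped.

```python
"""Sanity-check an ASA 8.2-style config for overlapping interface subnets,
unmatched nat/global ids and a missing default route. Constructed sample."""
import ipaddress
import re

# Constructed sample: management and inside both on 192.168.200.0/24,
# and nat id 2 has no matching 'global (outside) 2'.
SAMPLE_CONFIG = """\
interface Management0/0
 nameif management
 ip address 192.168.200.4 255.255.255.0
 management-only
!
interface Ethernet0/1
 nameif inside
 ip address 192.168.200.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1
global (outside) 1 interface
nat (inside) 2 0.0.0.0 0.0.0.0
"""

def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for each interface with nameif + ip address."""
    result, nameif, addr = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):          # new block: reset state
            nameif, addr = None, None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()[:4]      # dotted mask is accepted
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if nameif and addr and nameif not in result:
            result[nameif] = addr
    return result

def overlapping_subnets(interfaces):
    """Pairs of nameifs whose networks overlap; the ASA rejects such a config."""
    names = sorted(interfaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if interfaces[a].network.overlaps(interfaces[b].network)]

def unmatched_nat_ids(config):
    """nat ids (other than the id-0 exemption) with no 'global (...) id' line."""
    nat_ids = {n for n in re.findall(r"^nat \(\S+\) (\d+)", config, re.M) if n != "0"}
    global_ids = set(re.findall(r"^global \(\S+\) (\d+)", config, re.M))
    return sorted(nat_ids - global_ids)

def has_default_route(config):
    """True if a 'route <if> 0.0.0.0 0.0.0.0 <gateway>' line exists."""
    return re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M) is not None
```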
05-14-2010 02:31 PM
I'll be having fun this weekend! I just configured my PAT and my route to my gateway. I'm working on the rest now. Thank you so much! If I have issues I'll post my config.
05-23-2010 09:10 AM
Ok I got the firewall up and running, internet traffic works great. Problem is I'm having an issue with my NATs I think. I set up access rules for my servers inside my network. For example I have an access list that allows any outside traffic coming in on mail ports to forward to my mail server, however it's not working. I ran a packet trace and it gets blocked by the final entry of my nat list:
Not sure why though. It seems all my access lists get blocked by this final nat entry. Any idea why? Thank you!
05-23-2010 09:21 AM
Can you post your config?