12-07-2010 12:12 PM - edited 03-11-2019 12:19 PM
Hi
We are moving to a Cisco ASA 5510 from our existing firewall (non-Cisco). It is our primary firewall at our head office and I will be directly connecting it to the ISP and configuring features like NAT, VPN tunnels, RVPN etc. I am not configuring failover on the same ASA 5510, but I have actually purchased two identical units. I am in the process of configuring the firewall and putting it to test on the live network by the end of this month. But before that I have a few questions.
1. Since I am connecting my ISP to the outside interface, do I have to configure a static route?
2. I have a branch office running a Cisco 1811 with an IPsec tunnel to the head office. This 1811 is connected to another 1811 here at the head office through a different ISP. Point to be noted: I have two ISPs at my head office. Right now the plan is to migrate that connection to the ASA 5510. So how will I configure the new VPN tunnel and what changes do I have to make on the Cisco 1811 at my branch office?
3. I am configuring int eth 0/1 as my inside interface and have also configured a sub-interface on eth 0/1.1 (vlan 1) as my DMZ. How will I route packets between LAN-DMZ and WAN-DMZ? Is it all done using the access list?
I will post more questions when I get to the next level. I am referring to the Cisco 5510 complete guide for my configurations. Your help is appreciated.
Thanks
SR
12-07-2010 12:23 PM
To answer your questions:
1) No, you can pull the route using the DHCP "ip address dhcp setroute" option under the interface.
2) You can set up the L2L config on the ASA and it is a little simpler than on IOS. Here is a sample doc: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml
3) I am not sure what the 2 DMZ interfaces are. But you should treat them as regular interfaces. You need ACLs, translations and routes to pass traffic between them.
I hope it helps.
PK
12-07-2010 05:35 PM
interface Ethernet0/1
 nameif inside
 ip address 10.x.x.x <mask>
interface Ethernet0/1.1
 vlan 1
 nameif DMZ
 ip address 10.10.x.x <mask>
Siva,
Even though you quickly typed it up, I'd like to mention not to use the main interface with nameif; only configure the sub-interfaces with nameif/ip address etc.
Anyway, on how to route IN-to-DMZ and DMZ-to-OUT packets, here is what you need to remember.
R-oute
T-ranslation
P-ermission
IN to DMZ is high to low, so you need to provide a translation: static (inside,DMZ) 10.x.x.x 10.x.x.x
DMZ to outside is high to low again, so you need to provide a translation.
Permission is not required from high to low on the ASA platform, but traffic initiated from LOW to HIGH requires permission.
If you have a layer three device on the inside, it has to have a route to 10.10.x.x on the DMZ via the inside interface IP of the firewall.
On the DMZ you mentioned that they are directly connected, so they will have the ASA's DMZ interface IP as their GW, so the firewall will take care of routing to inside as well as outside.
-KS
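As an added example (not from the thread or from Cisco), here is how the R-T-P points above and the "dhcp setroute" answer would look in an ASA 8.2-style configuration, with nameif only on sub-interfaces as KS advises. The VLAN IDs, the 10.1.0.0/24 inside and 10.10.0.0/24 DMZ subnets, and the DMZ web server at 10.10.0.10 are assumptions; the outside address is taken from the ISP via DHCP.

```cisco
! Added example, not the original poster's config. Subnets, VLAN IDs and
! the DMZ server 10.10.0.10 are constructed values.
!
! --- Interfaces: nameif/ip address only on the sub-interfaces ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
interface Ethernet0/1.1
 vlan 10
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
interface Ethernet0/1.2
 vlan 20
 nameif DMZ
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
! --- Route: "setroute" above installs the ISP default route. If the ISP
! hands out a static address instead, use a static default route, e.g.
! route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! --- Translation ---
! inside -> DMZ (high to low): identity NAT, inside hosts keep their IP
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.255.0
! inside and DMZ -> outside (high to low): PAT behind the outside address
nat (inside) 1 10.1.0.0 255.255.255.0
nat (DMZ) 1 10.10.0.0 255.255.255.0
global (outside) 1 interface
! outside -> DMZ web server: port forward on the (dynamic) outside address
static (DMZ,outside) tcp interface 80 10.10.0.10 80 netmask 255.255.255.255
!
! --- Permission ---
! High to low needs no ACL. Low (outside) to high (DMZ) does: allow only
! the published port, and log anything else that hits the outside interface.
access-list outside_in extended permit tcp any interface outside eq 80
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

Inside hosts reach 10.10.0.10 directly through the identity static and need no ACL, while from the Internet only TCP/80 to the outside address is forwarded to the DMZ server.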
12-07-2010 02:20 PM
Thanks for your reply.
My third question was:
interface Ethernet0/1
 nameif inside
 ip address 10.x.x.x <mask>
interface Ethernet0/1.1
 vlan 1
 nameif DMZ
 ip address 10.10.x.x <mask>
Sorry, that's just the rough config I typed out. But the point is that on my DMZ I will have a couple of servers that will be on the same subnet as the LAN. How will I route the packets? I.e. if a user wants to access the server on the DMZ from the local LAN, how will the routing be done, and if a user from an outside network wants to access the server on the DMZ, how will it be done? But wait, I have a guide that has a pictorial network diagram. Anyway, your help will be appreciated and I will understand it better.
Thanks
Siva R