02-07-2014 12:14 AM - edited 03-11-2019 08:41 PM
Hi,
I am very new to the security/firewall domain. I have gone through a lot of documents and understood that there must be one outside interface and at least one or multiple inside interfaces, depending on the requirement. I have attached a high-level design; it shows how the ASAs are to be connected to the Aggregation/Distribution switches and how the DMZs are connected to the ASA via L2 switches. Could anyone help me with how to configure this and what basic configuration is required to establish the network and make it work? I need two inside networks: one for the DMZ servers and another for the other servers to be advertised outside the DC.
02-07-2014 10:50 AM
Hi Goutam,
A few days ago I configured the same topology. But first I need your requirements, then I can help you. You can mail me directly (parosh.islam@yahoo.com).
Here is the link for configuration help.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/asa_84_cli_config.html
Regards
Parosh
+8801755591722
02-09-2014 10:09 PM
Hi Parosh,
Thanks for your reply. If you have configured the same topology, could you please give me a sample configuration for the same setup?
02-07-2014 11:44 AM
Which ASA model are you running and version?
A very basic configuration you could set up; just remember to change the interface numbers and IP addresses to the required values:
interface GigabitEthernet0/1
 description inside
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 description outside
 nameif outside
 security-level 0
 ip address 8.8.8.9 255.255.255.252
 no shutdown
!
! Default route towards the ISP next hop.
route outside 0.0.0.0 0.0.0.0 8.8.8.10
!
! PAT the inside subnet behind the outside interface address (8.3+ object NAT).
object network LAN-to-outside-NAT
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Management access: ASDM (HTTPS) and SSH only from the inside subnet.
http server enable
http 192.168.1.0 255.255.255.0 inside
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
!
! Local admin account. Without "aaa authentication ssh console LOCAL" the ASA
! does not consult this username for SSH logins.
username USERNAME password PASSWORD
aaa authentication ssh console LOCAL
enable password PASSWORD
As I mentioned, this is a very basic config that allows only traffic from the inside to the outside and nothing more. But you will have internet access at least. Also keep in mind that you should change the subnets for http and ssh to a dedicated management subnet.
Please refer to this configuration guide.
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_start.html
If you need more assistance please let us know.
--
Please remember to rate and select a correct answer
02-09-2014 10:12 PM
Hi,
Thanks.
What I understood from your configuration: the ASA is located inline. Is my understanding right? If so, could you please give me a sample config for ASAs connected to Nk501 & 02 with high availability?
The ASA model is 5584-X, but I am not aware of the software version; it would be the latest version.
02-10-2014 12:32 AM
When you say NK501, I assume that it is a typo and that it should be N5K01 (for Nexus 5000 switch 1)?
So if these are Nexus switches, and I assume you are looking for an active/standby configuration on the ASA for HA, your configuration would be something like the following if you want full redundancy.
---------------------------
N5K01
feature vpc
feature lacp
!
vpc domain 1
 role priority 1000
 system-priority 1
 ! keepalive: source is this switch's own keepalive address, destination is the peer's
 peer-keepalive destination 169.254.111.2 source 169.254.111.1 vrf default
 auto-recovery
!
interface Ethernet1/19
 description ASA01
 switchport mode trunk
 channel-group 2 mode active
!
interface Ethernet1/21
 description ASA01
 switchport mode trunk
 channel-group 2 mode active
!
interface Ethernet1/22
 description vpc-keepalive
 no switchport
 ip address 169.254.111.1/16
 no shutdown
!
! vPC peer-link members must be trunks.
interface Ethernet1/23
 description vpc-peerlink
 switchport mode trunk
 channel-group 1
 no shutdown
!
interface Ethernet1/24
 description vpc-peerlink
 switchport mode trunk
 channel-group 1
 no shutdown
!
interface port-channel1
 description vpc-peerlink
 switchport mode trunk
 vpc peer-link
!
! ASA01 is cabled to this switch only, so Po2 is an ordinary (orphan) port-channel,
! not a vPC: a vPC number would require the same ASA bundle to land on both peers.
interface port-channel2
 description ASA
 switchport mode trunk
------------------------------------------
N5K02
feature vpc
feature lacp
!
vpc domain 1
 role priority 65535
 system-priority 1
 peer-keepalive destination 169.254.111.1 source 169.254.111.2 vrf default
 auto-recovery
!
interface Ethernet1/19
 description ASA02
 switchport mode trunk
 channel-group 2 mode active
!
interface Ethernet1/21
 description ASA02
 switchport mode trunk
 channel-group 2 mode active
!
interface Ethernet1/22
 description vpc-keepalive
 no switchport
 ip address 169.254.111.2/16
 no shutdown
!
interface Ethernet1/23
 description vpc-peerlink
 switchport mode trunk
 channel-group 1
 no shutdown
!
interface Ethernet1/24
 description vpc-peerlink
 switchport mode trunk
 channel-group 1
 no shutdown
!
interface port-channel1
 description vpc-peerlink
 switchport mode trunk
 vpc peer-link
!
! Orphan port-channel to ASA02, as on N5K01.
interface port-channel2
 description ASA
 switchport mode trunk
----------------------------------------------
ASA01
! Two 10GE links to N5K01 bundled with LACP. ASA physical interfaces are
! shut down by default, so bring them up explicitly.
interface TenGigabitEthernet0/6
 description N5K01
 channel-group 2 mode active
 no shutdown
!
interface TenGigabitEthernet0/7
 description N5K01
 channel-group 2 mode active
 no shutdown
!
! Two links between the ASAs carry the failover (LAN) link and the stateful
! link as separate VLAN subinterfaces on one EtherChannel.
interface TenGigabitEthernet0/8
 description Failover
 channel-group 3
 no shutdown
!
interface TenGigabitEthernet0/9
 description Failover
 channel-group 3
 no shutdown
!
interface Port-channel2
 description N5K01
 nameif NAME
 security-level 60
 ip address 10.10.10.1 255.255.255.240 standby 10.10.10.2
!
interface Port-channel3
 description Failover EtherChannel (carries both failover VLANs)
!
interface Port-channel3.10
 description Failover link
 vlan 10
!
interface Port-channel3.20
 description State link
 vlan 20
!
failover lan unit primary
failover lan interface Failover_Link Port-channel3.10
failover key PASSWORD
failover replication http
failover link Stateful_Failover_Link Port-channel3.20
failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146
failover interface ip Stateful_Failover_Link 10.8.4.161 255.255.255.240 standby 10.8.4.162
! Enable failover last, once the failover interfaces above are defined.
failover
----------------------------
ASA02
! Secondary unit. Once failover is up, the interface, NAT and policy
! configuration replicates from the primary; only the failover commands
! below strictly have to be entered here.
interface TenGigabitEthernet0/6
 description N5K02
 channel-group 2 mode active
 no shutdown
!
interface TenGigabitEthernet0/7
 description N5K02
 channel-group 2 mode active
 no shutdown
!
interface TenGigabitEthernet0/8
 description Failover
 channel-group 3
 no shutdown
!
interface TenGigabitEthernet0/9
 description Failover
 channel-group 3
 no shutdown
!
interface Port-channel2
 description N5K02
 nameif NAME
 security-level 60
 ip address 10.10.10.1 255.255.255.240 standby 10.10.10.2
!
interface Port-channel3
 description Failover EtherChannel (carries both failover VLANs)
!
interface Port-channel3.10
 description Failover link
 vlan 10
!
interface Port-channel3.20
 description State link
 vlan 20
!
failover lan unit secondary
failover lan interface Failover_Link Port-channel3.10
failover key PASSWORD
failover replication http
failover link Stateful_Failover_Link Port-channel3.20
failover interface ip Failover_Link 10.8.4.145 255.255.255.240 standby 10.8.4.146
failover interface ip Stateful_Failover_Link 10.8.4.161 255.255.255.240 standby 10.8.4.162
failover
--
Please remember to rate and select a correct answer
02-10-2014 12:34 AM
Just noticed that I forgot to include the DMZ interfaces on the ASAs. But I am sure that you can figure that out by looking at the other interface configuration that I provided.
--
Please remember to rate and select a correct answer
02-10-2014 01:29 AM
Hi,
Thanks,
Can you tell me which interface would work for outside? As per my understanding of your config sample, port-channel2 is configured between the ASA and n5k-1 and 2 and will be used for outside, and the same port-channel 2 is used for inside also with security level 60. Does that mean I need to subinterface that port-channel like:
port-channel2.30 is mapped with vlan 30 used for outside security level 0
port-channel2.40 is mapped with vlan 40 used for inside security level 60
port-channel2.50 is mapped with vlan 50 used for inside security level 90
And as per your configuration, ASA-01 is connecting to n5k-01 and ASA-02 is connecting to n5k-02, with no cross connect between the ASAs and n5ks (will it be good for redundancy purposes, or is this a design restriction?)
02-10-2014 03:09 AM
If you have several VLANs that need to go through the firewall, then yes, you need to configure port-channel 2 with subinterfaces.
I did not include any configuration for the inside network as I thought it would be quite self-explanatory by following the example for the interfaces going towards NK501 - 2.
ASA-01 is only connected to n5k-01 and ASA-02 is only connected to n5k-02, as per your network diagram. Yes, you could cable them redundantly between the n5k switches if you wanted to do that. I was just following your diagram.
--
Please remember to rate and select a correct answer
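To make the subinterface answer above concrete, here is an added example (not configuration from this thread or from anyone in it) of Port-channel2 split into the outside, inside and DMZ VLANs the question lists, with a DMZ web server published to the outside. The VLAN IDs, interface names, security levels, all addresses (203.0.113.x is documentation space), the server address and the object/ACL names are assumptions chosen for the example; adjust them to the real design.

```cisco
! --- N5K side (both switches): Po2 stays a trunk, limited to the firewall VLANs.
interface port-channel2
 description ASA
 switchport mode trunk
 switchport trunk allowed vlan 30,40,50

! --- ASA side (entered on the active unit; it replicates to the standby).
! The parent port-channel carries no IP itself once it is split into VLANs.
interface Port-channel2
 description N5K01
 no nameif
 no security-level
 no ip address
!
interface Port-channel2.30
 description outside (VLAN 30, assumed)
 vlan 30
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Port-channel2.40
 description inside (VLAN 40, assumed)
 vlan 40
 nameif inside
 security-level 100
 ip address 10.40.0.1 255.255.255.0 standby 10.40.0.2
!
interface Port-channel2.50
 description dmz (VLAN 50, assumed)
 vlan 50
 nameif dmz
 security-level 50
 ip address 10.50.0.1 255.255.255.0 standby 10.50.0.2
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Inside and DMZ hosts reach the outside through PAT on the outside address.
object network INSIDE-NET
 subnet 10.40.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ-NET
 subnet 10.50.0.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! One DMZ web server (assumed address) is published on a public address.
! In 8.3+ the ACL references the real (pre-NAT) address via the object.
object network DMZ-WEB
 host 10.50.0.10
 nat (dmz,outside) static 203.0.113.4
!
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! dmz (50) is lower than inside (100), so dmz->inside is already blocked by
! default; an explicit, logged deny keeps that intent visible in the config.
access-list DMZ-IN extended deny ip 10.50.0.0 255.255.255.0 10.40.0.0 255.255.255.0 log
access-list DMZ-IN extended permit ip 10.50.0.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
```

After applying it, "show interface ip brief" and "show nat" on the ASA and "show vpc" and "show port-channel summary" on the Nexus switches confirm that the subinterfaces, translations and bundles came up; "show failover" should list the standby unit as ready before any real traffic is cut over.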
02-10-2014 03:14 AM
Hi
Thanks, I will check and let you know if everything works fine. Thanks again for your help. One more request, if possible:
Do you have any documents on the ASA that show diagram-based configuration according to data center design? It would help me to understand better and correlate with my setup.
I mean different design diagrams and configuration deployment solutions in today's data center.
02-10-2014 03:26 AM
Is this what you are looking for?
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/dc_sec_design.html
--
Please remember to rate and select a correct answer
02-11-2014 01:51 AM
Hi,
I am looking for basic design and configuration; this is a very high level of design and configuration, which is a little bit difficult for me to understand as a fresher in security.
02-11-2014 02:45 AM
Normally design documents do not have any configuration in them. But I had a look around and found this... hope it is what you are looking for.
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns824/sbaDC_cGuide.pdf
--
Please remember to rate and select a correct answer
02-11-2014 02:47 AM
I have this one, thanks.
02-11-2014 02:49 AM
Then the only other thing that might be what you want is a configuration guide, and not a design guide.
Let me know if this is closer.
--
Please remember to rate and select a correct answer