Test Lab - Cisco Asa 5506

t.leray
Level 1

Hello happy networkers !

So, I'm trying to learn the CISCO ASA 5506-X devices. I was using the 5505 mainly before it.

I would like to know how you go about testing new devices like it?

Testing the Inside stuff is OK but what about the outside, VPN site to site, etc...

My 5506 will operate in a small company environment (stores, to be exact). Something like this:

HQ Lan -> ASA5510 -> ISP router A -> Internet -> ISP router B -> ASA 5506 -> Office Lan

With a site to site VPN between both ASA (with both a public IP on their outside interface).

I would want to create a lab internally to allow me to test the 5506 fully.

Unfortunately, I do not have any spare public IP… So it came to my mind that I could eventually use my actual HQ LAN as a 'fake internet'.

Do you think it would be possible? And what should I set on my outside interface for the IP/Subnet/Gateway/DNS to lure my 5506?

Do I need a specific router on my HQ LAN side to operate like an ISP router?

Thank you ;)

3 Replies

Richard Burts
Hall of Fame

There are multiple ways to create a lab for testing new models and new versions. Some are more simple and some are more complex. To help us decide how to advise you can you start by helping us understand what you really mean when you say you want to test 5506 fully? Will this test environment be totally stand alone? Or will part of it touch your live network? Is it enough to configure the VPN and see the tunnel come up? Or do you need to actually run traffic through the tunnel? Is it enough to just run some simple traffic or do you need to test using the same kinds of traffic that your live network would use? Do you need to test with the same volume of traffic that your live network will generate? Is it good enough to connect your ASA to a small router for testing? Or do you need to test connecting to the same type of router that will be used in the live network?

HTH

Rick

Hello Richard,

I'm glad I got an answer on this.

Sorry if my question is not totally clear. English is not my native language... 

Basically we need something simple to test that our configuration is working on this asa 5506. 

Will this test environment be totally stand alone? Or will part of it touch your live network? 

Well no, it'll not be stand alone.

For the outside part, since I do not have an additional public IP to test with my internet provider, I would want to connect it to my headquarters LAN (to act like a 'fake' internet).

The inside part (bridge group from interface ports 2 to 8) will be a local network on a specific IP range.

VPN & Traffic:

Yes, I would want to be able to test that a VPN configuration is working with some simple traffic.

I do not need to stress test this with the exact traffic/volume I'll have on my final site/installation.

Is it good enough to connect your ASA to a small router for testing? Or do you need to test connecting to the same type of router that will be used in the live network?

Any router will be ok. 

What I would test mainly is, for a computer connected on one of my inside interfaces:

- Can I see all devices on my inside network (testing the bridge group)

- Can I access the internet (testing the outside interface + NAT & route to inside)

- Can I manage the Cisco (http, telnet, etc.)

- Can I build a VPN and get traffic through it

The final network scheme in the production environment will be:

Internet -> ISP router -> Cisco 5506 -> LAN

My test environment would be something like this :

Internet -> ISP router -> HQ Cisco 5510 -> HQ LAN -> Cisco 5506 -> Test LAN

What do I need on my HQ lan to build a 'fake' internet to lure my 5506 ?

Do I need to configure a router specifically to act as a gateway for my 5506 ?

I tried to simply set an IP on the outside interface of my Cisco 5506, but I can't get internet nor ping whatever from my inside side.

But I can ping both LANs if I do it from the Cisco CLI directly.

Thanks ;)

Thanks for the clarification that English is not your native language. I will bear that in mind. My main point is still true. To be able to give you good advice we need to have some understanding of your environment and of your expectations.

To be able to test something like the 5506 I believe that this is the minimum of what you would need:

- LAN connected to 5506

- 5506

- something to represent the networks in between (Internet)

- some device that can do IPSEC tunnels (perhaps another ASA or perhaps a router)

- LAN connected to that device

When I suggested a stand alone test environment I was thinking of something like this:

- some device (or devices) connected to 5506

- 5506

- a router to represent the Internet

- a router (or an ASA) to represent the remote peer for the VPN

- some device (or devices) to represent the remote LAN

With that you could configure Public IP addresses on the outside interface of the VPN devices and route between them. You could configure both LANs with appropriate private IP addresses. And you could configure VPN policies on both VPN peer devices. And you could test to verify that the tunnel does come up and does pass traffic.

You could create a test environment as you describe it where the 5506 is a device in the production LAN. For that kind of test environment what would be the remote peer for the test VPN?

In the test environment that you describe, setting up the test LAN could be fairly easy. Define some IP network that does not match any network in your live environment and that becomes your test LAN. One aspect to consider in setting up the test LAN is whether it could work satisfactorily with a single device. Unlike the 5505, where several ports on the ASA can be in the same vlan/same subnet, on the 5506 each port is a routed port. So to have multiple devices in the test LAN you would need some switch connecting the 5506 to the hosts in the test LAN.

Configuring the outside interface of the 5506 will be a bit of a challenge. Since the 5506 is connected in the HQ LAN, the 5506 outside interface must be configured with an IP address of the production subnet. Then there would need to be some static address translation/port forwarding in your production 5510 to send the test VPN traffic received on the 5510 outside interface to the 5506. It will be especially challenging if your 5510 has a single Public IP address and is already configured for IPSEC tunnels.

How you would set up the rest of the test environment would depend on what device will be the VPN peer for testing.

HTH

Rick
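
As an added example (not from the thread, and not an official Cisco configuration), here is a minimal ASA 8.3+ configuration for the lab Richard outlines: the 5506's outside interface on the HQ LAN subnet, a default route to the 5510's inside address, a non-overlapping test LAN on a single routed port, PAT, ICMP inspection, and, on the 5510, the static port forwards that let a VPN peer outside HQ reach the 5506. All addresses and object names are constructed.

```cisco
! ---- 5506 in the lab (all addresses constructed) ----
! Outside sits on the HQ LAN; the 5510's inside subnet is the "fake Internet".
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.10.250 255.255.255.0
!
! Test LAN on one routed port, with a switch behind it for several hosts.
! Pick a subnet that overlaps nothing in the live network.
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.77.0.1 255.255.255.0
!
! Default route points at the 5510's inside address instead of an ISP router.
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
!
! Test-LAN hosts hide behind the outside address (PAT), so the 5510 only ever
! sees 192.168.10.250 and needs no route back to 10.77.0.0/24.
object network TEST-LAN
 subnet 10.77.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Without ICMP inspection the echo replies to inside hosts are dropped as
! unsolicited, although pings issued from the ASA CLI itself succeed.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ---- Production 5510: only if the VPN peer sits outside HQ ----
! Forward IKE (UDP 500) and NAT-T (UDP 4500) from the 5510's public address
! to the 5506; ESP travels inside UDP 4500 because the 5506 is behind NAT.
object network LAB-5506-IKE
 host 192.168.10.250
 nat (inside,outside) static interface service udp 500 500
object network LAB-5506-NATT
 host 192.168.10.250
 nat (inside,outside) static interface service udp 4500 4500
! ASA 8.3+ access lists match the real (untranslated) address.
access-list OUTSIDE_IN extended permit udp any host 192.168.10.250 eq 500
access-list OUTSIDE_IN extended permit udp any host 192.168.10.250 eq 4500
access-group OUTSIDE_IN in interface outside
```

If the 5510 already has an inbound access list on outside, add the two permits to that list instead of binding a new one. The port forwards are only possible if the 5510 does not itself terminate IPsec on UDP 500/4500 with that same public address, which is the single-public-IP problem Richard points out.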