cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

804
Views
0
Helpful
2
Replies
Highlighted
Beginner

ASA 5505 Home Users Internet Access Only

Hello.

I have configured and tested an ASA-5505 that will be deployed at a customer's home.  The ISP cable modem will connect to the E0 (outside) interface of the ASA.  All other interfaces on the ASA are configured for the inside network 192.168.5.0/24. I have created a VPN site-to-site tunnel between this ASA and the UC540 to allow 192.168.5.0/24 subnet access to the internal networks on the UC540. 

The user has requested that all the network devices used by the rest of the family will only need to connect to the Internet.  They will not need access to the VPN tunnel and they will not need access to the computers on the 192.168.5.0/24 inside network.  I was planning on performing the following tasks to get this to work:

  • Create a new inside interface & assigning one of the physical interfaces on the ASA to a different subnet such as 192.168.255.0/30.
  • Connect the WAN port of a home router (Linksys or Netgear) to the respective physical interface and set a static IP on the WAN interface in the same 192.168.255.0/30 subnet.
  • Configure the inside network on the home router to 192.168.254.0/24.
  • Create static route on home router to forward all traffic to 192.168.255.1 (the IP that will be configured on the ASA).
  • Disable NAT on the home router.

Is there a better or tested method of performing this configuration.  Any advice would be appreciated.

Thanks & have a good day.

2 REPLIES 2
Frequent Contributor

ASA 5505 Home Users Internet Access Only

probably more simple way is

to creat a VPN site-to-site tunnel between this ASA and the UC540 to allow 192.168.5.0/(25 or 26) subnet access to the internal networks on the UC540.

so ip addresses 192.168.5.1 -192.168.5.127 will go into tinnel but others 192.168.5.129 -192.168.5.255 will

not go.

dont forget to rate post

Beginner

ASA 5505 Home Users Internet Access Only

The only caveat I see with that setup is automatically determining devices that are authorized to connect through the VPN tunnel vs unauthorized devices that aren't supposed to connect through the tunnel.    I would need to set static IPs on devices that need to connect to main office through the VPN tunnel and configure DHCP on the ASA to provide IP addresses starting at 192.168.5.129 - 158 (only scope of 30 addresses max permitted).   Right now, I have the DHCP scope on the ASA providing IP addresses from 192.168.5.21 - 50.  I obviously can't set up two DHCP servers on the same subnet.  If I set up the DHCP scope to be 192.168.5.121 - 150, that would also not work because without my intervention, there's no way to determine if unauthorized devices connect to the VPN or authorized devices not being able to connect to VPN.

Not a bad idea though.  Thanks.