06-03-2021 06:32 AM
I'm writing to you today in need of some assistance. I am currently working on a task configuring two networks that can communicate safely with each other through the use of a firewall. Both networks are working fine individually; however, when it comes to communicating with the opposite network, the packets fail.
I ran a traceroute to see where the issue lies and it seems to be at the routers of each network. I'm unsure how to get the firewall to become operational and send packets between the networks successfully.
I'm assuming I need to configure VLANs 1 and 2 on the firewall, but my knowledge is lacking. Does anyone have any tips?
Attached is a link to the topology.
06-03-2021 07:52 AM
How are the routers on each site supposed to route traffic to each other? Are you using OSPF, static routes, some other routing protocol?
On the ASA, did you create rules on eth0/0 and eth0/1 to allow the required UDP/TCP ports from the appropriate IP address ranges? On the ASA, do eth0/0 and eth0/1 have the same security level? If so, have you enabled traffic between two or more interfaces which are configured with the same security level?
06-03-2021 08:14 AM
Both routers have static routes. I don't believe I have created the rules you mentioned. I'm pretty new to networking, so I'm just trying to rack my brain. As far as I am aware, and this may be incorrect, I need to configure both VLAN 1 and VLAN 2 on the ASA to allow traffic to pass through? I am, however, unsure what the IP configurations of the inside and outside interfaces would be.
I'm sorry if the information I provide is pretty basic, I'm just trying to understand how to achieve the following:
"Install and configure the firewall to provide the secure link between the two networks."
06-03-2021 08:47 AM
On the ASA you will need to create network and/or host objects for both networks (192.168.1.0/24 and 192.168.2.0/24) or individual devices.
You will then need to create access rules. The easiest, but most insecure, way is to just create a rule on Eth0/0 for source 192.168.2.0/24, destination 192.168.1.0/24, service ip, action permit, and a rule on Eth0/1 for source 192.168.1.0/24, destination 192.168.2.0/24, service ip, action permit.
The better way is to determine what each device or network needs access to and only create rules for that traffic. For example, if devices on network 192.168.2.0/24 only need access to the email server at 192.168.1.3 using IMAP, then the rule would be something similar to this: on interface Eth0/0 create a rule for source 192.168.2.0/24, destination 192.168.1.3/32, service tcp/143, tcp/993, action permit.
If devices on network 192.168.1.0/24 only need access to the web server at 192.168.2.3 using HTTPS, then the rule would be similar to this: on interface Eth0/1 create a rule for source 192.168.1.1/24, destination 192.168.2.3, service tcp/443, action permit.
Unless you are very familiar with creating Cisco ASA configs using the command line, I would highly recommend using the Cisco ASDM app to access the ASA. This will give you a GUI for configuring the ASA. It is usually easier to create objects (i.e. network objects, network groups, service objects, service groups) and use those in your rules. Most well-known services (i.e. HTTP, HTTPS, SSH) should already have predefined service objects in ASDM to use in your rules.
I hope that helped. Good luck.
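The least-privilege rules described in the reply above, written out as an ASA CLI configuration. This is an added example, not the replying poster's own config or anything from the thread's topology: it assumes routed interfaces Ethernet0/0 (outside, facing 192.168.2.0/24) and Ethernet0/1 (inside, facing 192.168.1.0/24), and the interface IP addresses 192.168.2.254 and 192.168.1.254 are placeholders chosen here, since the thread does not give them. The object, group and ACL names are also chosen for this example.

```text
! --- Interfaces (addresses are assumed placeholders, not from the thread) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.254 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
 no shutdown
!
! The two interfaces have different security levels, so
! "same-security-traffic permit inter-interface" is not needed here.
! It would be required only if both were given the same level.
!
! --- Network and host objects for both sites and the two servers ---
object network NET_SITE1
 subnet 192.168.1.0 255.255.255.0
object network NET_SITE2
 subnet 192.168.2.0 255.255.255.0
object network MAIL_SERVER
 host 192.168.1.3
object network WEB_SERVER
 host 192.168.2.3
!
! IMAP and IMAPS grouped as one service object-group
object-group service MAIL_PORTS tcp
 port-object eq 143
 port-object eq 993
!
! --- Outside -> inside: site 2 may reach the mail server on IMAP/IMAPS only ---
access-list OUTSIDE_IN extended permit tcp object NET_SITE2 object MAIL_SERVER object-group MAIL_PORTS
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! --- Inside -> outside: site 1 may reach the web server on HTTPS only ---
! (an explicit inbound ACL on "inside" replaces the default permit from
!  high to low security level, so only this traffic is allowed out)
access-list INSIDE_IN extended permit tcp object NET_SITE1 object WEB_SERVER eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! The "easiest but most insecure" variant from the reply would instead be
! a single "permit ip" line per interface, e.g.
!   access-list OUTSIDE_IN extended permit ip object NET_SITE2 object NET_SITE1
! which exposes every host and port at the other site.
```

The ASA is stateful, so reply traffic for connections permitted by these ACLs is allowed back automatically; no mirror rule is needed. If the two LANs sit behind the site routers rather than directly on the ASA interfaces, the ASA additionally needs static routes for 192.168.1.0/24 and 192.168.2.0/24 pointing at the respective router, just as the routers need routes for the far side via the ASA. On a 5505-style platform (the model the asker's mention of VLAN 1 and VLAN 2 suggests), the nameif, security-level and ip address lines go under interface Vlan1 and interface Vlan2 with the physical Ethernet0/x ports assigned to those VLANs via switchport access vlan; the object, access-list and access-group lines are unchanged.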
06-03-2021 09:25 AM
I really appreciate you taking time out of your day to explain this to me, it is really kind of you.
Do you happen to know what these commands would be written as in packet tracer?
06-03-2021 09:42 AM
Sorry, I can't help you with network modeling tools.