NEW ASA5516-FTD-K9 and I need to add in my topology

amralrazzaz
Level 5

I have a new ASA5516-FTD-K9 and I need to add it to my topology.

My current equipment is as below:

Cisco Catalyst 2960-X 24 GigE PoE 370W 4x1G SFP LAN Base, qty. 2 switches

Cisco CISCO2911/K9 (Cisco 2911 Voice Bundle PVD 3-16 UC License PAK FL-CUBE 01 / Cisco 4-port voice interface card - FXO (EHWIC) / Cisco SMARTnet 8x5xNBD Cisco 2911 Voice Bundle), qty. 1

According to the design I have currently (the network design is attached, please have a look):

So my questions are as below:

  • Where should I put the ASA in the network?
  • What kind of configuration should be removed from the 2911 router, and what should be added?
  • What kind of configuration should be added on the ASA?
  • How do I set up and configure the ASA (DHCP relay agent, NAT, site-to-site VPN, default route, static routes, ACLs) using the GUI?

Find attached the config file + the network layout.

Thanks

amr alrazzaz

I have reviewed the information. I will change what I said about connecting the management interface of the ASA to a switch. As long as the ASA management interface connects to an access port on the switch in the management vlan it would be ok. With this the ASA can participate in management traffic but not any data traffic on that connection.

In your current environment each of the vlans connects to router subinterfaces, all routing between vlans is done on the router, and the only security policies are to prevent Guest traffic from communicating with Private IP networks and to prevent SSH access to the router. I am assuming that you would want to keep it that way as you transition to the ASA. But the access list that you have developed suggests that this is not the case. I have these comments about the access list:

- near the bottom of the access list is a permit ip any any. If you are going to permit any any then none of the statements following this line will be executed. So there is no point in having them in the access list.

- also if you are going to permit any any then there is not much point in the statements which precede that line since it would all get permitted anyway.

- you have quite a few statements where the source is on the inside interface and the destination is on the inside interface. If the routing between vlans is being done on the router then this traffic would not get to the ASA. Do these statements indicate that you are thinking about routing between vlans on the ASA? If so then each vlan needs an interface on the ASA. Perhaps a trunk connecting a switch to the ASA carrying all the vlans? What would then be sent to the router?

I do believe that you will want to remove address translation from the router and do it on the ASA. I did not realize that you have a block of 6 Public IP addresses. We need to think some about how to use those addresses.

I am not clear about the Private IP address configured on the outside interface. My guess is that you probably do need to keep this. Would you post the output of the command show arp on the router? This might give some insight into what is needed.

HTH

Rick

Just to make it simple...

1- Is there any ACL regarding the VLANs' reachability to each other that I should make on the ASA, or is there no need?

2- Shall I only make a static route on the ASA pointed to the internal subnetworks on the 2911?

If yes, can I have reachability between networks from the ASA to the 2911 and vice versa?

3- What kind of ACLs shall I configure on the ASA?

Is it only an ACL for the VPN, or also ACLs for the VLANs reaching each other, and also an ACL to separate traffic between NAT and VPN?

4- What kind of ACLs should I remove from the router? Only VPN and NAT?

5- So the ASA should manage the reachability between the local subnetworks created on the 2911?

6- In my situation I have the inside interface connected to the router, and the router has many subinterfaces for different VLANs, so how can I manage the config on the ASA such as ACL policies and NAT and so on?

Thanks a lot for your valued info, really useful.

amr alrazzaz

Let me make a general statement and then I will respond to your specific questions. As I understand the original post you have an existing network (that works ok) which has a 2911 router and 2 layer 2 switches. You have obtained an ASA/FTD (which provides a much more effective firewall for your network) which you want to implement. I am assuming that you want to leave most of the internal networking as it is and to focus on what is needed to deploy the ASA. If that understanding is not correct then please provide clarification.

1) I believe that the current network, with inter vlan routing on the 2911 router allows any device on the inside network to communicate with any other device on the inside network, with the exception of the guest vlan which is prevented from communicating with anything inside and can only communicate with the Internet. Do you want to change this policy? If not then there is not any need for any acl on the ASA controlling vlan reachability.

2) I believe that it makes sense to configure static routes on the ASA for the vlan subnets connected to the 2911. If you do that, and if the 2911 has a default static route with the next hop as the ASA then you should have reachability between the vlans on the 2911 and the ASA.

3) On the ASA you will need an acl for vpn traffic. Depending on your response to 1) there is no need for an acl for vlan reachability. While address translation on a router frequently does use an acl, there is no need for an acl for address translation on the ASA.

4) On the router you have an acl to protect against SSH access. This acl should be removed. You do not need a similar acl on the ASA because the default security policy of ASA will not allow SSH initiated from outside. 

On the router you have an acl for vpn. That acl should be moved to the ASA.

On the router you have an acl to prevent guest access to other vlans. That acl should remain on the router.

5) The answer to this depends on your response to my general statement at the beginning of this post. 

6) I am not clear what this question is really asking. When it mentions many subinterfaces for vlans I think that the answer depends on your response to my general statement. The other part of the question asks about managing the configuration of the ASA. You will have at least 2 options for managing the config: you can access the ASA using telnet or SSH (from inside the network) and using command line to manage the configuration, or you can use the GUI interface (ASDM etc) to manage the configuration.

HTH

Rick

Let me make a general statement and then I will respond to your specific questions. As I understand the original post you have an existing network (that works ok) which has a 2911 router and 2 layer 2 switches. You have obtained an ASA/FTD (which provides a much more effective firewall for your network) which you want to implement. I am assuming that you want to leave most of the internal networking as it is and to focus on what is needed to deploy the ASA. If that understanding is not correct then please provide clarification.

  • Yes, exactly, that's what I need (adding the ASA to my network; I already shared the network layout).
  • I need to know exactly which configurations on the router should remain and which should be removed.
  • What kind of configuration should be added on the ASA?
  • I need all my internal networks (VLANs) to stay the same.

  • I believe that the current network, with inter vlan routing on the 2911 router allows any device on the inside network to communicate with any other device on the inside network, with the exception of the guest vlan which is prevented from communicating with anything inside and can only communicate with the Internet. Do you want to change this policy? If not then there is not any need for any acl on the ASA controlling vlan reachability.

- Yes, exactly what you said is my situation, and this is what I need to keep without changing any policy. But my question is whether these policies should remain on the router (I hope yes, so it's easier and works as it is even after adding the ASA!!) or whether I have to remove them and reconfigure them again on the ASA? If there is no problem with keeping them on the router and it will work fine, that would be great.

  • I believe that it makes sense to configure static routes on the ASA for the vlan subnets connected to the 2911. If you do that, and if the 2911 has a default static route with the next hop as the ASA then you should have reachability between the vlans on the 2911 and the ASA.

- I'll make a default static route on the router pointing to the ASA (next hop = the IP address assigned to the ASA inside interface).

- I'll make a static route on the ASA pointing to the router, so the ASA will have reachability to all private local VLAN subnets connected to the 2911 router.

So there will be reachability between the ASA and the router, if I'm correct?

- I'll make a default static route on the ASA pointing to the ISP.

  • On the ASA you will need an acl for vpn traffic. Depending on your response to 1) there is not need for acl for vlan reachability. While address translation on router frequently does use an acl there is no need for acl for address translation on the ASA.

- I'll remove the IKEv2 site-to-site VPN configuration from the 2911 and reconfigure it on the ASA + the crypto ACL.

- For the NAT configuration on the router, shall I remove it and reconfigure it on the ASA? (Based on the configuration file I shared, how do I do this? Also, I must separate the NAT traffic from the VPN traffic if I'm using one public IP; but if I have more public IPs, can I use one for VPN and another for NAT? In that case is there no need for an ACL to deny the private network traffic from reaching those destinations and then permit it again, so that NAT is only for the Internet?)

  • On the router you have an acl to protect against SSH access. This acl should be removed. You do not need a similar acl on the ASA because the default security policy of ASA will not allow SSH initiated from outside. 
  • I'll remove the SSH ACL from the router.

On the router you have an acl for vpn. That acl should be moved to the ASA.

  • I'll remove it and reconfigure it again on the ASA.

On the router you have an acl to prevent guest access to other vlans. That acl should remain on the router.

- It would be great to keep this on the router and not change it; if it will work fine, I'll keep it.

5) The answer to this depends on your response to my general statement at the beginning of this post. 

- My answer is yes, the same as what you said exactly, sir.

6) I am not clear what this question is really asking. When it mentions many subinterfaces for vlans I think that the answer depends on your response to my general statement. The other part of the question asks about managing the configuration of the ASA. You will have at least 2 options for managing the config: you can access the ASA using telnet or SSH (from inside the network) and using command line to manage the configuration, or you can use the GUI interface (ASDM etc) to manage the configuration.

- I can manage this via SSH or telnet as you said.

7) For the DHCP configuration I'm using ip helper-address on each subinterface to get DHCP addresses from the main data center via the site-to-site VPN, so can I keep these on the router?

Example of what I have currently:

interface GigabitEthernet0/0.9
 description printers
 encapsulation dot1Q 9
 ip address 10.246.3.207 255.255.255.0
 ip helper-address 10.x8.0.xxx
 ip helper-address 10.80.1x0.xx
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.12
 description badge-reader
 encapsulation dot1Q 12
 ip address 10.246.12.207 255.255.255.0
 ip helper-address 10.x8.0.xxx
 ip helper-address 10.80.1x0.xxx
 ip nat inside
 ip virtual-reassembly in

8) At last I'll share some of the configuration that I need help on: what should remain, what should be removed, and how to do it on the ASA.

See attached please.

amr alrazzaz

So we agree about keeping the inter vlan routing on the router. So the user subnets and the routing logic between subnets remain on the router. The ASA will need routing logic to reach the inside subnets. This might be individual static routes for each subnet but also could be a single static route for the summarized block of addresses. The access list on the router which restricts the guest vlan will remain on the router.

You should choose a subnet to use connecting the inside interface of the ASA to the interface on the router. You should change the default route on the router to point to the inside interface of the ASA. A static default route on the ASA should point to the provider connected interface address. It would be nice to have more understanding about the addresses supplied by the provider. But at this point I believe that you would use the private address for the interface on the ASA and use the Public IP (or several Public IP) for address translation. On the ASA an address for nat does not necessarily need to be assigned to an interface (as it was on the router).

On the router you should remove the configuration of vpn and do it on the ASA. Also remove the configuration of address translation from the router and do it on the ASA.

You would leave the configuration of helper addresses on the router for DHCP. The ASA would not have any configuration for this.

HTH

Rick
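The plan Rick lays out above (a transit subnet between the 2911 and the ASA inside interface, one summary route for the VLANs, NAT and the site-to-site VPN moved to the ASA, helper addresses left on the router), together with the earlier question about keeping VPN traffic out of NAT, as an added configuration example. It is not part of the thread and not Cisco's own documentation. It uses ASA software syntax, which is what the thread works in; the unit ordered is the FTD SKU, and on an FTD image the same objects, NAT rules, routes and VPN are built in FDM or FMC instead. Every address, object name and interface number is an assumption: RFC 5737 documentation ranges stand in for the redacted values (outside 203.0.113.2/30 with ISP next hop 203.0.113.1, public block 198.51.100.0/29 with 198.51.100.2-.3 used for PAT, transit subnet 10.246.14.0/24 with the ASA at .1 and the router at .2, remote data centre 10.80.0.0/16 behind VPN peer 192.0.2.10). The VLAN summary 10.246.0.0/20 is the one the thread itself proposes.

```cisco
! Added example, not from the thread. ASA 9.x syntax; all addresses are
! RFC 5737 documentation values standing in for the redacted ones.
hostname ASA-EDGE
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.246.14.1 255.255.255.0
!
! Routing: default to the ISP, one summary route for the VLANs behind the 2911
! (the connected transit /24 is more specific and wins for that subnet).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.246.0.0 255.255.240.0 10.246.14.2 1
!
object network LAN_SUMMARY
 subnet 10.246.0.0 255.255.240.0
object network REMOTE_DC
 subnet 10.80.0.0 255.255.0.0
object network PUBLIC_PAT_POOL
 range 198.51.100.2 198.51.100.3
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! NAT section 1 (manual NAT) is evaluated before section 2 (object NAT), so
! this identity rule leaves LAN traffic to any private destination untranslated.
! It does the job of the "deny" lines in the router's INTERNET_PAT ACL; no ACL
! is involved on the ASA. The DHCP servers named by the router's ip helper-address
! lines must fall inside this set or DHCP relay over the VPN will be PATed.
nat (inside,outside) source static LAN_SUMMARY LAN_SUMMARY destination static RFC1918 RFC1918 no-proxy-arp route-lookup
!
! NAT section 2: everything else from the LAN is PATed across the public pool,
! the equivalent of the router's "ip nat pool ... overload".
object network LAN_SUMMARY
 nat (inside,outside) dynamic pat-pool PUBLIC_PAT_POOL round-robin
!
! Crypto ACL: only LAN <-> data centre traffic is interesting to the tunnel.
access-list VPN_TO_DC extended permit ip object LAN_SUMMARY object REMOTE_DC
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_WITH_STRONG_PSK
 ikev2 local-authentication pre-shared-key REPLACE_WITH_STRONG_PSK
!
crypto map OUTSIDE_MAP 10 match address VPN_TO_DC
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
!
! Management from the inside only: SSH v2 and ASDM over HTTPS, telnet left
! disabled. No inbound ACL is applied on outside; the default policy already
! drops connections initiated from the lower-security interface.
aaa authentication ssh console LOCAL
username admin password REPLACE_WITH_STRONG_PASSWORD privilege 15
ssh 10.246.0.0 255.255.240.0 inside
ssh version 2
http server enable
http 10.246.0.0 255.255.240.0 inside
```

The point of the two NAT sections is that the ASA needs no ACL to separate VPN traffic from Internet traffic: the identity rule is matched first, so the dynamic PAT rule only ever sees traffic bound for public addresses. After applying it, `show nat` should list the manual rule above the object rule, `show route` should show the /20 via the router, and `packet-tracer input inside udp 10.246.3.207 67 10.80.1.10 67` (a relayed DHCP packet to an assumed server address) should hit the identity rule and the VPN encryption phase rather than the PAT rule.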

I have more questions please.

  • For the ip nat inside / outside configured on the interfaces and sub-interfaces on the router, shall I remove them? For example, should the ip nat inside lines below be removed?

interface GigabitEthernet0/0.9
 description printers
 encapsulation dot1Q 9
 ip address 10.246.3.207 255.255.255.0
 ip helper-address 10.xx.0.2xx
 ip helper-address 10.xx.1x0.1xx
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.12
 description badge-reader
 encapsulation dot1Q 12
 ip address 10.246.12.207 255.255.255.0
 ip helper-address 10.xx.0.2xx
 ip helper-address 10.xx.1x0.1xx
 ip nat inside
 ip virtual-reassembly in

  • I didn't get the NAT solution: shall I remove it from the router and configure it on the ASA, or shall I keep it on the router?
  • Also, shall I do only a simple NAT configuration like this on the ASA?

    nat (any,outside) source dynamic any-ipv4 interface

This is my current NAT configuration on the router, and I need to know what to do exactly and which lines should be removed:

ip nat pool PUBLIC_POOL 1x6.2x4.80.2x2 1x6.2x4.80.2x3 netmask 255.255.255.248
ip nat inside source route-map INTERNET_TRAFFIC pool PUBLIC_POOL overload
ip route 0.0.0.0 0.0.0.0 172.19.1x8.x9

ip access-list extended INTERNET_PAT
 deny   ip 10.246.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.3.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.4.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.5.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.6.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.7.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.8.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.9.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.11.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.12.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.13.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.246.2.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.3.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.4.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.5.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.6.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.7.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.8.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.9.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.10.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.11.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.12.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.13.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.246.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.246.3.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.246.4.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.246.5.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.246.6.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.246.7.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.246.8.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.246.9.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.246.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.246.11.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.246.12.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.246.13.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.246.2.0 0.0.0.255 any
 permit ip 10.246.3.0 0.0.0.255 any
 permit ip 10.246.4.0 0.0.0.255 any
 permit ip 10.246.5.0 0.0.0.255 any
 permit ip 10.246.6.0 0.0.0.255 any
 permit ip 10.246.7.0 0.0.0.255 any
 permit ip 10.246.8.0 0.0.0.255 any
 permit ip 10.246.9.0 0.0.0.255 any
 permit ip 10.246.10.0 0.0.0.255 any
 permit ip 10.246.11.0 0.0.0.255 any
 permit ip 10.246.12.0 0.0.0.255 any
 permit ip 10.246.13.0 0.0.0.255 any
 permit ip 10.246.0.0 0.0.15.255 any

route-map INTERNET_TRAFFIC permit 10
 match ip address INTERNET_PAT
 match interface GigabitEthernet0/1.328

interface GigabitEthernet0/1.328
 description connected to PRIMARY_ISP
 encapsulation dot1Q 328
 ip address 172.1x.1x8.90 255.255.255.252 secondary
 ip address 1x6.2x4.80.2x1 255.255.255.248
 ip access-group BLOCK_SSH in
 ip flow ingress
 ip flow egress
 ip nat outside

  • You said: "On the router you should remove the configuration of vpn and do it on the ASA. Also remove the configuration of address translation from router and do it on ASA."

So I'll remove the VPN configurations and crypto ACL and add them on the ASA, but I didn't get which one to remove ("the configuration of address translation from router and do it on ASA"). Do you mean NAT?

- I'll do this on the ASA (static route and default static route), please confirm:

route outside 0.0.0.0 0.0.0.0 172.1x.1xx.89 1  (ISP router interface next-hop IP) - default static route to the ISP router
route inside 10.246.0.0 255.255.240.0 10.246.14.2xx 1  (static route to the inside private network)

amr alrazzaz

Yes you would remove the ip nat inside from the router interfaces. Also the ip nat outside. Also the other statements on the router that deal with address translation. It made good sense to do address translation on the router when the router was the connection to outside. Now that the ASA is the connection to outside, everything related to address translation should be removed from the router and corresponding changes added to the ASA.

The simple nat that you suggest on the ASA looks like it would work. But if you were using a pool of addresses on the router I wonder if you might want to do similar on the ASA.

These lines given in your post should be removed from the router config

ip nat pool PUBLIC_POOL 1x6.2x4.80.2x2 1x6.2x4.80.2x3 netmask 255.255.255.248

ip nat inside source route-map INTERNET_TRAFFIC pool PUBLIC_POOL overload

The access list that you use for nat/pat on the router should be removed

ip access-list extended INTERNET_PAT

and the route map that you use for address translation on the router should be removed

route-map INTERNET_TRAFFIC permit 10

The static default route that you show on the router should be changed so that the next hop is the inside interface address of the connected ASA.

ip route 0.0.0.0 0.0.0.0 172.19.1x8.x9

HTH

Rick
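The router-side cleanup Rick enumerates above, as an added IOS example that is not part of the thread. The pool, route-map and ACL names are the ones shown in the thread; everything else is an assumption: the ASA inside interface is 10.246.14.1 on a transit /24 that the router's former ISP-facing subinterface is readdressed into (the ISP handoff, its private /30 and the public /29, moves to the ASA outside interface), and the site-to-site VPN objects have names the thread never shows, so those removals are given as comments with placeholder names. VLAN subinterfaces, helper addresses and the guest ACL are deliberately left untouched, as agreed in the thread.

```cisco
! Added example, not from the thread. IOS changes on the 2911 once the ASA
! sits between it and the ISP. 10.246.14.x addresses are assumptions.
clear ip nat translation *
configure terminal
!
! 1. Stop translating on every interface that carried "ip nat inside"
!    (repeat for each VLAN subinterface; the two from the thread are shown).
interface GigabitEthernet0/0.9
 no ip nat inside
interface GigabitEthernet0/0.12
 no ip nat inside
!
! 2. The former ISP subinterface now faces the ASA: drop NAT and the SSH filter
!    (the ASA default policy already blocks SSH from outside) and move the link
!    into the transit subnet. "no ip address" clears the secondary address too.
interface GigabitEthernet0/1.328
 no ip nat outside
 no ip access-group BLOCK_SSH in
 no ip address
 ip address 10.246.14.2 255.255.255.0
!
! 3. Remove the translation policy itself, in dependency order.
!    Older IOS may insist on the full original "ip nat pool" line here.
no ip nat inside source route-map INTERNET_TRAFFIC pool PUBLIC_POOL overload
no ip nat pool PUBLIC_POOL
no route-map INTERNET_TRAFFIC
no ip access-list extended INTERNET_PAT
no ip access-list extended BLOCK_SSH
!
! 4. Default route now points at the ASA inside interface instead of the ISP.
no ip route 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0 10.246.14.1
!
! 5. The site-to-site VPN moves to the ASA. Names are placeholders; remove the
!    crypto map from the interface before the map, profile and crypto ACL:
!    interface GigabitEthernet0/1.328
!     no crypto map CRYPTO_MAP_NAME
!    no crypto map CRYPTO_MAP_NAME
!    no crypto ikev2 profile IKEV2_PROFILE_NAME
!    no ip access-list extended CRYPTO_ACL_NAME
end
!
! Verify: no translations remain, the default goes to the ASA, and the guest
! ACL is still applied to its VLAN subinterface.
show ip nat translations
show ip route 0.0.0.0
show ip access-lists
```

Keep `ip virtual-reassembly in` on the subinterfaces if IOS does not remove it with the NAT statements; it is harmless without NAT. The guest ACL and the `ip helper-address` lines are the only policy left on the router, so after the change the router's job is inter-VLAN routing plus DHCP relay, and every security boundary (NAT, VPN, outside-initiated access) lives on the ASA.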