ASA 5512-X Usage

I went through the CCNA Academy back in 2013, passed the certification test with a 947... so I was pretty solid on the knowledge. Unfortunately I haven't used those skills... really at all since then. Keep that in mind as you read: I'm rediscovering answers to my questions as I start to type them, others are just on the other side in the land of forgotten memories.

We are getting fiber installed at one of the networks I take care of. In anticipation of this, I had them purchase (what I thought was) a solid enterprise grade firewall/router, an ASA 5512-X. This was done through Techsoup, which gives an outstanding price for the equipment ($500).

At home, I had a 5505 (basic licensing) that I figured I would load up ASDM on (ya ya I know) to get the basic configuration down and knock the rust off my Cisco knowledge. Everything went great until I was testing site-to-site VPN connectivity. I was able to set the tunnels up just fine and get connectivity with the corporate network. Unfortunately, I couldn't ping corporate devices across the tunnel using their hostnames, but was able to ping by IP address just fine. After some research, I've discovered that ASA VPNs do not allow NetBIOS broadcasts over VPN tunnels... this is a requirement.

So a workaround that I've come up with is to use the existing router to handle the VPN tunnels and then place the ASA on the network to do the firewall work. I've researched and tested (with the 5505) a basic configuration of the ASA in transparent mode. The question I have is, where would I place the ASA: between the ISP and the router, or between the router and the rest of the internal network? My guess would be that it needs to be just inside the router. If that's the case, how is internal traffic to the outside handled by the ASA? Do I need to make rules for everything that the clients want to access, or does the ASA dynamically open ports for inside-originating traffic? Also, if the router is technically on the outside of the network, do I need to set up static routes to allow management access to the router from the inside?


Richard Burts
Hall of Fame

The ASA is very good at firewalling but while it does some routing it is not as strong at that function. So I would say that you did get an enterprise grade firewall and it can do some routing.

You have discovered one of the aspects of site to site VPN which is that it does not pass NetBIOS broadcasts. And that is true of most site to site VPNs and not just ASA VPNs. I am not convinced that it would work much better if you do the VPN on the router. Perhaps you can tell us a bit more about how you expect to configure VPN on the router that will pass NetBIOS broadcasts?

I have seen solutions that use a router and an ASA for an Internet connection. I have seen it done with the router outside of the ASA and I have seen it done with the router inside the ASA. At this point we do not know enough about the environment of that office to give you much advice about which would be better.

HTH

Rick 

What information would you like? Currently, each site accesses the internet from its own location due to the unstable ISP connection the area suffers from. They also all have their own servers so that the site can still function when the ISP connection drops out. The VPN connections facilitate intra-corporate traffic only. All the locations are relatively small at 50-100 users each, with the two sites that are getting 5512s being the larger ones. Currently, all sites have Cisco RV320 routers with site-to-site VPNs configured that do allow NetBIOS broadcasts. I've also worked with WatchGuard XTM 2 and 5 series appliances that also allowed for NetBIOS broadcasts, which is why I was so surprised to find out the ASAs don't allow for it.

I've got my test setup at home with the 5505 functioning in transparent mode, physically sitting between the router and the rest of the network. I've found it's not the greatest location in MY setup because the router is also the wireless LAN provider, so I had to make additional firewall statements to allow wireless hosts to communicate with wired hosts, which may end up being less secure than we'd want to see in a corporate configuration.

I'm basically looking for the best practices way of doing this without spending on a new router. This was all planned out and purchased months ago when the fiber contract was signed (construction is nearly done now). It's unfortunate that I didn't think to dig into the exact capabilities of its VPN capabilities beyond site-to-site. Chalk it up to experience, as long as it doesn't bite me in the butt.

I am surprised to learn that the RV320 does a site to site VPN that does forward NetBIOS broadcasts. In my experience NetBIOS broadcasts are not forwarded over layer 3 hops. And a site to site VPN is usually a layer 3 hop. Can you share anything with us about how the RV320 does this? What configuration does it use for this? (I will admit that I do not have much experience with the RV320 and might need to learn more about it.)

Are you currently doing any firewalling at the remote sites? If so what are you doing and are you assuming that the ASA will now provide those functions? I assume that the remote sites initiate traffic to the Internet which will need to be allowed by the new policies. But does the Internet initiate traffic to any device on the inside of the remote offices? If so that needs to be worked into the access policies of the firewall.

Most of my ASA experience is using it in routed mode, and perhaps someone in the forum with more experience in transparent mode might offer their perspective. In routed mode I would suggest putting the ASA outside of the router. This makes it easier to assign a management address and makes it easier to establish the basic security policy. It also allows the RV320 to continue to communicate with the inside devices as it has been doing, without any changes. I am not clear whether implementing transparent mode would change this advice and hope someone with more transparent mode experience will speak up.

HTH

Rick

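As an added illustration of the routed-mode placement Rick suggests (ASA between the ISP handoff and the RV320), here is an ASA 9.x configuration written for this thread; it is not taken from any of the posts. It assumes a constructed /30 transit link 10.255.255.0/30 between the ASA and the RV320, NAT turned off on the RV320 so only the ASA translates, and constructed addresses: ISP block 203.0.113.0/29, office LAN 192.168.10.0/24, one published web server at 192.168.10.10.

```cisco
! Routed mode is the ASA default, so there is no "firewall transparent" line.
! Outside faces the ISP handoff; inside faces the RV320 over the /30 transit link.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.255.255.1 255.255.255.252
!
! Routing: default toward the ISP; the office LAN is reached through the RV320.
! The RV320 in turn needs a default route to 10.255.255.1 (assumed, not shown here).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.10.0 255.255.255.0 10.255.255.2 1
!
! Outbound: PAT the office LAN behind the outside interface address.
! With no access-list applied to "inside", traffic from security-level 100 to 0
! is permitted, and stateful inspection admits the return packets of each
! session, so no per-application rules are needed for client-initiated traffic.
object network OFFICE-LAN
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound: one published service, static NAT plus an explicit permit.
! Post-8.3 ACLs reference the real (untranslated) address, hence "object WEB-SERVER".
object network WEB-SERVER
 host 192.168.10.10
 nat (inside,outside) static 203.0.113.3
!
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Management from the LAN and from the RV320's transit address only
! (username, aaa and RSA key setup for SSH not shown).
ssh 192.168.10.0 255.255.255.0 inside
ssh 10.255.255.0 255.255.255.252 inside
logging enable
logging buffered informational
```

In this layout the RV320 keeps its LAN address and its VPN tunnels unchanged; only its WAN side moves from the ISP onto the transit link.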

Admittedly, the RV320's configuration is GUI only, so enabling NetBIOS over IPsec VPN is just a check in the box, similarly configured in WatchGuard's Fireware OS and Zyxel's Zywall devices. The RV series and Zywall devices are in a different class than the ASA though, so that may have something to do with it. All the sites are utilizing the basic, built-in functions that the RV320 provides. I DO have some simple firewall statements blocking certain traffic, but that's about it. I'm assuming the ASA will take over firewall duties for the sites that it is installed on. All sites initiate and accept (designated) traffic directly from the internet.

From what I've read, operating in transparent mode creates a layer 2 firewall, though it's able to affect packets based on layer 3 information, which I haven't figured out how it manages if it's a layer 2 firewall.

If I place the ASA outside the router, assuming it's functioning in routing mode, wouldn't I then need to create a /30 network between the router and the ASA along with all the static routes? What about NAT: would I need to turn off NAT on the router or the ASA, or would everything function fine with double NATting? In transparent mode, I imagine I wouldn't be able to manage the device remotely, since the router SHOULD drop private network traffic before it's able to make it to the ASA.

We probably need to be careful about terminology as we talk about what layer the firewall is when it is operating in transparent mode. In transparent mode the ASA passes traffic between inside and outside much like a bridge or a switch. It is the same subnet on the inside and on the outside. Since it is not using any layer 3 information to forward frames we describe the ASA as a layer 2 device. But that does not mean that the ASA does not see or can not use the upper layer information for its security processing.

Your last paragraph seems to open the question of whether to operate the ASA in transparent mode or in routed mode. And I am not clear if that is really what you are proposing. In your original post you seemed pretty clear that you wanted to operate the ASA in transparent mode. Are you now re-evaluating the transparent mode vs routed mode options?

HTH

Rick 

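As an added example to go with the transparent-mode description above (written for this thread, not from any post in it): a minimal ASA 9.x transparent-mode configuration for the test layout the original poster described, with the ASA bridging between the RV320 and the LAN. All addresses are constructed: LAN 192.168.1.0/24, RV320 at 192.168.1.1, BVI management address 192.168.1.2, one server at 192.168.1.10.

```cisco
! Transparent mode bridges inside and outside onto one IP subnet; the ASA has
! no forwarding address of its own, only a management address on the BVI.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
! Management address only, in the same subnet as the LAN and the RV320.
interface BVI1
 ip address 192.168.1.2 255.255.255.0
!
! Needed only for traffic the ASA itself originates (syslog, NTP, AAA).
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Frames are bridged, but the ACL still matches on layer 3/4 fields: this is
! the upper-layer information used for security processing while the box
! forwards like a switch. Inside-to-outside (100 -> 0) is allowed by default
! and the return half of each session is admitted statefully.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Management only from the LAN side; hosts arriving via "outside" (including
! the router's own wireless clients) would need an "ssh ... outside" entry.
ssh 192.168.1.0 255.255.255.0 inside
logging enable
logging buffered informational
```

Because the BVI address sits in the LAN subnet, the router's NAT and routing are untouched; what changes is that anything crossing from the router side to the LAN side must pass the outside ACL, which is the extra rule work the original poster ran into with wireless hosts.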