cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4317
Views
70
Helpful
64
Replies

ASA5508-X Using Block Of Static IP’s

fbeye
Level 4
Level 4

So I have my configuration able to Ping from the Router itself (GBit 1/1 using a Static IP set for PPPoE) and I see GBit 1/2 is the LAN 192.168.1.1 but I am having a heck of a time removing the DHCP / Nat and being able to use, at random (to be specificed on the device) my Block Of Static IP’s. I currently have no running-config that differs from default aside from the WAN but I am going in circles. I am using my Cisco 891f (which is set the way I liked it) as a reference and with an open mind to the fact this is far more technical but I am just lost.

 

64 Replies 64

I feel like we are making good progress.

 

So let us talk about G1/2 and G1/3. What device will you use to manage the ASA? Where will it be connected and what will be its IP address? So far you have not talked about devices in your network other than the ones that have public IP address and will be connected to G1/3. Are there other devices?

 

If there are devices that will connect to G1/2 then I see the purpose of using that interface and it might as well be the management address for ASDM. But if there are not devices that connect to it then I do not see an advantage in configuring it and using it for ASDM. You could just as easily use G1/3.

 

As far as DHCP is concerned, I agree that it is possible to configure DHCP on the ASA and to let DHCP assign the IP addresses. But making sure that the right machine is assigned the right IP address adds complexity to the config. And I do not see much advantage in doing that. I believe that in most cases simpler is better.

 

I do agree that using a spare machine to test is a good idea.

 

HTH

 

Rick

HTH

Rick

My only intentions for the 1/2 was to use it for ASDM Configuration via my Laptop because straight out of the Box 1/2 is for that management purpose, so I have left it. There is no other reason. The only device on that Interface is my Laptop which sits next to the router. This can be changed, I just kept it as is due to its configuration as such.

 

You are right. I have spent so much time on the "can I do this" that it has evolved into us actually planning it without a proposal on what I need. So, I have done an elementary drawing of how my system is currently set up on the 891 but should have no difference on the 5508 in its simplest form.

 

Along with the picture I will include I will also write out my intentions.

Of my 5 Static IP's, I will only be using 4 of them (5 if we use the 5th for testing purposes).

 

x.x.121.177 is for my Home WiFi Router which itself hands out 192.168.0.x IP's

x.x.121.178 is Unused (for testing)

x.x.121.179 is a Web Server only with its own Domain and Internal SSH

x.x.121.180 is an Email Server only with SSH

x.x.121.181 is a Web Server only with its own Domain and Internal SSH

 

No other devices will be connected to any other interfaces for any reason. If any new devices are connected they will most likely be off of the .177 WiFi for home use.

 

5508-X;

 

1/1 - (outside) - PPPoE WAN

1/2 - (inside) - Management for ASDM

1/3 - (block) - Unmanaged Switch - Each Device using a 192.168.2.x IP using NAT to its Public Address.

 

 

Thank you for the drawing and for the additional explanation. They are helpful. I find that it is frequently beneficial to verbalize what the requirements/expectations are for a project. So I appreciate your doing that here. It contains two things that I had not known about and here are my comments about them.

 

I had not known about the laptop. My suggestion about not using G1/2 was based on not knowing that anything was really using it. If the laptop is connected there it is perfectly fine to leave it there and to use it for ASDM management.

 

You had mentioned wireless but I had not given it much thought. So now I have a question about it. Do the devices connected via wireless need Internet access? If so there needs to be address translation for them. Does your wireless router do this address translation? If so then the ASA does not need to be involved. If the wireless router does not provide the address translation then the ASA will need to have a dynamic nat configured for those addresses.

 

That raises a similar question about your laptop connected to G1/2. Does it need Internet access? If so then the ASA needs a dynamic nat for that subnet/host address.

 

Another question is whether the laptop on G1/2 has any need to access the devices connected to G1/3? This brings up the subject of security levels on interfaces. The ASA requires that you specify a security level on interfaces that will carry traffic. And the ASA uses that security level in determining what traffic is allowed. Traffic from a higher level interface to a lower level interface is always allowed (and responses to that traffic are allowed). Traffic from a lower level interface to a higher level interface is not allowed unless specifically configured. The usual practice for ASA is to use security level 100 for inside interface and security level 0 for the outside interface. I suggest that you use those levels. That way anything from your devices inside will always be permitted to get outside and responses from outside are permitted. It does mean that for the Internet devices to access your web servers and mail server that you will need an access list on the outside interface permitting this traffic.

 

There is also a question about what security level to specify on your management interface G1/2. If your laptop will need to access the devices on the inside network then I suggest that you specify the security level for G1/2 to be zero - and you also will need to allow same security level inter interface. If the management interface does not need to access the inside network then you can use any level between 0 and 100.

 

HTH

 

Rick

HTH

Rick

Alright so here is how it is set up. I only compare anything to the 891f not in assuming it has to continue to be this way but that it is how currently it is and how I only know how it to be.

If you look back to my original post and I pasted my 891 config, it shows this for my .177 IP (the WiFi)

Inside-To-Outside 

permit ip host 207.108.121.177 any

Outside-To-Inside 

permit icmp any host 207.108.121.177

My TPLink WiFi did indeed do all of its Routing and Translation.. I just assume let the TPLink do what it’s gonna do and just give that .177 IP either same same access as before or some sort of DMZ thing? 

 

As as far as the Laptop connected to 1/2 and needing Internet access. No, 1/2 does not need Internet but only ASDM access. I do connect my Laptop to my TPLink when I do want  it on the Net....

 

In regards to 1/2 needing to talk to anything 1/3, I do not think so because when I need to use 1/2 it will simply be my laptop plugged into it.

They only “internal” communication would be the 3 Linux Computers being able to SHH to each other and then the 3 Linux Computers talking to .177 as I have an NAS Connected to it and I mount the NAS as a Network Drive, which I have currently. I believe I have an ip route on my TPLink to my 891 and from my 891 to the DHCP IP Subnet through my .177. It should also be seen in the config I posted, if that helps. 

‘This is all home use so there’s no security in the sense of internal prying eyes. Ideally...... I guess we can saying anyone internal can access anyone internal and anyone internal can access the Internet (referring to 1/3) but only Incoming from Outside we’d specify what ports to what ip per which service (I.e email will only allow 993, smtp and ssh from outside Interface).

 

As far as security levels go, I understand the concept I just don’t know what’s practical. I understand the pyramid of HIGH  can access low but low to HIGH needs permissions. At the end of the day my only true security concerns would be safety for my email and web servers and then safety for my .177 as to not being DDoS and the likes. Really I’d be happy to close everything except the ports I need and I actually think my Linux machines, all 3, can maybe be on 1/3 and have a similar series of protection and maybe do a 1/4 for my .177 because it is for home.. we are talking Netflix, Gaming, all sorts of streaming, voice/video chat. Just a lot more going on than the simply 2-3 Ports each on the Linux machines..

Forgive my ignorance but maybe make 1/4 a DMZ style and give full access to that 1 IP/ Interface and let my TPLink do its protection? It is a high end business class TPLink. 

 

I Hope I am not beginning to complicate this. 

Thanks for the explanation about TPLink. It is good to know that it does route and translate addresses for the devices connected using wireless. That is one less thing to need to do on the ASA.

 

What to do with TPLink on the ASA is an interesting question. As I see it you have two choices. You can use the connection for TPLink on the ASA in the same way that it was on the 891. It will be in the same vlan/same subnet as the other devices. Basically the 891 had an outside network and an inside network. Any device on the inside network can communicate directly with any other device on the inside network without going through the router. You could do the same thing on the ASA. But the ASA has an option you can use that was not possible on the 891. You can separate the TPLink and the devices connected through it from the outward facing servers. Essentially you could have an outside, and inside, and a middle (which many people would call DMZ). Since this is a home network you might think that this is over kill. And if so having the TPLink connected with the servers would be fine.

 

Before I hit send I re-read your post and noticed the mention of having NAS accessible through TPLink. I believe that this makes the option of leaving TPLink connected in the same vlan/same subnet as the servers better. But I left the discussion about separation in my response in case that was interesting.

 

So for security levels use 0 for outside, 100 for inside, and some value in between for ASDM.

 

HTH

 

Rick

HTH

Rick

I agree about what you say about keeping the TPLink on the same Interface as the rest of the Network so simplicity sake. And because it seems to be a proven way...

 

I only mentioned 1/4 because I know nothing about NAT and was thinking that the 3 Linux Machines have pretty much all port access in common except the SMTP and 993 so I was not sure if it'd be easier to NAT groups to use same Ports or if it even works that way and having the TPLink Sperate and allow full access but allow the TPLink to chose what opens/closes. But as you say, let us keep it simple and as is. . I definitely know we would use NAT not PAT but then I am wondering would it be Auto NAT over Manual NAT? I was assuming Auto.

Anyway, back on track, as far as overkill and using a DMZ I would be completely open to the experience.

But I still agree the same vlan/subnet would be just as secure and easier to monitor/control.

I also completely understand the 0 security vs. 100 security and how data only flows higher to lower unless it has permissions but as far as what security to give the ASDM between the 2 is something I can not even fathom. What would 15 be vs. 55? If outside is 0 and inside is 100 and  ASDM is only to configure settings but also be secure, 99?

 

I will mention something about the NAS. For personal reasons, as we all have, I run all of my machines on VPN's but I use software tunnel based VPN's that if disconnect, completely shut down my internet access in and out (on the machine using the VPN). I would #1 love to utilize a Cisco Wireless Router if they had such a thing {integrated inside the 5508} but being they don't I unfortunately have to use a 3rd party Router for HOME. Also I would absolutely love to have the NAS off of the TPLink and use it's own Static IP but unfortunately my VPN service only uses OpenVPN which Cisco does not partake... So I just set it on my TPLink and it is all good. Just wanted to mention the NAS scenario.

As far as the security level for the interface for ASDM is concerned it is an arbitrary choice. There is no real difference between 15 or 55 (or 99). The thing that matters is what interfaces are higher level and what interfaces are lower level (and are there any interfaces at the same level). You are required to specify a security level for each interface. So pick some number - it wont make a real difference what you pick.

 

I appreciate the explanation about your NAS.

 

HTH

 

Rick

HTH

Rick

Well I suppose I will just leave it at (or make it when I enact in all of this) at 100 in case for whatever reason I do need to cross traffic from 1/2 and 1/3.

 

Trying to do some reading  on NAT because although you did give me an idea about it I am still on the unconfident side of how to implement. Do I make class groups etc as a whole or do I just make simple NAT; This external ip translates to this internal ip opening this port.. Do I need to make a NAT per port per ip so like my Linux Email have 3 NAT’s for ssh, smtp and 993 or can I combine multiple Ports into 1 NAT. And being that 2 Linux machines will have both web server and ssh, would I make a group of Ports and then with NAT reference those ips to those groups. This is stuff as well that I am trying to read up on.

I feel for me, if possible, I’d like to create 1 NAT rule per ip per port... Just so I can see on a grand scale how  all operates and in the future I can categorize them. I think my 89q was this way as I opened up each port individually per ip. 

Here is a link about address translation that specifies port numbers that I hope you will find helpful.

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html?dtid=osscdc000283#anc10

 

HTH

 

Rick

HTH

Rick

Fantastic, thank you so much.

 

I will give all this a shot tonight or possibly tomorrow but here is recap.

 

1/1 (outside) PPPoEw/ .182 Gateway Security 0  

1/2 (inside) ASDM Security 100

1/3 (block) set Static 192.168.2.1 connected to unmanaged switch Security 100

 

Do not set up a DHCP Pool but statically set each device to its corresponding 192.168.2.x address 

Using that link you sent me, which is so simplified it’s crazy, I set up NAT Rules as intended.

 

I will begin with my spare PC just for incoming SHH and outgoing Web Access.

 

This then raises 2 questions. On either my 1/1 or 1/3 do I need to set any sort of static ip route? Will my (block (let’s say 1/3 as a whole)) even touch my (outside) Interface without a static ip route or will NAT redirect it?

The second question is by using NAT in this format, is this also “security” or do I also need to make rules similar to my ZONE setup on my 891.

In answer to your first question - your ASA will need a default route to be able to access the Internet and to forward traffic from inside/block to the Internet. It may be that in the negotiation of pppoe the ASA will learn a default route. If the ASA does not learn a default route in the negotiation then you will need to configure a default route.

 

In answer to your second question - the rules that you created on your 891 for zones are pretty much built into the security level processing of the ASA. One thing I will point out is that for traffic from the Internet arriving on outside (level 0) and going to block (level 100) you will need to configure and apply an access list for the outside interface that permits this traffic. The article mentions this, but I am disappointed to notice that it does not include this in its examples.

 

I will also make the point that for inside (level 100) and block (level 100) to communicate that you will need to specify same security inter interface.

 

HTH

 

Rick

HTH

Rick

I am not really seeing where it deal with an access list on my scenario.

 

I see completely where I will use Port Redirection (Forwarding) with Static but will I also need to utilize Allow Untrusted Hosts Access to Hosts on Your Trusted Network? Or are they one in the same expect a different approach.

 

I do have a selection on my 1/1 setup where it does select to use pppoe to create an ip route. That is fine, I can ping the world with my "outside" but do I somehow need to tell 1/3 to use that path as well or will it know it by default?

I ask because unless [due to] me not setting up an access list I was not able to get 1/3 to ping .182. BUT my PC could Ping 192.168.2.1 (the 1/3 Gateway). Being that 1/3 is 100 and 1/1 is 0 I assume it is not a permission think so I came to conclusion it needs to have an ip route. I was messing with the IP Route stuff but kept getting an error about the Gateway address .x.x.121.182 already being used.

Of course I only did enable Port 80. I did not enable DNS or ICMP or anything... But I would still say that regardless of anything I would be able to Ping the Router Gateway unless I did not have an IP Route.

 

20 minutes later I was thinking... NAT, though a security in itself as you are listing onlyu the ports of what IP goes where, is not necessarily the "access". I mean, Just because 192.168.2.178 goes to x.x.121.178 does not mean it can unless I permit it using ACL's? So its a 2 step thing? Or am I geting ahead of myself?

 

Where does AAA come into play.. Is this a series of protocols kinda of phasing out?

Also, unless I read it wrong. I do not want .182 to be Negotiated OUTSIDE and to be used Inside. .182 sole purpose is my Gateway IP from my ISP which allows me to use .177-.181 and have no intention of using aside from being the OUTSIDE / Wan/ Router IP. . I only want .177-181 to be used Inside. Wanted to clarify that...

I tried to explain it before but it seems not clearly to you. So let me try explaining it in a different way. First let us be clear that this is sort of a two step thing. First we need to configure the static nat. This will associate the outside public address (perhaps the x.x.121.180 address) with the private inside address (192.168.2.180). When this is done then when the ASA receives an IP packet from the Internet with destination address of x.x.121.180 it will know to forward it to 192.168.2.180. Now that the nat is done think about what will happen when some Internet device sends an IP packet to x.x.121.180. The ASA knows that it is trying to go to 192.168.2.180. But we have a packet from a low security level trying to go to a high security level and that is not permitted. That is where the access list comes in. You configure an access list and apply it to the outside interface that permits packets from any Internet source to 192.168.2.180 (and perhaps you specify the tcp port numbers in the access list to allow only the desired protocols).

 

So you need both the static nat and the access list for this to work.

 

HTH

 

Rick

HTH

Rick

After I posted my response about needing both static nat and access list I see that you also asked a question about default route.  If you have set up pppoe to learn a route and are able to ping 8.8.8.8 etc then your ASA is learning a default route. You can confirm that using the show route command. You do not need to do anything on either 1/2 or 1/3 about using the default route. Once the ASA has learned a default route then it will use it for all of its interfaces.

 

HTH

 

Rick

HTH

Rick
Review Cisco Networking for a $25 gift card