Cisco ASA5505 for internet access

haughjd
Level 1

Hi, quick question:

I have an office in Jacksonville FL, with a connection to the UK. At present the office is using an old Proxy server in the UK for internet access. Works but it is not fast. With an Internet line installed in the office, could I install a Cisco ASA, such as the "ASA5505-BUN-K9"

(Cisco ASA 5505 10-User Bundle includes 8-port Fast Ethernet switch, 10 IPsec VPN peers, 2 Premium VPN peers, Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) license)

If I set this up so that the ASA is the default GW for all PCs on the local subnet, could I set this up with a little NAT and give internet access to all the PCs? I believe that the ASA should do NAT, so that I can translate 20 or so PC IP addresses to my public address.

Now my problem is trying to work out which model might be best. This one talks about a 10-user bundle, is that for my 10 PCs on the LAN, so if I wanted 11 PCs all accessing the internet at the same time, I'd have a problem. In that case should I be looking for the 25-user version / unlimited? Just want to be sure I'm going for the right model.

Thanks for reading.

Jon

5 Replies

Reza Sharifi
Hall of Fame

Hi Jon,

It is not very common to connect the end devices directly to the firewall and as you already know with limited ports, there is really no room for expansion.  A better way to do this is to put a small switch (2960 series or 3560 series) and connect the end devices to it and then uplink the switch to the firewall.

Also, you need to know what type of Internet will be installed in your office.  If they are giving a T1 interface, you cannot connect that to the firewall, you would need a router with a T1 card to terminate the connection.

In this case, it would be the router, the firewall and a switch. If the Internet provider is giving you an Ethernet connection, then you could connect that to the firewall without the need for a router.

HTH

I already have several switches on the LAN, just wanted to connect one port of the ASA to the LAN switch, and the other to a segment on the internet (my internet switch). This is an Ethernet segment, managed by another Cisco router.

What I want, what I need, is some way I can, by using perhaps NAT, give 10+ users on 192.168.xxx.xxx access to the internet. Will an ASA firewall on both the LAN and the Internet do this? And if so, what do I need to know about user licensing?

If Cisco isn't the best way to give a small office network access to the internet, then perhaps I should keep hold of my Novell Border Manager server.

Thanks Jon

Hi Jon,

Yeah that sounds fine. I'm not sure if this bundle is what you want, the licensing is sold in 10, 50 and UL bundles. I'm not aware of a solution where you can buy 2 x 10 user licenses and get 20 users, I think you have to buy a 50 user option if you need more than 10 IPs to access the internet. Obviously if you expect growth, get the UL version of the bundle. That way you don't need to worry about any user limit. It looks like you take most of the price hit in going from 10 users to 50 anyway. But you know better what size will suit.

From Cisco:

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.

I've been reading about the:

ASA5505-BUN-K9

Looks to be a good value firewall. But could I use this connected to the LAN and the Internet to provide internet access to ALL users on the LAN to the Internet? I realise I'd have to use some kind of NAT and some stateful https(s) filters. Just worried about the licensing on the firewall. As it looks to come in various flavours, such as 10, 25, 50 and UL (unlimited), does this apply to internal users going out to the internet or external users who may want to VPN back in? Or both?

Sorry if I sound confused.

Presently we have many sites all with an internet connection. The majority of these sites do not access the internet locally. They do so via a Border Manager proxy at a main site. What I want/need to do is decommission the BM proxy (old servers). Then give all the sites their own 'internet gateway' locally, thus improving internet speed/access for all sites. This should also remove traffic from the larger sites, as the small sites no longer go through them for the net.

Jon

Hi John,

The ASA5505 is enough for facing an internet connection (make sure the provider's internet line hands off with Ethernet RJ45 so that you can connect directly to the ASA5505).

Yes, you need to configure NAT on the ASA firewall for your LAN networks, say 192.168.2.0/24.

For the licensing part please refer to the link below.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1056883

Please rate the helpful posts.
Regards,
Naidu.
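
An added example, not part of the thread or of Cisco's documentation: a minimal ASA 5505 routed-mode configuration with PAT for the 192.168.2.0/24 LAN mentioned above, in the pre-8.3 syntax used by the ASA 7.2 guide linked in the reply. The outside addresses (203.0.113.0/24), the inside gateway address and the port-to-VLAN assignment are assumed placeholders.

```cisco
! Constructed example. Every address except 192.168.2.0/24 is a placeholder.
!
! Inside LAN. Hosts here count toward the licensed host limit only when
! they communicate with the interface that holds the default route.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Internet-facing VLAN. Security level 0 is the least trusted.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Ethernet0/0 uplinks to the Internet segment.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
! Ethernet0/1 uplinks to the existing LAN switch.
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
! PAT: translate the whole inside subnet to the outside interface address.
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
!
! Default route. The interface it points out of is the one treated as
! the Internet interface for host counting.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Verification, run from privileged EXEC mode:
!   show local-host   (current host count against the licensed limit)
!   show xlate        (active translations)
```

With no access list applied to the outside interface, connections initiated from the Internet are dropped, while inside hosts can open outbound connections through the PAT address.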
