09-12-2011 12:19 PM - edited 03-07-2019 02:10 AM
Hi Quick Question:
I have an office in Jacksonville FL, with a connection to the UK. At present the office is using an old proxy server in the UK for internet access. It works, but it is not fast. With an Internet line installed in the office, could I install a Cisco ASA, such as the "ASA5505-BUN-K9"
(Cisco ASA 5505 10-User Bundle includes 8-port Fast Ethernet switch, 10 IPsec VPN peers, 2 Premium VPN peers, Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) license)
If I set this up so that the ASA is the default GW for all PCs on the local subnet, could I set this up with a little NAT and give internet access to all the PCs? I believe that the ASA should do NAT, so that I can translate 20 or so PC IP addresses to my public address.
Now my problem is trying to work out which model might be best. This one talks about a 10-user bundle. Is that for my 10 PCs on the LAN, so if I wanted 11 PCs all accessing the internet at the same time, I'd have a problem? In that case should I be looking for the 25-user version / unlimited? Just want to be sure I'm going for the right model.
Thanks for reading.
Jon
09-12-2011 12:41 PM
Hi Jon,
It is not very common to connect the end devices directly to the firewall and as you already know with limited ports, there is really no room for expansion. A better way to do this is to put a small switch (2960 series or 3560 series) and connect the end devices to it and then uplink the switch to the firewall.
Also, you need to know what type of Internet will be installed in your office. If they are giving a T1 interface, you cannot connect that to the firewall, you would need a router with a T1 card to terminate the connection.
In this case, it would be the router, the firewall and a switch. If the Internet provider is giving you an Ethernet connection, then you could connect that to the firewall without the need for a router.
HTH
09-12-2011 12:54 PM
I already have several switches on the LAN, just wanted to connect one port of the ASA to the LAN switch, and the other to a segment on the internet (my internet switch). This is an Ethernet segment, managed by another Cisco router.
What I want, what I need, is some way, perhaps by using NAT, to give 10+ users on 192.168.xxx.xxx access to the internet. Will an ASA firewall on both the LAN and the Internet do this? And if so, what do I need to know about user licensing?
If Cisco isn't the best way to give a small office network access to the internet, then perhaps I should keep hold of my Novell Border Manager server.
Thanks Jon
09-12-2011 06:13 PM
Hi Jon,
Yeah, that sounds fine. I'm not sure if this bundle is what you want; the licensing is sold in 10, 50 and UL bundles. I'm not aware of a solution where you can buy 2 x 10 user licenses and get 20 users; I think you have to buy a 50 user option if you need more than 10 IPs to access the internet. Obviously if you expect growth, get the UL version of the bundle. That way you don't need to worry about any user limit. It looks like you take most of the price hit in going from 10 users to 50 anyway. But you know better what size will suit.
From Cisco:
In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.
09-13-2011 12:01 AM
I've been reading about the:
ASA5505-BUN-K9
Sorry if I sound confused.
09-13-2011 12:24 AM
Hi Jon,
The ASA5505 is enough for facing the internet connection (make sure the provider's internet line hands off with Ethernet RJ45 so that you can connect directly to the ASA5505).
Yes, you need to configure NAT on the ASA firewall for your LAN networks, say 192.168.2.0/24.
For the licensing part, please refer to the link below.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1056883
Please rate the helpful posts.
Regards,
Naidu.
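The NAT setup discussed in this thread, as an added example that is not part of any poster's reply: a minimal ASA 5505 configuration that hides the 192.168.2.0/24 LAN behind the outside interface address with dynamic PAT. The inside address 192.168.2.1, the 203.0.113.x public addresses (documentation range) and the object name INSIDE-LAN are assumptions made for illustration.

```cisco
! Added example, not from the thread. Addresses and object name are assumed.
! ASA 5505 ports are switch ports; Layer 3 settings live on VLAN interfaces.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Ethernet0/0 faces the ISP hand-off; the other ports stay in VLAN 1
! and uplink to the existing LAN switch.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
! The interface holding the default route is treated as the Internet
! interface, so only inside hosts that talk to it count toward the
! licensed host limit.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Dynamic PAT, ASA software 8.3 and later:
object network INSIDE-LAN
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Equivalent on ASA software 8.2 and earlier (use instead of the object above):
! nat (inside) 1 192.168.2.0 255.255.255.0
! global (outside) 1 interface
!
! Verification from privileged EXEC mode:
!  show local-host   current host count against the licensed host limit
!  show xlate        active translations for inside hosts
```

With this in place, outbound traffic from the higher-security inside interface is permitted by default and unsolicited inbound traffic from outside is dropped unless an access list explicitly allows it.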