Establish temporary network for contractor

shahulhameed
Level 3

Dear Friends

 

My company wants to provide some services to a new contractor. The contractor is building a temporary office and has an ASA firewall and a C3850 PoE switch.

I have configured the following in my CORE:

router rip
 version 2
 redistribute static route-map dist-static
 network 10.0.0.0
 no auto-summary
!
ip classless
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.50.5.2 (My firewall)
ip route 192.168.180.0 255.255.255.0 10.50.5.2 (My firewall)
!

 

I want to allow the contractor, whose IP ranges are 172.25.50.0 and 172.25.51.0, to access only my Call Manager (10.50.10.10, 10.50.10.11 & 10.50.10.12) and one server (10.50.15.15).

Please advise what the best-practice design is from a security perspective, and share some sample configuration.

Note - I have attached the design.


6 Replies

pieterh
VIP

I guess you have no authority over the contractor's firewall!

So if security is your objective, then I would suggest a DMZ-2 on your firewall and attach the contractor there.

Then your firewall controls the contractor's access to the call manager and to the internet.

The contractor will hand over the firewall to me. There is no option, and management also wants to connect from my CORE, not from the firewall.

What commands do I need to apply in the CORE for the route and ACL?

If you have control over the firewall, then use this for the access control.

In the core your only change will be

 ip route 172.25.50.0 255.255.255.0 10.50.5.x (contractor firewall)
 ip route 172.25.51.0 255.255.255.0 10.50.5.x (contractor firewall)

or you can reduce this to a single route statement like

 ip route 172.25.0.0 255.255.0.0 10.50.5.x

What about the access list? Is the following OK?

access-list 100 permit ip 172.25.0.0 0.0.255.255 10.50.10.0 0.0.0.255
access-list 100 deny ip any any
inte gi 2/5/1
 ip access-group 100 in

Are the above commands OK?

inte gi 2/5/1

That does not sound like you are using the firewall here?

It looks more like a port on the core switch.

1) No need for that if you control the firewall.
    The ASA has more control; I would suggest using the ASDM GUI instead of the CLI.
    -> only control access using the ASA

2) No (real) need for an extra firewall if you put the right access-list on your port.
    You still need to configure the firewall even with an access-list on Gi2/5/1.

Hi there, thank you for finding my remark useful.

I've been looking once more at your proposed design.

You only asked how the contractor can reach the call manager.

But I guess the contractor's IP phones will need to call your company's phones?
Then be aware that the voice data stream (RTP) flows between the phones directly.

So in the ASA you'll need to allow RTP data between the networks for all addresses, not only the call manager.
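To make the ACL discussion above concrete, here is an added example (my own code, not from this thread or from Cisco): a small evaluator for IOS-style numbered extended ACLs, run over the ACL proposed in the question and over a tightened version that permits only the four hosts named there, with the two contractor /24s summarised as 172.25.50.0/23. It assumes contiguous wildcard masks, ignores ports, and treats 10.50.20.x as a constructed internal phone subnet used only to show that neither ACL covers phone-to-phone RTP, the caveat in the last reply.

```python
import ipaddress

# Constructed ACL texts. ACL_POSTED is the one proposed in the thread (syntax
# normalised); ACL_TIGHT is my suggested tightening: both contractor /24s
# summarised as 172.25.50.0/23, and only the four hosts named in the question.
ACL_POSTED = """
access-list 100 permit ip 172.25.0.0 0.0.255.255 10.50.10.0 0.0.0.255
access-list 100 deny ip any any
"""
ACL_TIGHT = """
access-list 100 permit ip 172.25.50.0 0.0.1.255 host 10.50.10.10
access-list 100 permit ip 172.25.50.0 0.0.1.255 host 10.50.10.11
access-list 100 permit ip 172.25.50.0 0.0.1.255 host 10.50.10.12
access-list 100 permit ip 172.25.50.0 0.0.1.255 host 10.50.15.15
access-list 100 deny ip any any
"""

def _parse_addr(tok, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # A wildcard mask is an inverted netmask; assumes contiguous wildcard bits.
    prefix = 32 - int(ipaddress.ip_address(tok[i + 1])).bit_length()
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2

def parse_acl(text):
    """Turn numbered extended ACL lines into (permit, proto, src_net, dst_net)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        rules.append((tok[2] == "permit", tok[3], src, dst))
    return rules

def acl_permits(rules, src, dst, proto="ip"):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, p, snet, dnet in rules:
        if p in ("ip", proto) and s in snet and d in dnet:
            return permit
    return False
```

Calling `acl_permits(parse_acl(ACL_POSTED), "172.25.50.7", "10.50.10.99")` returns True, i.e. the posted ACL opens the whole 10.50.10.0/24 (and every 172.25.x.x source) while still blocking the 10.50.15.15 server; the tightened ACL reverses both results.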
