10-13-2016 12:25 AM - edited 03-08-2019 07:47 AM
Dear Friends
My company wants to provide some services for a new contractor. The contractor is building a temporary office, and they have an ASA firewall and a C3850 PoE switch.
I have configured the following in my CORE.
router rip
version 2
redistribute static route-map dist-static
network 10.0.0.0
no auto-summary
!
ip classless
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.50.5.2 (My firewall)
ip route 192.168.180.0 255.255.255.0 10.50.5.2 (My firewall)
!
I want to allow the contractor, which uses the IP ranges 172.25.50.0 and 172.25.51.0, to access only my Call Manager (10.50.10.10, 10.50.10.11 & 10.50.10.12) and a server (10.50.15.15).
Please advise what the best-practice design is from a security perspective. Also, please share some sample configuration.
Note - I have attached the design.
10-13-2016 04:01 AM
I guess you have no authority over the contractor's firewall!
So if security is your objective, then I would suggest a DMZ-2 on your firewall and attach the contractor there.
Then your firewall controls the contractor's access to the Call Manager and to the internet.
10-13-2016 04:11 AM
The contractor will hand over the firewall to me. There is no other option, and management also wants to connect from my CORE, not from the firewall.
What commands need to be applied in the CORE for the route and ACL?
10-13-2016 04:28 AM
If you have control over the firewall, then use it for the access control.
In the core your only change will be:
ip route 172.25.50.0 255.255.255.0 10.50.5.x (contractor firewall)
ip route 172.25.51.0 255.255.255.0 10.50.5.x (contractor firewall)
Or you can reduce this to a single route statement like:
ip route 172.25.0.0 255.255.0.0 10.50.5.x
10-13-2016 04:46 AM
What about the access list? Is the following OK?
access-list 100 permit ip 172.25.0.0 0.0.255.255 10.50.10.0 0.0.0.255
access-list 100 deny ip any any
interface GigabitEthernet2/5/1
 ip access-group 100 in
Are the above commands OK?
10-13-2016 05:34 AM
inte gi 2/5/1
It does not sound like you are using the firewall here?
It looks more like a port on the core switch.
1) No need for that if you control the firewall.
The ASA has more control; I would suggest using the ASDM GUI instead of the CLI.
-> Only control access using the ASA.
2) No (real) need for an extra firewall if you put the right access-list on your port.
You still need to configure the firewall even with an access-list on Gi2/5/1.
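Added example of the "right access-list on your port" option (this is not configuration from the thread): a named extended ACL on the core switch that lets only the two contractor /24s named in the question reach the three Call Manager hosts and the one server, and drops and logs everything else. The interface GigabitEthernet2/5/1 and the next hop 10.50.5.x are taken from the thread; 10.50.5.x is a placeholder for the contractor ASA's outside address, and the ACL name CONTRACTOR-IN is an assumption.

```cisco
! Added example, not from the thread. Assumes Gi2/5/1 is the port facing the
! contractor ASA and 10.50.5.x (placeholder) is that ASA's outside address.
!
! Wildcard masks (0.0.0.255), not subnet masks, are used inside IOS ACLs.
ip access-list extended CONTRACTOR-IN
 remark Contractor ranges to the Call Manager cluster only
 permit ip 172.25.50.0 0.0.0.255 host 10.50.10.10
 permit ip 172.25.50.0 0.0.0.255 host 10.50.10.11
 permit ip 172.25.50.0 0.0.0.255 host 10.50.10.12
 permit ip 172.25.51.0 0.0.0.255 host 10.50.10.10
 permit ip 172.25.51.0 0.0.0.255 host 10.50.10.11
 permit ip 172.25.51.0 0.0.0.255 host 10.50.10.12
 remark Contractor ranges to the single application server
 permit ip 172.25.50.0 0.0.0.255 host 10.50.15.15
 permit ip 172.25.51.0 0.0.0.255 host 10.50.15.15
 remark Everything else from the contractor side is dropped and logged
 deny   ip any any log
!
! Apply inbound on the contractor-facing port. Return traffic from the
! Call Manager leaves this port outbound, so no second ACL is needed here.
interface GigabitEthernet2/5/1
 description Uplink to contractor ASA (outside)
 ip access-group CONTRACTOR-IN in
!
! Static routes take a subnet mask, not a wildcard mask.
ip route 172.25.50.0 255.255.255.0 10.50.5.x
ip route 172.25.51.0 255.255.255.0 10.50.5.x
```

After applying it, `show ip access-lists CONTRACTOR-IN` shows per-entry hit counts, so you can confirm that contractor traffic is matching the permit lines and see what the final `deny ... log` entry is catching before tightening further.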
10-14-2016 03:08 AM
Hi there, thank you for finding my remark useful.
I've been looking once more at your proposed design.
You only asked how the contractor can reach the Call Manager.
But I guess the contractor's IP phones will need to call your company's phones?
Then be aware that the voice data stream (RTP) flows between the phones directly.
So in the ASA you'll need to allow RTP data between the networks for all addresses, not only the Call Manager.
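Added example for the ASA side described in this reply (not configuration from the thread): an inside-interface ACL on the contractor ASA that permits call signalling only to the Call Manager hosts, permits RTP media between the contractor phone ranges and the company phone range, permits the single server, and denies the rest. The Call Manager and server addresses and the contractor ranges come from the thread; the interface name "inside", the company phone range 10.50.20.0/24, and the object-group names are assumptions. The signalling ports (SCCP 2000, SIP 5060/5061) and the media range UDP 16384-32767 are the defaults used by Cisco IP phones.

```cisco
! Added example, not from the thread. Interface "inside" faces the contractor
! office; 10.50.20.0/24 is an ASSUMED range for the company's own phones.
object-group network CONTRACTOR-LAN
 network-object 172.25.50.0 255.255.255.0
 network-object 172.25.51.0 255.255.255.0
object-group network CALL-MANAGERS
 network-object host 10.50.10.10
 network-object host 10.50.10.11
 network-object host 10.50.10.12
object-group network COMPANY-PHONES
 network-object 10.50.20.0 255.255.255.0
!
! Phone-to-Call-Manager signalling: SCCP (2000) and SIP (5060 / 5061 TLS)
object-group service VOICE-SIGNALING
 service-object tcp destination eq 2000
 service-object tcp destination eq 5060
 service-object udp destination eq 5060
 service-object tcp destination eq 5061
! Phone-to-phone media: the default Cisco IP phone RTP/RTCP port range
object-group service RTP-MEDIA
 service-object udp destination range 16384 32767
!
access-list INSIDE_IN extended permit object-group VOICE-SIGNALING object-group CONTRACTOR-LAN object-group CALL-MANAGERS
access-list INSIDE_IN extended permit object-group RTP-MEDIA object-group CONTRACTOR-LAN object-group COMPANY-PHONES
access-list INSIDE_IN extended permit ip object-group CONTRACTOR-LAN host 10.50.15.15
access-list INSIDE_IN extended deny ip any any log
!
access-group INSIDE_IN in interface inside
```

Because the ASA is stateful, calls set up from the contractor side get their return RTP through the connection table; calls placed from the company side toward contractor phones need a matching permit on the outside interface as well. If the default `inspect sip` / `inspect skinny` policy is active and signalling is unencrypted, the ASA opens the RTP pinholes dynamically and the static RTP-MEDIA line acts as a fallback rather than the primary control; `show conn` during a test call shows which path the media actually took.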