646 Views, 0 Helpful, 5 Replies

Help setting up a 5510 for VPN only

administrator
Level 1

Hi,

We are wanting to set up an old ASA 5510 we have to provide user VPN connectivity to our network. Currently we are connecting via VPN through our ISP's managed firewall, but it doesn't work very well, so we want to try to provide it ourselves. The 5510 will not be used as a firewall and will not be placed between a router and the internet. We want to plug it into our switch, give it an internal IP only, then use an external IP and NAT forwarding from our ISP to that IP. I've started to build it but can't get any connectivity to it at all, other than by setting a static IP on a laptop plugged directly into it on the mgmt subnet, or via console cable. I'm no wiz at Cisco configs, so I definitely need some help on this. It's out of warranty, so TAC isn't an option. Any help would be appreciated.

Thanks. Config is attached.

5 Replies

Jouni Forss
VIP Alumni

Hi,

First off, I am wondering what your actual network edge setup is like. I gather that you have a separate firewall device on the edge, but does it perhaps have a small public subnet configured on its external interface, or does it perhaps only have a small /30 subnet to act as a link network to the ISP?

If you have a /29 subnet or bigger, you could perhaps consider attaching the WAN link of the VPN ASA directly to the ISP device (if that is even possible) and assigning a free public IP address from the same public subnet that the firewall is attached to. This way you wouldn't need to do any NAT for the actual device.

Again, all of the above depends on how your actual setup is.

With regards to the problem with management connections, here are some reasons:

Your "http" and "telnet" statements are wrong to use "0.0.0.0 255.255.255.255". It should be "0.0.0.0 0.0.0.0" if you want to allow everything. Though "telnet" is not something you should use, and it won't even work on an interface with "security-level 0" unless you are accessing it through VPN.

So add

http 0.0.0.0 0.0.0.0 outside

If you want to manage it from behind "outside", though, I would consider limiting the source IP address.

Same for SSH if needed:

ssh version 2

ssh 0.0.0.0 0.0.0.0 outside

crypto key generate rsa modulus 1024

Again, I would limit the source address if possible.

- Jouni
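As an added illustration of the mask point above (example code, not from the thread or the poster's attached config): a small Python check that reads the http/ssh/telnet management statements from a constructed ASA config excerpt and flags the "0.0.0.0 255.255.255.255" mistake, any-source management access, telnet on a security-level 0 interface, and a missing "ssh version 2".

```python
import ipaddress
import re

# Constructed ASA config excerpt mirroring the thread's mistakes; this is
# not the poster's attached config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Management0/0
 nameif management
 security-level 100
http server enable
http 0.0.0.0 255.255.255.255 outside
telnet 0.0.0.0 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 management
"""

ACCESS_RE = re.compile(r"^(http|ssh|telnet) (\S+) (\S+) (\S+)\s*$")

def interface_levels(config):
    """Map each nameif to its security-level, read from the interface blocks."""
    levels, name = {}, None
    for line in config.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s*security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels

def lint_management_access(config):
    """Return (statement, tag) findings for http/ssh/telnet access statements."""
    levels = interface_levels(config)
    findings, saw_ssh = [], False
    for line in config.splitlines():
        if not (m := ACCESS_RE.match(line)):
            continue
        proto, addr, mask, iface = m.groups()
        saw_ssh |= proto == "ssh"
        # ASA takes <address> <netmask>; 0.0.0.0 255.255.255.255 is the single
        # host 0.0.0.0, which no client ever has, so nothing is permitted.
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        if addr == "0.0.0.0" and net.num_addresses == 1:
            findings.append((line, "matches-no-host"))
        elif net.prefixlen == 0:
            findings.append((line, "any-source"))  # narrow to admin addresses
        # telnet is cleartext and, as noted in the reply above, the ASA refuses
        # it on the lowest-security interface unless the session arrives over VPN.
        if proto == "telnet" and levels.get(iface) == 0:
            findings.append((line, "telnet-on-security-level-0"))
    if saw_ssh and not re.search(r"^ssh version 2\s*$", config, re.M):
        findings.append(("(global)", "missing-ssh-version-2"))
    return findings
```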

Hi Jouni,

Thanks for the response, first off.

We are a 14-office company set up on an MPLS network through Level3. The firewall is controlled by a 3rd-party vendor they use and I believe is located in LA, so it's definitely not a possibility to connect the ASA to that.

Thanks for the info on the management.

Ah ok,

Well, it's a pretty common setup where I work. We manage hundreds of customer firewalls that are located in our datacenter, and our MPLS network is used to connect the various customer locations to the customer firewall. We usually have separate firewall hardware to do the VPN for the customer.

Have you considered the option to set up this VPN device at the ISP premises? I gather at the moment you will be trying to add it at one of the offices? I am not sure if it's an option to have it installed at the ISP location where the firewall probably is. I do think, though, that you will still need help from the ISP with regards to routing if you want the VPN users to reach the other offices through this device located at one office.

So was your main problem at the moment establishing the management connection to the ASA? Or was the problem setting up the ASA at the office to be reachable from the public network, or was the problem configuring the actual VPN on it?

- Jouni

Right now I'm just trying to get it reachable on the network so I can start working on the VPN stuff. I can't figure out why it's not. I get a "no route to host 10.2.50.1" when I'm trying to ping the gateway or anything past that. I know there's no static route entry in the config, just not sure if that's needed when there's no inside & outside interfaces, since right now it's just the 'outside' interface that's up.

Ugh, never mind. I figured it out. Helps if you plug your network cable into the same port you're configuring.