Hi!
I have been hired by a company that wants to host its own web services, like financial research, in its own data center, and I have been asked to come up with a solution that will be available 24/7.
I came up with a solution ("draft diagram attached"), but I have a few questions regarding the configuration of the Cisco ASA 5550.
1- If BGP cannot be configured at this time, can I have two leased-line internet connections coming in to both of the outside routers, and have one of the lines configured as a backup interface "on the ASA device"?
2- Can I have each of the DNS servers on a separate subnet, assuming that the first ISP range is 1.1.1.0 and the second is 2.1.1.0?
3- Is the configuration example below for the active ASA right (ACLs, failover, backup ISP config and NATing)?
ASA1# sh run
: Saved
:
PIX Version 7.2(3)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
interface Ethernet1
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
!
interface Ethernet2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
!
interface Ethernet3
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 nameif backup
 security-level 0
 ip address 2.1.1.1 255.255.255.0 standby 2.1.1.2
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_int extended permit tcp any host 1.1.1.3 eq domain
access-list outside_int extended permit udp any host 1.1.1.3 eq domain
access-list outside_int extended permit tcp any host 1.1.1.4 eq www
access-list outside_int extended permit tcp any host 1.1.1.4 eq https
access-list backup_int extended permit tcp any host 2.1.1.3 eq domain
access-list backup_int extended permit udp any host 2.1.1.3 eq domain
access-list outside_int extended permit icmp any any
access-list inside_int extended permit ip any any
access-list dmz_int extended permit tcp host 172.16.0.50 any eq domain
access-list dmz_int extended permit tcp host 172.16.0.51 any eq domain
access-list dmz_int extended permit tcp host 172.16.0.100 any eq www
access-list dmz_int extended permit tcp host 172.16.0.100 any eq https
access-list dmz_int extended permit ip any 192.168.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,outside) 1.1.1.3 172.16.0.50 netmask 255.255.255.255
static (dmz,backup) 2.1.1.3 172.16.0.51 netmask 255.255.255.255
static (dmz,outside) 1.1.1.4 172.16.0.100 netmask 255.255.255.255
static (dmz,backup) 2.1.1.4 172.16.0.100 netmask 255.255.255.255
access-group inside_int in interface inside
access-group dmz_int in interface dmz
access-group outside_int in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.10 1 track 1
route backup 0.0.0.0 0.0.0.0 2.1.1.10 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 1.0.0.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
Thanks in advance for your help.
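As an added example, not part of the original post, here is a small Python consistency check a reviewer could run over an ASA 7.x running-config before answering question 3: it parses the nameif, access-list, access-group, static and mtu lines and flags interfaces with no applied ACL or mtu line, ACLs that are defined but never bound, and static translations whose mapped address no ACL line permits. The embedded configuration is a constructed excerpt of the running-config above; the function and message wording are this example's own.

```python
import re

# Constructed excerpt of the running-config posted above (subset of its lines).
ASA_CONFIG = """\
interface Ethernet0
 nameif inside
interface Ethernet1
 nameif dmz
interface Ethernet2
 nameif outside
interface Ethernet4
 nameif backup
access-list outside_int extended permit tcp any host 1.1.1.3 eq domain
access-list outside_int extended permit tcp any host 1.1.1.4 eq www
access-list backup_int extended permit tcp any host 2.1.1.3 eq domain
mtu inside 1500
mtu dmz 1500
mtu outside 1500
static (dmz,outside) 1.1.1.3 172.16.0.50 netmask 255.255.255.255
static (dmz,backup) 2.1.1.3 172.16.0.51 netmask 255.255.255.255
static (dmz,outside) 1.1.1.4 172.16.0.100 netmask 255.255.255.255
static (dmz,backup) 2.1.1.4 172.16.0.100 netmask 255.255.255.255
access-group inside_int in interface inside
access-group dmz_int in interface dmz
access-group outside_int in interface outside
"""


def audit_asa_config(config: str) -> list[str]:
    """Return human-readable consistency findings for an ASA 7.x running-config."""
    findings = []
    nameifs = re.findall(r"^\s*nameif (\S+)", config, re.M)
    defined_acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    applied = dict(re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M))
    # An interface with no inbound ACL falls back to the implicit deny, so a public
    # service behind it is unreachable; also catch ACLs written but never bound.
    for ifc in nameifs:
        if ifc not in applied.values():
            findings.append(f"interface {ifc}: no access-group applied")
    for acl in sorted(defined_acls - set(applied)):
        findings.append(f"access-list {acl}: defined but not applied")
    # Each static (dmz,<outer>) mapped address needs an ACL line permitting traffic to it.
    for outer_if, mapped in re.findall(r"^static \(\S+,(\S+)\) (\S+) \S+ netmask", config, re.M):
        if not re.search(rf"^access-list \S+ .*\bhost {re.escape(mapped)}(?:\s|$)", config, re.M):
            findings.append(f"static {mapped} on {outer_if}: no ACL entry permits traffic to it")
    # Every nameif normally carries an explicit mtu line in show run.
    mtu_ifaces = set(re.findall(r"^mtu (\S+) ", config, re.M))
    for ifc in nameifs:
        if ifc not in mtu_ifaces:
            findings.append(f"interface {ifc}: no mtu line")
    return findings


if __name__ == "__main__":
    for line in audit_asa_config(ASA_CONFIG):
        print(line)
```

On the excerpt it reports that the backup interface has neither an access-group nor an mtu line, that backup_int is never applied, and that 2.1.1.4 (the backup-side static for the web server) has no ACL entry; the same points apply to the full configuration above.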