configuring ASA 5505 4 VLANs

Posted on 2007-03-17
Last Modified: 2012-06-27
Is there a way to configure the ASA 5505 Security Plus device from scratch via ASDM over IE remotely, with limited on-site assistance?

It consists of:
1) business, internet, home and DMZ: four VLANs;
2) one device in the DMZ zone mapped to a second fixed public IP with port 443 open;
3) one IP in the business VLAN with port 135 open for a device in the home VLAN.

Any major steps to accomplish this setup?


Question by:fshguo
Accepted Solution by: batry_boy (earned 500 total points)

It's not a major thing, but if you're configuring this device strictly from a remote site, you need to be careful about the VLAN setups since you could lose connectivity if you make a wrong move and not be able to get back in to make any more changes!

If you have the outside interface configured the way you want it with administrative access allowed, then you should be able to set up the other 3 VLANs remotely with no problem...I wouldn't change anything about the interface you are administering the ASA from, though, since this could cause a connectivity issue like I stated above.

Assuming you have the outside interface configured to allow http access in for administration, then you need to decide on the different security levels of each interface, since this will dictate how you permit access to the devices in your DMZ and business VLANs. For instance, say you had the following security levels applied to the 4 VLAN interfaces:

outside = 0
DMZ = 50
home = 80
business = 100

the config for these interfaces would look something like this:

interface VLAN1
  description outside
  nameif outside
  security-level 0
  ip address 1.1.1.1 255.255.255.248

interface VLAN2
  description DMZ
  nameif DMZ
  security-level 50
  ip address 192.168.1.1 255.255.255.0

interface VLAN3
  description home
  nameif home
  security-level 80
  ip address 172.16.1.1 255.255.255.0

interface VLAN4
  description business
  nameif business
  security-level 100
  ip address 10.1.1.1 255.255.255.0

You could then perform the mappings listed in your steps 2 and 3 above with the following commands:

Assuming that:
1.1.1.2 = the second fixed public IP you want to map the DMZ host to
192.168.1.2 = the DMZ host's real IP address that you want to allow TCP 443 inbound to
10.1.1.2 = the IP address of the host in the business VLAN that you want to allow TCP 135 inbound to from a host in the home VLAN
172.16.1.2 = the host in the home VLAN that is granted access to host 10.1.1.2 in the business VLAN:

access-list acl_outside_in permit tcp any host 1.1.1.2 eq 443     <--creates ACL to allow inbound TCP 443 traffic to host 1.1.1.2
access-list acl_home_in permit tcp host 172.16.1.2 host 10.1.1.2 eq 135  <--ACL to allow TCP 135 from 172.16.1.2 to 10.1.1.2
static (DMZ,outside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255  <--create translation for DMZ host to public IP address 1.1.1.2
static (business,home) 10.1.1.2 10.1.1.2 netmask 255.255.255.255  <--create translation for business host to look like itself on home VLAN
access-group acl_outside_in in interface outside  <--apply ACL named "acl_outside_in" to outside interface in inbound direction
access-group acl_home_in in interface home  <--apply ACL named "acl_home_in" to home interface in inbound direction

Now there is a lot of stuff that has been left out of an ASA configuration if you're starting from scratch and this is what the command line interface way of doing it would look like (you asked about the ASDM).  It's hard to put the exact instructions for a GUI into a forum like this which is why I presented the CLI way of doing it.

If your comfort level with configuring the ASA is high, then I would say that remotely configuring the ASA would be OK.  But if you're new at configuring the ASA, then be very careful doing this remotely because of the nature of the changes you're wanting to make.


Author Comment by: fshguo

Let me clarify two items based on your comments:
1) the following lines:
static (DMZ,outside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255  <--create translation for DMZ host to public IP address 1.1.1.2
static (business,home) 10.1.1.2 10.1.1.2 netmask 255.255.255.255  <--create translation for business host to look like itself on home VLAN
Are these the NAT statements? Where does this apply in ASDM?
2) Do you think the "access-group acl_home_in in interface home" should be acl_home_out instead? And again, where does this apply in ASDM?

In addition, three more questions:
1) Does the routing table need to be manually added between VLANs, or will the device learn it by itself once the VLANs are created?
2) Should NAT or PAT be enabled in this scenario?
3) By default, a VLAN with a higher security level can access a lower one; how can this be revoked so the business VLAN cannot access home unless it is permitted in an access-list?

Thanks.

Assisted Solution by: batry_boy (earned 500 total points)

1.  Yes, those are the NAT statements.  You apply them in the ASDM under Configuration-NAT...click on the "Add" button, then choose "Add static NAT rule" and specify the appropriate values in the window that comes up.

2.  It wasn't very clear about how you wanted the traffic allowed, so you will have to elaborate on your desire.  The name of the ACL is not relevant so you can call the ACL whatever you like.  What matters is how and where you apply it (what direction and to what interface).  If your intent is to restrict traffic coming from the "home" VLAN going to the "business" VLAN, then I would do it like I presented above, which is to inspect the traffic inbound to the "home" interface on the firewall and then see if it is allowed.  If so, allow it to pass to the business VLAN...if not, then drop the packet.

3.  The device will know how to route between the VLANs because you are creating them on the ASA and you will have switchports directly connected to these VLANs.  Once the VLANs are created, you need to assign the physical Ethernet ports to be members of the appropriate VLANs.  You do this under Configuration-Interfaces.

4.  NAT would be used here since you have a second public IP address available to use.  If you only had one to use on the public interface, i.e. your firewall interface IP address, then you would have to use PAT.

5.  You would create an ACL that defines the traffic you want to explicitly allow or deny coming from the business VLAN to the home VLAN and apply this ACL to the "business" VLAN interface.  Something like this:

access-list acl_business_in permit tcp host 10.1.1.2 host 172.16.1.2 eq smtp
access-group acl_business_in in interface business

The above statements would allow mail traffic from host 10.1.1.2 to host 172.16.1.2.

Hope this helps...
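As an added example that is not part of the thread, here is a small Python model of the rule both answers rely on: the security-level default applies only until an access-group is bound to an interface, after which that ACL and its implicit deny decide. It uses the interface names, levels, addresses and ACLs from the answers above, assumes pre-8.3 ASA semantics (the outside ACL matches the mapped address 1.1.1.2), and ignores the NAT statics.

```python
# Added example, not from the thread: a model of the ASA rule that
# questions 2 and 5 above turn on.  With no access-group bound, a flow
# passes only from a higher security level to a lower one; once an ACL
# is bound inbound on an interface, that ACL and its implicit deny decide.
# Names, levels and addresses are the thread's; the outside ACL matching
# the mapped address 1.1.1.2 assumes pre-8.3 ASA code, and smtp is 25.

SECURITY_LEVEL = {"outside": 0, "DMZ": 50, "home": 80, "business": 100}

# ACL entries: (action, protocol, source, destination, destination port);
# "any" matches every address, None matches every port.
ACLS = {
    "acl_outside_in": [("permit", "tcp", "any", "1.1.1.2", 443)],
    "acl_home_in": [("permit", "tcp", "172.16.1.2", "10.1.1.2", 135)],
    "acl_business_in": [("permit", "tcp", "10.1.1.2", "172.16.1.2", 25)],
}

# access-group <acl> in interface <ifc>; the DMZ interface has none.
ACCESS_GROUP = {"outside": "acl_outside_in", "home": "acl_home_in",
                "business": "acl_business_in"}


def _matches(entry, proto, src, dst, dport):
    _, e_proto, e_src, e_dst, e_port = entry
    return (e_proto == proto and e_src in ("any", src)
            and e_dst in ("any", dst) and e_port in (None, dport))


def permitted(in_ifc, out_ifc, proto, src, dst, dport):
    """True if a new connection entering in_ifc bound for out_ifc passes.

    If an ACL is bound inbound on in_ifc, the first matching entry decides
    and an unmatched flow hits the implicit deny; otherwise the
    security-level default applies.
    """
    acl = ACCESS_GROUP.get(in_ifc)
    if acl is not None:
        for entry in ACLS[acl]:
            if _matches(entry, proto, src, dst, dport):
                return entry[0] == "permit"
        return False  # implicit deny at the end of every ACL
    return SECURITY_LEVEL[in_ifc] > SECURITY_LEVEL[out_ifc]


if __name__ == "__main__":
    # Side effect the thread does not spell out: once acl_home_in is
    # bound, home can no longer reach the DMZ web server by default.
    print(permitted("home", "DMZ", "tcp", "172.16.1.2", "192.168.1.2", 443))
```

The model makes the cost of the suggested ACLs visible: binding acl_home_in and acl_business_in as written leaves home unable to reach the DMZ and business unable to reach the internet until further permit lines are added. On the real box the static translations from the first answer are also required for the DMZ and business flows.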
