configuring ASA 5505 4 VLANs

Is there a way to configure the ASA 5505 Security Plus device from scratch via ASDM over IE remotely, with limited on-site assistance?

It consists of:
1) four VLANs: business, internet, home and DMZ;
2) one device in the DMZ zone mapped to a second fixed public IP with port 443 open;
3) one IP in the business VLAN with port 135 open to a device in the home VLAN.

Any major steps to accomplish this setup?


fshguoAsked:

batry_boyCommented:
It's not a major thing, but if you're configuring this device strictly from a remote site, you need to be careful about the VLAN setup, since you could lose connectivity if you make a wrong move and then not be able to get back in to make any more changes!

If you have the outside interface configured the way you want it, with administrative access allowed, then you should be able to set up the other 3 VLANs remotely with no problem...I wouldn't change anything about the interface you are administering the ASA from, though, since this could cause a connectivity issue like I stated above.

Assuming you have the outside interface configured to allow HTTP access in for administration, then you need to decide on the different security levels of each interface, since this will dictate how you permit access to the devices in your DMZ and business VLANs.  For instance, say you had the following security levels applied to the 4 VLAN interfaces:

outside = 0
DMZ = 50
home = 80
business = 100

the config for these interfaces would look something like this:

interface VLAN1
  description outside
  nameif outside
  security-level 0
  ip address 1.1.1.1 255.255.255.248

interface VLAN2
  description DMZ
  nameif DMZ
  security-level 50
  ip address 192.168.1.1 255.255.255.0

interface VLAN3
  description home
  nameif home
  security-level 80
  ip address 172.16.1.1 255.255.255.0

interface VLAN4
  description business
  nameif business
  security-level 100
  ip address 10.1.1.1 255.255.255.0

You could then perform the mappings listed in your steps 2 and 3 above with the following commands:

Assuming that:
1.1.1.2 = the second fixed public IP you want to map the DMZ host to
192.168.1.2 = the DMZ host's real IP address that you want to allow TCP 443 inbound to
10.1.1.2 = the IP address of the host in the business VLAN that you want to allow TCP 135 inbound to from a host in the home VLAN
172.16.1.2 = the host in the home VLAN that is granted access to host 10.1.1.2 in the business VLAN:

access-list acl_outside_in permit tcp any host 1.1.1.2 eq 443     <--creates ACL to allow inbound TCP 443 traffic to host 1.1.1.2
access-list acl_home_in permit tcp host 172.16.1.2 host 10.1.1.2 eq 135  <--ACL to allow TCP 135 from 172.16.1.2 to 10.1.1.2
static (DMZ,outside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255  <--create translation for DMZ host to public IP address 1.1.1.2 (no space inside the interface pair)
static (business,home) 10.1.1.2 10.1.1.2 netmask 255.255.255.255  <--create translation for business host to look like itself on home VLAN
access-group acl_outside_in in interface outside  <--apply ACL named "acl_outside_in" to outside interface in inbound direction
access-group acl_home_in in interface home  <--apply ACL named "acl_home_in" to home interface in inbound direction

Now, there is a lot of stuff that has been left out of an ASA configuration if you're starting from scratch, and this is what the command-line interface way of doing it would look like (you asked about ASDM).  It's hard to put the exact instructions for a GUI into a forum like this, which is why I presented the CLI way of doing it.

If your comfort level with configuring the ASA is high, then I would say that remotely configuring the ASA would be OK.  But if you're new at configuring the ASA, then be very careful doing this remotely because of the nature of the changes you're wanting to make.

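Pulling the steps from the comment above into one configuration that can be pasted in from the CLI. This is an added example, not the poster's configuration or the answerer's own; it keeps the answer's addresses, interface names and security levels and uses the same pre-8.3 NAT syntax (static/global/nat). Everything else is an assumption to replace before use: the default gateway 1.1.1.6 on the outside subnet, the administrator's source address 203.0.113.10, the Ethernet0/x-to-VLAN assignment, and the admin password. Three things the answer does not spell out: the ASA 5505 puts every switchport it has not been told about into VLAN 1, which is the outside VLAN in this design, so all eight ports are assigned or shut down explicitly; once outbound PAT is configured, traffic between the internal VLANs needs a NAT exemption (or a static, as in the answer) so the PAT rule does not catch it; and once an access-group is applied to the home interface, its implicit deny replaces the security-level default, so the ACL has to permit whatever else home is supposed to reach. On ASA 8.3 and later, NAT is written differently and the outside ACL names the real address (192.168.1.2) rather than the mapped one.

```cisco
hostname asa5505
! Four VLAN interfaces, security levels as in the answer (a fourth VLAN needs Security Plus)
interface Vlan1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface Vlan2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif home
 security-level 80
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan4
 nameif business
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Physical ports (assumed mapping). Unassigned ports default to VLAN 1 = outside here,
! so every port is either assigned on purpose or shut down.
interface Ethernet0/0
 switchport access vlan 1
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
 switchport access vlan 4
interface Ethernet0/4
 switchport access vlan 4
interface Ethernet0/5
 shutdown
interface Ethernet0/6
 shutdown
interface Ethernet0/7
 shutdown
!
! Only the default route is needed; the four VLAN subnets are directly connected.
route outside 0.0.0.0 0.0.0.0 1.1.1.6 1
!
! Outbound: PAT all three internal VLANs to the outside interface address.
global (outside) 1 interface
nat (business) 1 10.1.1.0 255.255.255.0
nat (home) 1 172.16.1.0 255.255.255.0
nat (DMZ) 1 192.168.1.0 255.255.255.0
!
! Inter-VLAN: exempt from NAT (exemption is bidirectional and takes precedence), so the
! PAT rules above never apply between business, home and DMZ. This stands in for the
! per-host identity static in the answer and covers the whole VLAN pair instead.
access-list no_nat_business extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list no_nat_business extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat_home extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (business) 0 access-list no_nat_business
nat (home) 0 access-list no_nat_home
!
! Requirement 2: second public address mapped one-to-one to the DMZ host.
static (DMZ,outside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255
!
! Inbound from the Internet: TCP 443 to the mapped address only; everything else hits the implicit deny.
access-list acl_outside_in extended permit tcp any host 1.1.1.2 eq 443
access-group acl_outside_in in interface outside
!
! Requirement 3, from the home side: the one TCP 135 flow, block the rest of business,
! then permit everything else so home keeps its Internet and DMZ access.
access-list acl_home_in extended permit tcp host 172.16.1.2 host 10.1.1.2 eq 135
access-list acl_home_in extended deny ip any 10.1.1.0 255.255.255.0
access-list acl_home_in extended permit ip any any
access-group acl_home_in in interface home
!
! Remote administration: ASDM (HTTPS) and SSH only from the assumed admin address.
! SSH additionally needs an RSA key, generated once from exec mode: crypto key generate rsa modulus 2048
username admin password ChangeMeNow privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 203.0.113.10 255.255.255.255 outside
ssh 203.0.113.10 255.255.255.255 outside
```

Apply it in two passes when working remotely: paste everything except the access-group and http/ssh lines first and confirm you can still reach the box, then add the access-groups. The http and ssh lines are the ones that decide whether you keep your management session, so they are the last thing to narrow and the first thing to check.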
fshguoAuthor Commented:
Let me clarify two items based on your comments:
1) the following lines:
static (DMZ,outside) 1.1.1.2 192.168.1.2 netmask 255.255.255.255  <--create translation for DMZ host to public IP address 1.1.1.2
static (business,home) 10.1.1.2 10.1.1.2 netmask 255.255.255.255  <--create translation for business host to look like itself on home VLAN
Are these the NAT statements? Where does this apply in ASDM?
2) Do you think the "access-group acl_home_in in interface home" should be acl_home_out instead? And again, where does this apply in ASDM?

In addition, three more questions:
1) Does the routing table need to be added manually between VLANs, or will the device learn it by itself once the VLANs are created?
2) Should NAT or PAT be enabled in this scenario?
3) By default, a VLAN with a higher security level can access a lower one. How can this be revoked so that the business VLAN cannot access home unless it is permitted in an access-list?

Thanks.
batry_boyCommented:
1.  Yes, those are the NAT statements.  You apply them in ASDM under Configuration > NAT: click the "Add" button, then choose "Add static NAT rule" and specify the appropriate values in the window that comes up.

2.  It wasn't very clear how you wanted the traffic allowed, so you will have to elaborate on what you want.  The name of the ACL is not relevant, so you can call the ACL whatever you like.  What matters is how and where you apply it (what direction and to what interface).  If your intent is to restrict traffic coming from the "home" VLAN going to the "business" VLAN, then I would do it like I presented above, which is to inspect the traffic inbound to the "home" interface on the firewall and then see if it is allowed.  If so, allow it to pass to the business VLAN...if not, then drop the packet.

3.  The device will know how to route between the VLANs because you are creating them on the ASA and you will have switchports directly connected to these VLANs.  Once the VLANs are created, you need to assign the physical Ethernet ports to be members of the appropriate VLANs.  You do this under Configuration > Interfaces.

4.  NAT would be used here since you have a second public IP address available to use.  If you only had one to use on the public interface, i.e. your firewall interface IP address, then you would have to use PAT.

5.  You would create an ACL that defines the traffic you want to explicitly allow or deny coming from the business VLAN to the home VLAN and apply this ACL to the "business" VLAN interface.  Something like this:

access-list acl_business_in permit tcp host 10.1.1.2 host 172.16.1.2 eq smtp
access-group acl_business_in in interface business

The above statements would allow mail traffic from host 10.1.1.2 to host 172.16.1.2.

Hope this helps...
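A worked version of point 5 above, restricting the business VLAN, as an added example that is not the poster's or the answerer's configuration; it uses the answer's addresses. The single permit line for SMTP is correct as far as it goes, but an access-group ends in an implicit deny, so applied on its own it would also cut the business VLAN off from the Internet and the DMZ. The ordering below states the intended policy completely, and the packet-tracer and show commands that follow are how to confirm each outcome on the ASA itself before trusting the change. 198.51.100.7 is an assumed Internet address and 10.1.1.5 an assumed second business host; the Internet case assumes some outbound NAT to the outside interface is already configured.

```cisco
! Intended policy for business: one flow to home is allowed, nothing else reaches home,
! and everything else (Internet, DMZ) still works. Order matters: the first match wins,
! and a line that is never reached is as good as absent.
access-list acl_business_in extended permit tcp host 10.1.1.2 host 172.16.1.2 eq smtp
access-list acl_business_in extended deny ip any 172.16.1.0 255.255.255.0 log
access-list acl_business_in extended permit ip any any
access-group acl_business_in in interface business
!
! Verification from the enable prompt. Each packet-tracer run walks the packet through
! routing, NAT and the ACL and ends with an ALLOW or DROP line naming the rule that decided.
! expected: ALLOW, matched by the first (smtp) line
packet-tracer input business tcp 10.1.1.2 40000 172.16.1.2 25
! expected: DROP by the deny line, plus a syslog entry because of "log"
packet-tracer input business tcp 10.1.1.5 40000 172.16.1.2 445
! expected: DROP as well; the smtp permit is for host 10.1.1.2 only
packet-tracer input business tcp 10.1.1.5 40000 172.16.1.2 25
! expected: ALLOW via "permit ip any any", then translated by the outbound NAT
packet-tracer input business tcp 10.1.1.5 40000 198.51.100.7 80
!
! Per-line hit counts show whether real traffic is matching the line you think it is;
! a deny line with a rising counter is the quickest sign that something legitimate broke.
show access-list acl_business_in
```

The same three-line pattern (specific permits, a deny for the protected VLAN, then permit ip any any) is what the home interface needs as well once an access-group is applied there; without the final permit, applying the ACL silently removes the higher-to-lower access the security levels used to grant.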