kevincasey

asked on

General Cisco ASA 5505 / network configuration questions.

I have a few conceptual questions about the Cisco ASA 5505.  I'm not asking any specific configuration questions yet, those will be in another question with more points.

My agency recently acquired three (3) of the ASA 5505 Security Plus bundles.  We are looking to use one as a firewall behind our SDSL modem.  In the future we would like to use the other two devices at remote locations to connect securely back to our main location.  Each remote location has between one and five concurrent users.

Question 1) Do we need to deploy the Security Plus bundles at every location?  Or can we get away with something like the 10-user bundle at the remote locations (for half the price) and the Security Plus bundle at our main office?

Question 2a) Are there significant advantages to using the DMZ functionality included in the security plus bundle?  Currently, the only services we expose are our Exchange server (including RPC and OWA) and our spam firewall, for which the traffic is currently being routed through our modem using simple port-forwarding.
Question 2b) Our ISP has given us a small handful of IP addresses.  Should we move our spam filter and Exchange server to the public address space and use the NAT functionality instead of the PAT functionality of the ASA 5505?

Question 3) We have a handful of laptops that users take home to do work in a very disconnected fashion.  They log into an account local to the laptop and save their work to a flash drive.  Is it possible, with just the ASA 5505, to set up the laptops so that they connect securely back into our network and provide access to our internal resources?  If not, what additional software/hardware do we need?
ASKER CERTIFIED SOLUTION
InteraX
InteraX covered it well.  However I have an addendum to number 1.

Cisco loves to add functionality to their OS package.  If you look at the functionality of the 7.0 version and then look at the 7.2, a ton was added without the need to purchase the Security Plus.  For example, 7.0 gave 4 interfaces unlocked and no VLANs.  Now you get all interfaces unlocked and 50 VLANs, plus way more IPSec connections allowed.  So like InteraX said, if it's not needed don't use it.  Who knows, it may come in an OS upgrade later.

And a minor disagreement on 2b:

NAT vs. PAT has nothing to do with the reverse DNS.  You can have the PAT'd interface IP set up as your PTR record with your ISP if you wanted and it'd pass AOL's spam tests just as well as if you did a NAT.  HOWEVER, I do agree that you should always use NAT on any public server.  For one, if for some reason you don't firewall SMTP traffic (except for the mail server), if someone gets a virus, they could get your PAT IP blacklisted.  If you have your mail server PAT out that interface as well, then it'd be blacklisted and will severely ruin your week.
I wouldn't necessarily use NAT on all public servers, e.g. a web server. I use PAT to map port 80 and port 443, so all incoming traffic appears on the translated address, but any outgoing traffic then uses the global PAT address. People then can't tell where outbound traffic is coming from, and it helps hide the sending machine whilst allowing inbound traffic to get to the right host.

I would suggest using NAT and not PAT on a mail server because of the issues you mention above and because some anti-spam software does a reverse lookup on the sending IP and will try to match it with what the server announces itself as. This will also simplify the config.
But as I stated before, NAT/PAT have nothing to do with the anti-spam detection methodology.  The only connection is if infected clients are sending bulk spam out and get that IP blacklisted.  However, if you PAT the mail server to the outside interface and create an ACL to allow only the mail server to send SMTP out, then you don't have to worry about it.  All you have to make sure is that your outside interface IP has a PTR for the mail server name that the mail server announces itself as, and that there is also an A record to match that IP as well.

Also, sorry for putting words in your mouth, obviously I misinterpreted your comments.  I'll just say it's my personal preference to always do a NAT on any public server.  However, of course, if you have a ton of public servers and limited IPs (or just want to save IPs for later use), then PAT is the way to go (and if I'm reading right, like InteraX has stated, to an IP other than the one assigned to your outside interface if possible).  Heck, I honestly like to do a different public IP PAT for each internal network so the inside and guest networks go out over different IPs.  Honestly this is more for log purposes.  As I can quickly see that certain traffic is going through public IP X, I know to which host(s) it is assigned instantly.  And if it's a PAT address then I can delve in deeper in the logs to see specifically which host used the PAT for that session.

However, I don't totally understand your comment "People then can't tell where outbound traffic is coming from and helps hide the sending machine whilst allowing inbound traffic to get to the right host."  They will know the PAT public IP, which is way better to know than the private IP.  NAT devices just act as an implicit firewall because the private IP network space isn't publicly routable.  This is the reason it's advantageous for homes to get a NAT device, but companies have a firewall that protects the perimeter anyway.  Guess I'm just not reading that part right.
Cyclops,

To be honest, and I suppose this is the actual answer, it very much depends on how you want to set up your own system as to how you configure the NAT/PAT config.

We all have ways that we like doing things and as long as the system works, there is no right or wrong way of doing things.

What I was suggesting with the comment you mention is that on my web servers, I use PAT to map port 80 and 443. Then if an outside host wants to access the machine, the traffic gets through, but if the webserver makes an outgoing request, this will then appear on the global PAT address assigned for the subnet. In a lot of cases, there will be only 1 global PAT address that will be used for all machines behind the firewall, but this isn't the case in all scenarios and depends on how you want/like to set things up. ;-)
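The NAT/PAT layout the two replies above describe (one-to-one static NAT for the mail server, static PAT of only 80/443 for a web server whose outbound traffic then rides the global PAT, a separate PAT address per internal network for log separation, and an outbound ACL so that only the mail server may originate SMTP), written out as an added example in ASA 7.x syntax. This is not configuration posted by anyone in the thread; the interface names, VLAN numbers and all addresses (RFC 5737 documentation ranges) are assumptions, and the syntax is the pre-8.3 nat/global/static form the thread's 7.0/7.2 discussion refers to (8.3 and later replaced these commands with object NAT).

```cisco
! Assumed interfaces on an ASA 5505 (Security Plus, so a third VLAN is unrestricted)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan3
 nameif guest
 security-level 50
 ip address 192.168.2.1 255.255.255.0

! Outbound PAT: inside hosts leave as the outside interface address,
! guest hosts leave as a different spare public IP so the two networks
! are distinguishable in logs without digging into translation records
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (guest) 2 192.168.2.0 255.255.255.0
global (outside) 2 203.0.113.4

! Mail server (assumed 192.168.1.10): one-to-one static NAT to its own
! public IP; the PTR for 203.0.113.3 and the A record for the name the
! server announces in HELO/EHLO should both point at this address
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255

! Web server (assumed 192.168.1.20): static PAT for 80/443 only; anything
! the web server originates itself falls through to the global PAT above
static (inside,outside) tcp 203.0.113.5 www 192.168.1.20 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.5 https 192.168.1.20 https netmask 255.255.255.255

! Inbound: permit only the published services; everything else is
! dropped by the implicit deny at the end of the list
access-list outside_in extended permit tcp any host 203.0.113.3 eq smtp
access-list outside_in extended permit tcp any host 203.0.113.3 eq https
access-list outside_in extended permit tcp any host 203.0.113.5 eq www
access-list outside_in extended permit tcp any host 203.0.113.5 eq https
access-group outside_in in interface outside

! Outbound from inside: only the mail server may send SMTP, so an infected
! workstation cannot get the PAT address (or the mail server's IP) blacklisted
access-list inside_out extended permit tcp host 192.168.1.10 any eq smtp
access-list inside_out extended deny tcp any any eq smtp
access-list inside_out extended permit ip any any
access-group inside_out in interface inside

! The same restriction on the guest network, which has no mail server at all
access-list guest_out extended deny tcp any any eq smtp
access-list guest_out extended permit ip any any
access-group guest_out in interface guest
```

Two things worth checking after applying something like this: `show xlate` should show the mail server's sessions translated to 203.0.113.3 and the web server's own outbound sessions translated to the global 1 address, not to 203.0.113.5; and a test connection to port 25 from an ordinary inside workstation should fail at the inside_out ACL (visible with `show access-list inside_out` hit counts) rather than reaching the Internet.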
SOLUTION
kevincasey

ASKER

Sorry it's taken me so long to respond when you did so in such a timely fashion.  Please bear with me while I summarize (and internalize what you've discussed)...

1) I'm going to keep the security plus bundle for our main location and exchange a security plus bundle for something much more reasonable (and cost effective) like a 10-user bundle for our remote location.

2a) I'm not going to bother creating a DMZ.
2b) Because I've got several spare IPs, I can NAT our exchange server.

3) I can use the Cisco VPN client on the laptops to securely connect back into our network.
Kevin,

That sums it up nicely.

Regards,

Chris