General Cisco ASA 5505 / network configuration questions.

I have a few conceptual questions about the Cisco ASA 5505.  I'm not asking any specific configuration questions yet, those will be in another question with more points.

My agency recently acquired three (3) of the ASA 5505 Security Plus bundles.  We are looking to use one as a firewall behind our SDSL modem.  In the future we would like to use the other two devices at remote locations to connect securely back to our main location.  Each remote location has between one and five concurrent users.

Question 1) Do we need to deploy the security plus bundles at every location?  Or can we get away something like the 10-user bundle at the remote locations (for half the price) and the security plus bundle at our main office?

Question 2a) Are there significant advantages to using the DMZ functionality included in the security plus bundle?  Currently, the only services we expose are our Exchange server (including RPC and OWA) and our spam firewall, for which the traffic is currently being routed through our modem using simple port-forwarding.
Question 2b) Our ISP has given us a small handful of IP addresses.  Should we move our spam filter and Exchange server to the public address space and use the NAT functionality instead of the PAT functionality of the ASA 5505?

Question 3) We have a handful of laptops that users take home to do work in a very disconnected fashion.  They log into an account local to the laptop and save their work to a flash drive.  Is it possible, with just the ASA 5505 to setup the laptops so that they connect securely back into our network and provide access to our internal resources?  If not, what additional software/hardware do we need?
Hello kevincasey,

1) If you don't need the extended functionality of the Sec Plus at remote sites, why pay more than you need? The base license includes the IPSec VPN functionality. In this config, a device is a user. You will need to allow a 'user' for each printer connection run over the VPN and each server that replicates back to the main site.

2a) The DMZ functionality is useful for hosted services and for partitioning the network to make it more secure if you can afford a dedicated front-end Exchange server, but this can be a headache to configure.

2b) I would always use the NAT functionality these days for Exchange unless you are using a smart host to route all outbound email through. AOL will not like it if you don't have a reverse DNS record setup on the sending IP and as all outbound email comes from a random port number above 1024, this will not get translated unless you have NAT.

3) The ASAs can act as a remote access VPN endpoint. They can also authenticate against your AD if you set up RADIUS. The Cisco VPN client can also be set to run before logon.


InteraX covered it well.  However I have an addendum to number 1.

Cisco loves to add functionality to their OS package.  If you look at the functionality of the 7.0 version and then look at the 7.2, a ton was added without the need to purchase the security plus.  For example, 7.0 gave 4 interfaces unlocked and no VLANs.  Now you get all interfaces unlocked and 50 VLANs, plus way more IPSec connections allowed.  So like InteraX said, if it's not needed don't use it.  Who knows, it may come in an OS upgrade later.

And I provide a minor disagreement on 2b.

NAT vs. PAT has nothing to do with the reverse DNS.  You can have the PAT'd interface IP set up as your PTR record with your ISP if you wanted and it'd pass AOL's spam tests just as well as if you did a NAT.  HOWEVER, I do agree that you should always use NAT on any public server.  For one, if for some reason you don't firewall SMTP traffic (except for the mail server), if someone gets a virus, they could get your PAT IP blacklisted.  If you have your mail server PAT out that interface as well, then it'd be blacklisted and will severely ruin your week.

I wouldn't necessarily use NAT on all public servers, e.g. a web server. I use PAT to map port 80 and port 443, so all incoming traffic appears on the translated address, but any outgoing traffic then uses the global PAT address. People then can't tell where outbound traffic is coming from and it helps hide the sending machine whilst allowing inbound traffic to get to the right host.

I would suggest using NAT and not PAT on a mail server because of the issues you mention above and because some anti-spam software does a reverse lookup on the sending IP and will try to match it with what the server announces itself as. This will also simplify the config.

But as I stated before, NAT/PAT have nothing to do with the anti-spam detection methodology.  The only connection is if infected clients are sending bulk spam out and get that IP blacklisted.  However, if you PAT the mail server to the outside interface and create an ACL to allow only the mail server to send SMTP out, then you don't have to worry about it.  All you have to make sure is that your outside interface IP has a PTR for the mail server name that the mail server announces itself as and that there is also an A record to match that IP as well.

Also, sorry for putting words in your mouth, I obviously misinterpreted your comments.  I'll just say it's my personal preference to always do a NAT on any public server.  However, of course, if you have a ton of public servers and limited IPs (or just want to save IPs for later use), then PAT is the way to go (and if I'm reading right, like InteraX has stated, to an IP other than the one assigned to your outside interface if possible).  Heck, I honestly like to do a different public IP PAT for each internal network so the inside and guest networks go out over different IPs.  Honestly this is more for log purposes.  As I can quickly see that certain traffic is going thru public IP X, I know which host(s) it is assigned to instantly.  And if it's a PAT address then I can delve in deeper in the logs to see specifically which host used the PAT for that session.

However, I don't totally understand your comment "People then can't tell where outbound traffic is coming from and helps hide the sending machine whilst allowing inbound traffic to get to the right host."  They will know the PAT public IP, which is way better to know than the private IP.  NAT devices just act as an implicit firewall because the private IP network space isn't publicly routable.  This is the reason that for homes it's advantageous to get a NAT device, but companies have a firewall that protects the perimeter anyway.  Guess I'm just not reading that part right.

To be honest, and I suppose this is the actual answer, it very much depends on how you want to set up your own system as to how you configure the NAT/PAT config.

We all have ways that we like doing things and as long as the system works, there is no right or wrong way of doing things.

What I was suggesting with the comment you mention is on my web servers, I use PAT to map port 80 and 443. Then if an outside host wants to access the machine, the traffic gets through, but if the web server makes an outgoing request, this will then appear on the global PAT address assigned for the subnet. In a lot of cases, there will be only 1 global PAT address that will be used for all machines behind the firewall, but this isn't the case in all scenarios and depends on how you want/like to set things up. ;-)

Ah, ok, now I understand what you were saying.  Thanks for the clarification.  And you made me want to change my previous statement :-)
>>you should always use NAT on any public server
>>I recommend to always use NAT on any public server IF you have the spare Public IPs to do so.

But as you stated, it's personal preference on how to do it.  As it is only the translation of the IP between interfaces, it doesn't really matter so long as the xlate process can take place in the desired way.

kevincasey (Author) commented:
Sorry it's taken me so long to respond when you did so in such a timely fashion.  Please bear with me while I summarize (and internalize what you've discussed)...

1) I'm going to keep the security plus bundle for our main location and exchange a security plus bundle for something much more reasonable (and cost effective) like a 10-user bundle for our remote location.

2a) I'm not going to bother creating a DMZ.
2b) Because I've got several spare IPs, I can NAT our exchange server.

3) I can use the Cisco VPN client on the laptops to securely connect back into our network.

That sums it up nicely.

