Solved

ASA 5510 Configuration

Posted on 2007-11-29
Last Modified: 2012-05-05
I currently have a PIX and ISA 2004 configuration that I would like to change as I move to an ASA 5510. Currently my internal network 10.2.x.x has a dual-NIC ISA 2004 server with the internal NIC having a 10.2.x.x address and the other NIC having a 10.1.x.x address. I then have a switch on the 10.1.x.x network that connects my ISA box to the PIX, and then the outside PIX NIC has a public address. I would like to take the ISA box to a single NIC having a 10.2.x.x address, as well as the ASA. I want all of my HTTP traffic to go through the ISA box and know that I can control this via access rules on the ISA box to only allow traffic from that address (correct?). Also in my network I have numerous other buildings connected to the central location via a Cisco 3600 router. I am assuming that I will need to set the default gateway for the router to the internal address of the ASA server. Finally, I am looking for any sample configurations for the ASA for what I am attempting to accomplish.
Question by:lonekawboy
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 20379098
Given the following topology:

Internet ---------------- ASA ---------------- 10.2.x.x LAN
                                                   |
                                   ISA  -------
                                                   |
                                   3600 ------
                                      /\
                                     /  \
                                    /    \
                            remote  remote
                              site        site

Yes, you could do what you're wanting to do.  Assuming:

ASA Inside - 10.2.1.1
ASA Outside - 1.1.1.1
Next hop gateway (Internet edge router) - 1.1.1.2
ISA IP - 10.2.1.2
3600 IP - 10.2.1.3
Remote networks reached via 3600 router - 10.5.0.0/24, 10.6.0.0/24

You would set up all LAN clients' proxy address to be 10.2.1.2 (ISA box) so that all HTTP traffic is routed through that, so you can control access.  And just in case you have some savvy users who decide to try and bypass your ISA proxy by going straight to the Internet via the ASA, you can specify an outbound access list on the ASA that only allows HTTP traffic from 10.2.1.2 (the ISA box)...all other source IPs are denied access for that port (you can also block other outbound ports as well if you want the ISA to control other protocols).

Yes, you would want to make the default gateway on the 3600 router the ASA inside IP address at 10.2.1.1 (if this is the Internet connection you want the remote sites to use).

Below is a sample configuration to use (this isn't a complete firewall configuration, but it covers the parts that we're talking about in this scenario).


interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd IcweNr2uqu08wAtU encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outbound permit tcp host 10.2.1.2 any eq www
access-list outbound permit tcp host 10.2.1.2 any eq https
pager lines 24
logging enable
logging buffered debugging
logging trap debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside 10.5.0.0 255.255.255.0 10.2.1.3 1
route inside 10.6.0.0 255.255.255.0 10.2.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community private
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0


Author Comment

by:lonekawboy
ID: 20381425
Thanks for the excellent response. One more question before I accept the solution. I have a number of static IP addresses that I want to map into web servers on the inside so for example a 1.1.1.10 I want to go to a 10.2.0.5. and I only want to allow http and https. What are the commands to make this happen? Also, when the ISA box goes out and gets pages from the public side what IP address is it going to use?
Author Comment

by:lonekawboy
ID: 20381597
Sorry but I have one more question. I am using EIGRP on the 3600 and am wondering if I should turn this on for the Internal routes instead of static. Do you see any problems with that? How do I make sure that the Internet is not getting any of my routing information?
LVL 28

Expert Comment

by:batry_boy
ID: 20386406
>>I have a number of static IP addresses that I want to map into web servers on the inside so for example a 1.1.1.10 I want to go to a 10.2.0.5. and I only want to allow http and https. What are the commands to make this happen?

static (inside,outside) 1.1.1.10 10.2.0.5 netmask 255.255.255.255

Just put one of those in for every mapping you want to make.

>>Also, when the ISA box goes out and gets pages from the public side what IP address is it going to use?

I'm not sure I understand the question.  Do you mean what IP address will it look like to the Internet or do you want to know what IP address the ISA box needs to send traffic to in order to get to the Internet?  Could you rephrase the question?

>> I am using EIGRP on the 3600 and am wondering if I should turn this on for the Internal routes instead of static. Do you see any problems with that? How do I make sure that the Internet is not getting any of my routing information?

No, I don't see any problems.  Just make sure you identify the outside interface as passive with the following commands:

router eigrp <as-num>
passive-interface outside

This will prevent the outside interface from sending or receiving any route updates.

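As an added example (not code from this thread and not a Cisco tool), the Python below models how the ASA evaluates the "outbound" list from the accepted solution and an inbound list for the static mapping in this reply: entries are tried in order, the first match decides, and every list ends in an implicit deny. The list name outside_in, the public sample addresses and the DNS flow are constructed assumptions; the thread shows the static NAT but not an outside access-list, and on this pre-8.3 syntax the outside list is written against the mapped address 1.1.1.10. The run shows that the outbound list as written permits only the ISA host on 80/443 and nothing else, so any other protocol the LAN needs has to be added explicitly, and that the mapped web server is reachable only on the ports the outside list permits.

```python
"""Model of Cisco ASA extended access-list evaluation (pre-8.3 syntax).

Added example, not code from the thread. Entries are tried in order,
the first match decides, and every list ends in an implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Common port keywords the ASA accepts after 'eq'.
NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}

# Two lines from the accepted answer, plus a constructed outside list
# (the thread shows the static NAT but not an inbound list; the name
# 'outside_in' is an assumption). With pre-8.3 syntax the outside list
# is written against the mapped/public address, hence 1.1.1.10 here.
SAMPLE_CONFIG = """
access-list outbound permit tcp host 10.2.1.2 any eq www
access-list outbound permit tcp host 10.2.1.2 any eq https
access-list outside_in permit tcp any host 1.1.1.10 eq www
access-list outside_in permit tcp any host 1.1.1.10 eq https
"""


@dataclass
class Ace:
    """One access-control entry."""
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'tcp', 'udp', 'icmp' or 'ip'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]          # None when no 'eq <port>' was given


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text: str) -> Dict[str, List[Ace]]:
    """Collect access-list lines into ordered lists keyed by list name."""
    acls: Dict[str, List[Ace]] = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, port))
    return acls


def permitted(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """First-match evaluation with the ASA's implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action == "permit"
    return False  # no entry matched: implicit deny


def check_flows() -> Dict[str, bool]:
    """Evaluate representative flows; addresses not in the thread are constructed."""
    acls = parse_acls(SAMPLE_CONFIG)
    out, inb = acls["outbound"], acls["outside_in"]
    return {
        # ISA proxy fetching a page: allowed by the first outbound entry
        "isa_http": permitted(out, "tcp", "10.2.1.2", "203.0.113.10", 80),
        # LAN client skipping the proxy: no entry matches, implicit deny
        "client_bypass_http": permitted(out, "tcp", "10.2.1.50", "203.0.113.10", 80),
        # Same ISA host, but DNS: not in the list as written, so also denied
        "isa_dns": permitted(out, "udp", "10.2.1.2", "203.0.113.53", 53),
        # Public HTTPS to the mapped web server address
        "inbound_https": permitted(inb, "tcp", "198.51.100.7", "1.1.1.10", 443),
        # Any port other than 80/443 toward that mapping is dropped
        "inbound_ssh": permitted(inb, "tcp", "198.51.100.7", "1.1.1.10", 22),
    }


if __name__ == "__main__":
    for name, ok in check_flows().items():
        print(f"{name:20s} {'permit' if ok else 'deny'}")
```

The parser covers only the address forms used in the thread (any, host, network plus dotted mask) and a single "eq" destination port; object-groups, ranges and source-port matches would need extending it.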