Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

ASA 5510 Configuration

Posted on 2007-11-29
4
Medium Priority
?
1,749 Views
Last Modified: 2012-05-05
I currently have a PIX and ISA 2004 configuration that I would like to change as I move to a ASA 5510. Currently my internal network 10.2.x.x has a dual nic ISA 2004 server with the internal nic having a 10.2.x.x address and the other nic have a 10.1.x.x address. I then have a switch on the 10.1.x.x network that connects my ISA box to the PIX and then the outside PIX nic has a public address. I would like to take the ISA box to a single nic having a 10.2.x.x address as well as the ASA. I want all of my HTTP traffic to go through the ISA box and know that I can control this via access rules on the ISA box to only allow traffic from that address (correct ?). Also in my network I have numerous other buildings connected to the central location via a Cisco 3600 router. I am assuming that I will need to set the default gateway for the router to the internal address of the ASA server. Finally, I am looking for any sample configurations for the ASA for what I am attempting to accomplish.
0
Comment
Question by:lonekawboy
  • 2
  • 2
4 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 2000 total points
ID: 20379098
Given the following topology:

Internet ---------------- ASA ---------------- 10.2.x.x LAN
                                                   |
                                   ISA  -------
                                                   |
                                   3600 ------
                                      /\
                                     /  \
                                    /    \
                            remote  remote
                              site        site

Yes, you could do what you're wanting to do.  Assuming:

ASA Inside - 10.2.1.1
ASA Outside - 1.1.1.1
Next hop gateway (Internet edge router) - 1.1.1.2
ISA IP - 10.2.1.2
3600 IP - 10.2.1.3
Remote networks reached via 3600 router - 10.5.0.0/24, 10.6.0.0/24

You would set up all LAN client's proxy address to be 10.2.1.2 (ISA box) so that all HTTP traffic is routed through that so you can control access.  And just in case you have some savvy users who decide to try and bypass your ISA proxy by and going straight to the Internet via the ASA, you can specify an outbound access list on the ASA that only allows HTTP traffic from 10.2.1.2 (the ISA box)...all other source IP's are denied access for that port (you can also block other outbound ports as well if you want the ISA to control other protocols).

Yes, you would want to make the default gateway on the 3600 router the ASA inside IP address at 10.2.1.1 (if this is the Internet connection you want the remote sites to use).

Below is a sample configuration to use (this isn't a complete firewall configuration, but it covers the parts that we're talking about in this scenario).


interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd IcweNr2uqu08wAtU encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outbound permit tcp host 10.2.1.2 any eq www
access-list outbound permit tcp host 10.2.1.2 any eq https
pager lines 24
logging enable
logging buffered debugging
logging trap debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside 10.5.0.0 255.255.255.0 10.2.1.3 1
route inside 10.6.0.0 255.255.255.0 10.2.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community private
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0

Open in new window

0
 

Author Comment

by:lonekawboy
ID: 20381425
Thanks for the excellent response. One more question before I accept the solution. I have a number of static IP addresses that I want to map into web servers on the inside so for example a 1.1.1.10 I want to go to a 10.2.0.5. and I only want to allow http and https. What are the commands to make this happen? Also, when the ISA box goes out and gets pages from the public side what IP address is it going to use?
0
 

Author Comment

by:lonekawboy
ID: 20381597
Sorry but I have one more question. I am using EIGRP on the 3600 and am wondering if I should turn this on for the Internal routes instead of static. Do you see any problems with that? How do I make sure that the Internet is not getting any of my routing information?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20386406
>>I have a number of static IP addresses that I want to map into web servers on the inside so for example a 1.1.1.10 I want to go to a 10.2.0.5. and I only want to allow http and https. What are the commands to make this happen?

static (inside,outside) 1.1.1.10 10.2.0.5 netmask 255.255.255.255

Just put one of those in for every mapping you want to make.

>>Also, when the ISA box goes out and gets pages from the public side what IP address is it going to use?

I'm not sure I understand the question.  Do you mean what IP address will it look like to the Internet or do you want to know what IP address the ISA box needs to send traffic to in order to get to the Internet?  Could you rephrase the question?

>> I am using EIGRP on the 3600 and am wondering if I should turn this on for the Internal routes instead of static. Do you see any problems with that? How do I make sure that the Internet is not getting any of my routing information?

No, I don't see any problems.  Just make sure you identify the outside interface as passive with the following commands:

router eigrp <as-num>
passive-interface outside

This will prevent the outside interface from sending or receiving any route updates.

0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question