Cisco ASA 5505 Initial Configuration for Private Network with External Connectivity

I just got the Cisco ASA 5505 and I am having some issues setting it up. We have 5 static IP addresses ranging from 67.XX.XXX.130-135. The IP address of my router is 67.XX.XXX.129, which is one less than the static IPs I have, and the subnet mask is 255.255.255.248. The internal side is all set up to just use the external static IP addresses. All the other postings I have seen have shown the IP addresses for the inside network to be on a completely different IP address range. I was hoping someone could send me an initial config file to get the basics set up. I don't need VPN, just basic security, and I will modify later.
danaustri asked:
Pete Long (Technical Consultant) commented:
Connect to your ASDM (see my website here: http://www.petenetlive.com/Tech/Firewalls/Cisco/connect2.htm) and run through the setup wizard; if you get stuck just sing out :)
Pete Long (Technical Consultant) commented:
>> have seen, have shown the ip addresses for the inside network to be on a completely different ip address range.
Correct, that's done with a global and a nat command, i.e.:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ! Editor's note: the post had .128 here, which is the network address of the
 ! /29 and cannot be assigned to an interface; one of the usable addresses
 ! (.130 from the question) is used instead.
 ip address 67.XX.XXX.130 255.255.255.248
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.XX.XXX.129 1

danaustri (Author) commented:
I don't want the internal IP addresses to be different though. I want it set up so that the computers inside the network can keep and pass through their external static IP addresses.
danaustri (Author) commented:
Here is the deal on the setup of my network.

I have a Windows server that is set up as follows:
IP address: 67.XX.XXX.130
subnet: 255.255.255.248
gateway: 67.XXX.XXX.129

I have another server set up as follows:
IP address: 67.XX.XXX.131
subnet: 255.255.255.248
gateway: 67.XXX.XXX.129

My Cisco 2821 router is set up as follows:
IP address: 67.XX.XXX.129
subnet: 255.255.255.248

Now when putting in the firewall between the router and the two servers, how do I set it up so I don't have to change the external static IP addresses that the servers are using?
dkarpekin commented:
Why is the 2821 67.XX.XXX.129? This address should belong to the ISP modem/router, which will be used as the "gateway/next hop" in your 2821 router config.
And the interface of your 2821 facing the ISP should have one of 67.XX.XXX.130-135.
Any servers with a public WAN address from this range should be connected to the ISP modem/router as well (if there are not enough ports, you can get a $30 4-port switch).
Posting a drawing would be helpful for further discussion.
dkarpekin commented:
P.S.
Your basic config should look like this:
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 52000
enable secret 5
enable password 7
!
! Editor's note: this line was truncated to "a" in the post; "aaa new-model" is
! assumed, since "aaa session-id" below requires it.
aaa new-model
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
ip cef
!
ip domain name
ip name-server
ip name-server
!
voice-card 0
 no dspfarm
!
ip tcp synwait-time 10
!
interface FastEthernet0/0
 description Wan side
 ip address 68.x.x.130 255.255.255.248
 ! Editor's note: added; the "ip nat inside source" statement below does
 ! nothing unless the interfaces are marked as NAT inside/outside.
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN side
 ip address 10.10.0.100 255.255.0.0
 ! Editor's note: added for the same reason as "ip nat outside" above.
 ip nat inside
!
! Editor's note: a default route pointing only at an Ethernet interface relies on
! proxy ARP at the ISP; specifying the ISP next-hop address is more robust.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 permanent
!
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.0.0 0.0.255.255
!
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
!
! Editor's note: "perm" in the post was truncated; "permit 1" is the SDM default.
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password
scheduler allocate 20000 1000
ntp update-calendar
ntp server r
!

and use SDM to simplify config.
dkarpekin commented:
This should give some details, and having your connection topology will be really helpful.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml
danaustri (Author) commented:
Basically, I want a setup that is laid out like the JPG attached in terms of IP addresses. I have the two servers connected to a dumb switch, which is then connected to the router. The two servers are set up to have external static IP addresses. There is no NAT used.
(attachment: setup.JPG)
danaustri (Author) commented:
OK, here is a rough idea of how our network is set up, including putting this lovely little firewall in there. Any help would be greatly appreciated on how I work with the IP address issue.
(attachment: setup.JPG)
dkarpekin commented:
If the external IP is the same as the internal, then it defeats the purpose of having a router, and you can connect the ASA directly to the ISP.
And on 255.255.255.248 you will have the IP range 67.x.x.129-67.x.x.134; 67.x.x.135 is the broadcast IP and cannot be assigned to anything - please confirm that with the ISP.
The Cisco link above is a pretty straightforward config; use ASDM to simplify the config.
Also you can replace the "dumb switch" with the 8-port module of the ASA, unless you need more than 300 feet from the ASA to the PC.
danaustri (Author) commented:
We have the router due to the number of T1 lines coming into our office. We also have more than 300 ft of cord involved, which is why we have the switch.
Pete Long (Technical Consultant) commented:
dkarpekin commented:
Agree, just follow the link example, and once you "preconfigure", check basic ping/connectivity to the "outside" world: use "tracert x.x.x.x", "ping www.yahoo.com", or from the ASA "trace ip x.x.x.x".
danaustri (Author) commented:
Thanks for the transparent firewall mode comment. I did not know about that mode. Is there any security issue with this mode, or downsides versus doing nat 0 and just passing through the IP addresses that I need to?
Pete Long (Technical Consultant) commented:
>> Is there any security issue with this mode or downsides

No, in fact it is more secure as a "bump in the wire" than a traditional firewall :)
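An added example of the transparent-mode ("bump in the wire") setup the thread settles on, for the topology described above: the 2821 stays at 67.XX.XXX.129, the two servers keep 67.XX.XXX.130 and .131 with .129 as their gateway, and nothing is NATed. This is editor-added example configuration, not code from the original post or from any participant. It assumes ASA 5505 running 8.0-8.2 syntax, that 67.XX.XXX.134 is unused and can be the bridge's management address, and that the only services exposed are web on .130 and mail on .131; all of those are assumptions to adjust for the real network.

```cisco
! Added example (not from the original post): ASA 5505 as a layer-2 transparent
! firewall between the 2821 router and the switch that carries the two servers.
! Servers keep their public /29 addresses; the ASA only filters and tracks state.
firewall transparent
hostname asa5505
!
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
! Assumption: Ethernet0/0 cables to the 2821 (.129), Ethernet0/1 to the server switch.
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
! The bridge needs one address inside the /29 for management and for traffic the
! ASA itself originates (syslog, NTP, ASDM). Assumption: .134 is free.
ip address 67.XX.XXX.134 255.255.255.248
route outside 0.0.0.0 0.0.0.0 67.XX.XXX.129 1
!
! Inbound policy: everything from the outside is dropped (and logged) unless
! explicitly permitted. Assumed services: HTTP/HTTPS on .130, SMTP on .131.
! ICMP echo to the /29 is left open for troubleshooting; remove it once verified.
access-list OUTSIDE_IN extended permit tcp any host 67.XX.XXX.130 eq www
access-list OUTSIDE_IN extended permit tcp any host 67.XX.XXX.130 eq https
access-list OUTSIDE_IN extended permit tcp any host 67.XX.XXX.131 eq smtp
access-list OUTSIDE_IN extended permit icmp any 67.XX.XXX.128 255.255.255.248 echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Inside-to-outside is permitted by the security levels; return traffic for those
! connections is admitted by the state table, not by the ACL above.
! Management is reachable only from the inside segment.
http server enable
http 67.XX.XXX.128 255.255.255.248 inside
ssh 67.XX.XXX.128 255.255.255.248 inside
ssh timeout 10
!
logging enable
logging buffered informational
```

Two practical caveats. First, `firewall transparent` clears the running configuration when the mode is changed, so apply it from the console before pasting the rest. Second, the "bump in the wire" is only as secure as the `OUTSIDE_IN` list: transparent mode removes the need to re-address anything and takes the ASA out of the routing path, but it does not filter by itself, so verify with `show firewall` (expect "Firewall mode: Transparent"), `show access-list OUTSIDE_IN` (hit counts should climb on the deny line while you probe from outside), and `show conn` for the permitted sessions. Traffic in the default deny also shows up in the log buffer (`show logging`) because of the `log` keyword on the final rule.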
Pete Long (Technical Consultant) commented:
ThanQ