• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1115
  • Last Modified:

Cisco ASA 5505 Initial Configuration for Private Network with External Connectivity

I just got the Cisco ASA 5505 and I am having some issues setting it up.  We have 5 static Ip addresses ranging from 67.XX.XXX.130-135.  The ip address to my router is 67.XX.XXX.129 which is one less than the static ip's I have and the subnet mask is 255.255.255.248.  The internal side is all set up to just use the external static ip addresses.  All the other postings I have seen, have shown the ip addresses for the inside network to be on a completely different ip address range.  I was hoping someone could send me an initial config file to get the basics set up.  I dont need VPN , just basic security and I will modify later.  
0
danaustri
Asked:
danaustri
  • 6
  • 6
  • 6
2 Solutions
 
Pete LongConsultantCommented:
Connect to your ASDM see my website here http://www.petenetlive.com/Tech/Firewalls/Cisco/connect2.htm
and run through the setup wizard - if you get stuck just sing out :)
0
 
Pete LongConsultantCommented:
>> have seen, have shown the ip addresses for the inside network to be on a completely different ip address range.
Correct thats done with a global and a nat command
 
ie
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.XX.XXX.128 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.XX.XXX.129 1
 
0
 
danaustriAuthor Commented:
I dont want the internal ip addresses to be different though.  I want it set up so that the computers inside the network can keep and pass through their external static ip addresses.  
0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
danaustriAuthor Commented:


Here is the deal of the set up for my network.

I have a windows server that is set up as follows:
ip address:  67.XX.XXX.130
subnet: 255.255.255.248
gateway:  67.XXX.XXX.129

I have another server set up as follows:  
ip address:  67.XX.XXX.131
subnet: 255.255.255.248
gateway:  67.XXX.XXX.129  

My cisco 2821 router is set up as follows:
ip address:  67.XX.XXX.129
subnet: 255.255.255.248

Now when putting in the firewall between the router and the two servers, how do I set it up so I dont have to change the external static ip addresses that the servers are using.  
0
 
dkarpekinCommented:
Why 2821 is 67.XX.XXX.129  ? This address should belong to ISP modem/router, which will be used as "gateway/next hop" in your router 2821 config.
And interface of your 2821 facing ISP should have one of 67.XX.XXX.130-135.
Any servers with public WAN from this range , should be connected to ISP modem/router as well (if there is not enouf port - you cn get $30 4 port switch).
Posting some drawing should be helpfull for further discussion.
0
 
dkarpekinCommented:
P.S.
Your basic config should be looks like this
Username:
Password:


Using 7427 out of 245752 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 52000
enable secret 5
enable password 7

!
!
a
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
!
ip cef
!
!
ip domain name
ip name-server
ip name-server
!

!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
 no dspfarm
!
!

!
!
ip tcp synwait-time 10
!
!
!

!
interface FastEthernet0/0
 description Wan side
 ip address 68.x.x.130 255.255.255.248
  duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN side
 ip address 10.10.0.100 255.255.0.0
 
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 permanent

!
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.0.0 0.0.255.255
!
!
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
!
route-map SDM_RMAP_1 perm
 match ip address 101
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password
scheduler allocate 20000 1000
ntp update-calendar
ntp server r
!

and use SDM to simplify config.
0
 
dkarpekinCommented:
This should give some details, and having your connection topology will be really helpfull.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml
0
 
danaustriAuthor Commented:
Basically, I want a set up that is laid out like the jpg attached in terms of ip addresses.  I have the two servers connected to a dumb switch which is then connected to the router.  The two servers are set up to have external ip static ip addresses.  There is no NAT used.  
setup.JPG
0
 
danaustriAuthor Commented:
Ok, here is a rough idea of how our network is setup including putting this lovely little firewall in there.  Any  help would be greatly appreciated on how I work with the ip address issue.  

setup.JPG
0
 
dkarpekinCommented:
If external Ip same as internal, then it is defeat purpose of having router, and you can connect ASA directly to ISP.
And on 255.255.255.248 you will have IP range 67.x.x.129-67.x.x.134 , and 67.x.x.135- is broadcast IP cannot be used to assigned to anything- please confirm that with ISP.
In cisco link above - prett straight forward config, use ASDM simplyfy config.
Also you can replace "dumb switch " with 8 port module for ASA, unless you need more then 300feet from ASA to PC.
0
 
danaustriAuthor Commented:
We have the router due to the number of T1 lines coming into our office.  We also have more than 300 ft of cord involved which is why we have the switch.  
0
 
Pete LongConsultantCommented:
0
 
dkarpekinCommented:
Agree, just follow the link example, and once you "preconfigure" check basic ping/conuctivity to "outside" word, use "tracert x.x.x.x", "ping www.yahoo.com"  or from ASA "trace ip x.x.x.x".
0
 
danaustriAuthor Commented:
Thanks for the transparent firewall mode comment.  I did not know about that mode.  Is there any security issue with this mode or downsides versus doing Nat 0 and just passing through the ip addresses that I need to?
0
 
Pete LongConsultantCommented:
>>Is there any security issue with this mode or downsides
 
no in fact is more secure as a 2bump in the wire" than a traditional firewall :)
0
 
Pete LongConsultantCommented:
ThanQ
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

  • 6
  • 6
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now