  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 11418

ASA configuration help

Hi!
I have been hired by a company that wants to host its own web services, like financial research, in its own data center, and I was asked to come up with a solution that will be available 24/7.

However, I came up with a solution (draft diagram attached), but I have a few questions regarding the configuration of the Cisco ASA 5550.

1- If BGP cannot be configured at this time, can I have two leased-line Internet connections coming into both of the outside routers, with one of the lines configured as a backup interface on the ASA device?

2- Can I have each one of the DNS servers on a separate subnet, assuming that the first ISP range is 1.1.1.0 and the second is 2.1.1.0?

3- Is the configuration example below for the active ASA right (ACLs, failover, backup ISP config & NATing)?

ASA1# sh run
: Saved
:
PIX Version 7.2(3)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
interface Ethernet1
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
!
interface Ethernet2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
!
interface Ethernet3
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 nameif backup
 security-level 0
 ip address 2.1.1.1 255.255.255.0 standby 2.1.1.2
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_int extended permit tcp any host 1.1.1.3 eq domain
access-list outside_int extended permit udp any host 1.1.1.3 eq domain
access-list outside_int extended permit tcp any host 1.1.1.4 eq www
access-list outside_int extended permit tcp any host 1.1.1.4 eq https
access-list backup_int extended permit tcp any host 2.1.1.3 eq domain
access-list backup_int extended permit udp any host 2.1.1.3 eq domain
access-list outside_int extended permit icmp any any
access-list inside_int extended permit ip any any
access-list dmz_int extended permit tcp host 172.16.0.50 any eq domain
access-list dmz_int extended permit tcp host 172.16.0.51 any eq domain
access-list dmz_int extended permit tcp host 172.16.0.100 any eq www
access-list dmz_int extended permit tcp host 172.16.0.100 any eq https
access-list dmz_int extended permit ip any 192.168.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,outside) 1.1.1.3 172.16.0.50 netmask 255.255.255.255
static (dmz,backup) 2.1.1.3 172.16.0.51 netmask 255.255.255.255
static (dmz,outside) 1.1.1.4 172.16.0.100 netmask 255.255.255.255
static (dmz,backup) 2.1.1.4 172.16.0.100 netmask 255.255.255.255
access-group inside_int in interface inside
access-group dmz_int in interface dmz
access-group outside_int in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.10 1 track 1
route backup 0.0.0.0 0.0.0.0 2.1.1.10 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 1.0.0.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
telnet timeout 5
ssh timeout 5
console timeout 0

Thanks in advance for your help,
Network-Diagram-Draft6b.jpg
Asked by Omarhib2
1 Solution
lrmoore commented:
1 - Yes, but... I would put a switch between them and run OSPF between the routers and the ASA.
2 - Yes, it is actually recommended that they be, but... both primary and secondary should be available online at the same time. With your backup config only one will be available at a time.
3 - See above.
>access-list dmz_int extended permit ip any 192.168.0.0 255.255.255.0
Then what is the purpose of having a DMZ if you are allowing all traffic between dmz and inside?

>access-list dmz_int extended permit tcp host 172.16.0.50 any eq domain
>access-list dmz_int extended permit tcp host 172.16.0.51 any eq domain
These should be (UDP vs. TCP for DNS):
access-list dmz_int extended permit udp host 172.16.0.50 eq domain any
access-list dmz_int extended permit udp host 172.16.0.51 eq domain any
access-list dmz_int extended permit udp host 172.16.0.50 any eq domain
access-list dmz_int extended permit udp host 172.16.0.51 any eq domain
access-list dmz_int extended permit tcp host 172.16.0.100 eq www any
access-list dmz_int extended permit tcp host 172.16.0.100 eq https any
access-list dmz_int extended permit tcp 172.16.0.0 255.255.255.0 any eq http
access-list dmz_int extended permit tcp 172.16.0.0 255.255.255.0 any eq https

>access-list inside_int extended permit ip any any
Do not assign this acl to the inside interface. Permit any any is the default from inside to outside or inside to dmz.

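As an added example (not from this thread), here is a small Python linter that parses plain `access-list ... extended` and `access-group` lines like those in the draft config above and flags the three ACL problems lrmoore raises: a DMZ ACL that permits IP from any host to the inside network, a DNS rule written for TCP only, and a redundant `permit ip any any` bound to the inside interface. The inside subnet 192.168.0.0/24 and the sample lines are taken from the draft; object-group syntax and port operators other than `eq` are not parsed (an assumption of this example).

```python
import re
from collections import defaultdict

# Constructed sample: ACL and access-group lines taken from the draft config above.
SAMPLE_CONFIG = """\
access-list outside_int extended permit tcp any host 1.1.1.3 eq domain
access-list outside_int extended permit udp any host 1.1.1.3 eq domain
access-list inside_int extended permit ip any any
access-list dmz_int extended permit tcp host 172.16.0.50 any eq domain
access-list dmz_int extended permit ip any 192.168.0.0 255.255.255.0
access-group inside_int in interface inside
access-group dmz_int in interface dmz
access-group outside_int in interface outside
"""

def _addr(t):  # consume 'any' | 'host X' | 'NET MASK'; return (spec, rest)
    if t[0] == "any":
        return "any", t[1:]
    if t[0] == "host":
        return t[1] + "/255.255.255.255", t[2:]
    return t[0] + "/" + t[1], t[2:]

def _port(t):  # consume an optional 'eq PORT'; return (port or None, rest)
    return (t[1], t[2:]) if t[:1] == ["eq"] else (None, t)

def parse_ace(line):  # plain extended ACEs only: no object-groups, 'eq' ports only
    m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line)
    if not m: return None
    acl, action, proto, rest = m.groups()
    src, t = _addr(rest.split())
    sport, t = _port(t)
    dst, t = _addr(t)
    dport, _ = _port(t)
    return dict(acl=acl, action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def lint(config_text, inside_net="192.168.0.0/255.255.255.0"):
    bound = dict(re.findall(r"access-group (\S+) in interface (\S+)", config_text))  # ACL -> interface
    aces = [a for a in map(parse_ace, config_text.splitlines()) if a]
    dns, findings = defaultdict(set), []
    for a in (x for x in aces if x["action"] == "permit"):
        iface = bound.get(a["acl"])
        if iface == "dmz" and a["proto"] == "ip" and a["dst"] in ("any", inside_net):
            findings.append(f"{a['acl']}: DMZ -> {a['dst']} open on every port; restrict to one service")
        if iface == "inside" and a["proto"] == "ip" and a["src"] == a["dst"] == "any":
            findings.append(f"{a['acl']}: 'permit ip any any' on inside is redundant; default permits it")
        if "domain" in (a["sport"], a["dport"]):  # collect the protocols each DNS flow allows
            dns[(a["acl"], a["src"], a["dst"])].add(a["proto"])
    for (acl, src, dst), protos in dns.items():
        if protos == {"tcp"}:
            findings.append(f"{acl}: DNS rule {src} -> {dst} is TCP-only; add a matching UDP/53 line")
    return findings
```

Running `lint(SAMPLE_CONFIG)` on the draft yields three findings, one for each issue in the reply above; the same lines with the UDP DNS rule and the 1521-only database rule in place produce none.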
lrmoore commented:
BTW, personally, I would not use the 4500s. I would opt for a 6500 VSS pair. No HSRP. Cross-chassis multichannel uplinks to distribution switches.

On your 3750 pair in the DMZ, you do not need cross-connects, and you do not need HSRP because of the StackWise features of the 3750.

Omarhib2 (author) commented:
Thanks for your comments...

>access-list dmz_int extended permit ip any 192.168.0.0 255.255.255.0
Then what is the purpose of having a DMZ if you are allowing all traffic between dmz and inside?
-- The above ACL is temporary and will be replaced with an ACL allowing port 1521 only; it is needed for the web servers in the DMZ to access the Oracle database servers in the inside network. Is it secure to proceed with this design (allowing the web servers to access the DB servers on port 1521 only)?

-- Can you please clarify more about why to run OSPF between the routers and the ASA devices, with an example?

-- Can you confirm that the static mapping in my case is correct?

Thanks for your time...