Cisco ASA 5510 Firewall setup
Hello Cisco experts
We just recently bought a Cisco ASA 5510 appliance and I am supposed to set it up and install in our network (currently use Watchguard)
My conection to the internet is a 5MB Optical Circuit (Metro Ethernet) and the Ethernet cable is plugged straight into Watchguard outbound port. (no router)
Behind the firewall I have 3 internal networks (2 + 1 DMZ) . I am trying to figure out the best way to set the ASA up so I have started to read an article Cisco Document ID 63880 "Connecting Multiple Internal Networks with Internet: Configuration Example"
This document refers to PIX/ASA 7.x or higher and one of the prerequisites is to use a Cisco router behind the PIX (?!) I don't know if this apply to ASA device, it it does then I am in trouble (need a router)
My ASA 5510 software is 7.12 . I have tried to upgrade to 8.X (available on the CD which came with the unit) but it fails every time I try to upgrade the software
I have also noticed that Packet Tracker is not available on my ASDM interface. Should I upgrade to v 6.11 ( also available on CD) or is something else I should to to get this very usefull tool
Thank you all in advance for your help
Cheers
We just recently bought a Cisco ASA 5510 appliance and I am supposed to set it up and install in our network (currently use Watchguard)
My conection to the internet is a 5MB Optical Circuit (Metro Ethernet) and the Ethernet cable is plugged straight into Watchguard outbound port. (no router)
Behind the firewall I have 3 internal networks (2 + 1 DMZ) . I am trying to figure out the best way to set the ASA up so I have started to read an article Cisco Document ID 63880 "Connecting Multiple Internal Networks with Internet: Configuration Example"
This document refers to PIX/ASA 7.x or higher and one of the prerequisites is to use a Cisco router behind the PIX (?!) I don't know if this apply to ASA device, it it does then I am in trouble (need a router)
My ASA 5510 software is 7.12 . I have tried to upgrade to 8.X (available on the CD which came with the unit) but it fails every time I try to upgrade the software
I have also noticed that Packet Tracker is not available on my ASDM interface. Should I upgrade to v 6.11 ( also available on CD) or is something else I should to to get this very usefull tool
Thank you all in advance for your help
Cheers
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
first, you have 3 100mbit interfaces (incl the management) and 2 1Gb interfaces (0 and 1 i think)
of course use the GB interfaces for LAN and whichever DMZ has the most traffic, spread the others
u dont need a router to make the different Networks connected to the ASA to communicate with each other
you use static and access-list commands to restrict communication the way you want.
you will have to give me more detail on your network to make any other suggestions and since you have an ASA now, tell your boss you need Cisco Training for that thing, otherwise you will never really know what you are doing and less understand it
this - "same-security-traffic permit inter-interface" is the lazy version if you dont need access rules between the interface (physical and virtual)
anyways, without a plan its hard to say whats best for you
of course use the GB interfaces for LAN and whichever DMZ has the most traffic, spread the others
u dont need a router to make the different Networks connected to the ASA to communicate with each other
you use static and access-list commands to restrict communication the way you want.
you will have to give me more detail on your network to make any other suggestions and since you have an ASA now, tell your boss you need Cisco Training for that thing, otherwise you will never really know what you are doing and less understand it
this - "same-security-traffic permit inter-interface" is the lazy version if you dont need access rules between the interface (physical and virtual)
anyways, without a plan its hard to say whats best for you
if you want to stay with version 7 you need to upgrade to 7.2.4 and ASDM 5.2.4 - i dont really recommend version 8 as it has alot more bugs then 7
it has advantages if you use alot of ssl-vpn, other then that stay with 724
and you need a tftp or ftp server to upload the image or you use the http interface for it, dont forget to match ASDM with the Version you want to run and edit the config to tell it to boot the right image
it has advantages if you use alot of ssl-vpn, other then that stay with 724
and you need a tftp or ftp server to upload the image or you use the http interface for it, dont forget to match ASDM with the Version you want to run and edit the config to tell it to boot the right image
ASKER
Thank you guys for the time taken to answer. Yes, I am new to cisco stuff. So far I have managed to upgrade to v 8 and ASDM 6, configure the appliance, and I am in process to setup the access rules. Compared with Watchguard is a different world ! I am not going to use "Enable traffic between interfaces with the same security level" because yes, that's a lazy way to do it. Again, thank you all for your time responding to my question.
Old Links Above
http://www.petenetlive.com/KB/Article/0000075.htm
also see
http://www.petenetlive.com/KB/Article/0000173.htm
http://www.petenetlive.com/KB/Article/0000075.htm
also see
http://www.petenetlive.com/KB/Article/0000173.htm
Old Links above see
Update ASA form ASDM http://www.petenetlive.com/KB/Article/0000073.htm
Update ASA form CLI http://www.petenetlive.com/KB/Article/0000074.htm
Update ASA form ASDM http://www.petenetlive.com/KB/Article/0000073.htm
Update ASA form CLI http://www.petenetlive.com/KB/Article/0000074.htm
You can configure each of the interfaces on the device (4 on your model I believe) to a different subnet. So; you do not require a router. The only problem you may run into is if you want the to subnets to communicate directly without restriction you will need to set them to the same security level and configure the "same-security-traffic permit inter-interface" command to get that to work.