Cisco ASA 5505 Config questions

I need a little help determining the best location for a new ASA 5505 we purchased a while back.

We have a Microsoft SBS 2003 unit running ISA 2004 firewall. An external audit determined that the ISA firewall is protecting the server from external access, however we have a DLink router set up to handle internet access, and that connection is not secured by the ISA firewall. Basically creating a backdoor to the server.

Here's what we have in place:

Adtran Router (Internet): IP Address - xx.xx.xx.241
SBS2003 External (Mail etc): IP Address - xx.xx.xx.242
DLink Router (External): IP Address - xx.xx.xx.243

SBS2003 Internal (Network): IP Address - 192.168.254.3
DLink Router Internal (Network): IP Address - 192.168.254.2
Procurve Switches (Network): Handles workstation connections

Our Current DHCP Scope assigns the following:

IP Address: 192.168.254.xxx
Subnet: 255.255.255.0
Default Gateway: 192.168.254.2
DNS Server: 192.168.254.3

We have a 5 port switch directly behind our internet router. This handles the connections for the external access.

I want to use the ASA in the best location, and personally I think replacing the 5 port switch and eliminating the second router may be the best location, I'm just not sure I can set that up using VLANs. If we can't, I think I should just replace the DLink router with the ASA and run from there.

The ISA Firewall is protecting the server from external access, and I think the ASA will handle the other external IP Address without having to interfere with the main server. Is this assumption ridiculous?

Should I place the ASA directly behind the internet router and configure the main server on a DMZ?

thanks.
kwcraft Asked:
 
rustamonline Commented:
ASA5505-SEC-BUN-K9 can support DMZ. If your bundle differs from it, do as in the screenshot.


NetMap.jpg
0
 
khashayar01 Commented:
Here is what I recommend assuming your internet router provides you with an Ethernet hand-off and doesn't require circuit termination.


Lan -------- ASA ----------Internet router --------- internet

I have several offices set up where the internet router plugs directly into our ASA and you can use NATing (static command) and ACLs to map external IPs to internal IPs.

As far as DMZ is concerned, for maximum protection it is recommended to place any server communicating with the internet in an isolated zone (DMZ). Your Inside and Outside VLANs are created by default but if you want to create a DMZ then you are going to need to create a third VLAN.
0
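
The layout recommended in the answer above, written out as an ASA 5505 configuration. This is an added example, not configuration posted by anyone in the thread. It assumes pre-8.3 ASA software (the release family that uses the `static` command), a license that allows a third fully functional VLAN, the ASA taking over xx.xx.xx.243 from the DLink, and a constructed DMZ subnet, server address, outside mask and list of permitted ports.

```cisco
! Constructed example (pre-8.3 syntax). Only xx.xx.xx.241/.242/.243 and
! 192.168.254.0/24 come from the thread; every other value is an assumption.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.254.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.243 255.255.255.248
! Third VLAN for the DMZ. On a Base license this VLAN is only accepted
! after restricting it with "no forward interface Vlan1".
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
! Switch ports: e0/0 faces the internet router, e0/1 faces the DMZ server.
! Remaining ports stay in VLAN 1 (inside) by default.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
! Default route points at the internet router.
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.241 1
! One-to-one static NAT: public .242 maps to the server's DMZ address.
static (dmz,outside) xx.xx.xx.242 192.168.100.10 netmask 255.255.255.255
! Inbound ACL: permit only the published services, matched on the
! translated (public) address. Everything else hits the implicit deny.
access-list outside_in extended permit tcp any host xx.xx.xx.242 eq smtp
access-list outside_in extended permit tcp any host xx.xx.xx.242 eq https
access-group outside_in in interface outside
! Workstations share the ASA's outside address for outbound traffic (PAT).
nat (inside) 1 192.168.254.0 255.255.255.0
global (outside) 1 interface
! Identity static so inside hosts reach the DMZ untranslated instead of
! matching "nat (inside) 1" with no global defined on the dmz interface.
static (inside,dmz) 192.168.254.0 192.168.254.0 netmask 255.255.255.0
```

With no ACL applied to the dmz interface, the server can open connections outbound but cannot initiate connections to the inside network, because traffic from security-level 50 to level 100 is denied by default.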
 
sidetracked Commented:
Should I place the ASA directly behind the internet router and configure the main server on a DMZ?

The answer is yes.
0
 
kwcraft (Author) Commented:
Right now I have the following setup with the ASA in place:

Internet --- Internet Router --- Switch --- ASA --- Internal Switches
                                                     | ------- External Server     |------- Internal Server

This is working out for the moment, but we are about to upgrade to SBS 2008 and that will eliminate the dual network card setup. I will reconfigure the ASA once this happens.

thanks everyone for the help.
0
 
kwcraft (Author) Commented:
These answers all were correct, I used a temporary setup and will use the ones listed here when we upgrade.
0
Question has a verified solution.
