Cisco ASA 5505 initial config help

I have been allocated a /26 which is routed to a /30. I need to configure an ASA5505 to route the subnet and provide basic firewall functionality (all open at first, then will lock down) to a group of servers. I do not wish to run NAT.  Any help is greatly appreciated.
0
Asked by: maxvisionsmith
3 Solutions
 
GridLock137 commented:
Do you know the range of IP addresses they gave you?

In regards to NAT, that will be the only way to make sure your servers internally are not exposed to the outside world; you need NAT to make that translation from the outside request to the inside.
0
 
maxvisionsmith (Author) commented:
My servers must have public IPs because they run cPanel. I was assigned a /26, which is routed to a /30.
0
 
Boilermaker85 commented:
Your servers need public IPs on the outside of the ASA. On the inside they can be private. You use static statements to link the inside IP to the public IP. From a /26, you have 62 available IPs. Apparently, you have carved out of that 4 addresses in a /30 for the router-to-ASA link (router gets one IP, ASA interface gets another, plus network and broadcast). Let's assume you have web server A inside at 192.168.10.10. And you have many IPs left to use for statics, so let's assume your /26 is 111.222.333.64/26. And you used .65 as the router, .66 as the ASA outside interface. So in your router, you would have these routes to route to the remaining public IPs:
ip route 111.222.333.68 255.255.255.252 111.222.333.66
ip route 111.222.333.72 255.255.255.248 111.222.333.66
ip route 111.222.333.80 255.255.255.240 111.222.333.66
ip route 111.222.333.96 255.255.255.224 111.222.333.66

In the ASA, you would have this static to expose your server A to the internet as 111.222.333.68:
static (inside,outside) 111.222.333.68 192.168.10.10 netmask 255.255.255.255

And you might have inbound rules like this:
access-list acl_inbound permit tcp any host 111.222.333.68 eq www
access-list acl_inbound permit tcp any host 111.222.333.68 eq https

This line applies the inbound ACL:
access-group acl_inbound in interface outside

And you probably would have interfaces assigned like this:
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.333.66 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

Does this cover what you are thinking?
0
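Added worked example (not part of the thread): the route list above is the minimal CIDR decomposition of the /26 once the /30 link is removed. This script reproduces that carving with Python's ipaddress module, emits the router and ASA lines in the same form as the answer, and rejects a static that lands on the link /30. The addresses 203.0.113.64/26 (documentation range), the link 203.0.113.64/30, the ASA outside .66 and the inside host 192.168.10.10 are constructed for the example.

```python
from ipaddress import IPv4Address, IPv4Network, ip_network


def remaining_blocks(allocation: str, link: str):
    """Return the fewest CIDR blocks covering the allocation minus the link /30.

    For a /26 with the first /30 used as the router-to-ASA link this yields
    a /30, a /29, a /28 and a /27, exactly the four 'ip route' entries above.
    """
    alloc: IPv4Network = ip_network(allocation)
    link_net: IPv4Network = ip_network(link)
    if not link_net.subnet_of(alloc):
        raise ValueError("link subnet must lie inside the allocation")
    return sorted(alloc.address_exclude(link_net))


def router_routes(allocation: str, link: str, asa_outside: str):
    """Static routes the upstream router needs to send the rest of the /26 to the ASA."""
    next_hop = IPv4Address(asa_outside)
    if next_hop not in ip_network(link):
        raise ValueError("next hop must be the ASA address on the link /30")
    return [
        f"ip route {b.network_address} {b.netmask} {next_hop}"
        for b in remaining_blocks(allocation, link)
    ]


def public_ip_is_routable(public_ip: str, allocation: str, link: str) -> bool:
    """True only if the public IP sits in a block the router will forward to the ASA."""
    addr = IPv4Address(public_ip)
    return any(addr in b for b in remaining_blocks(allocation, link))


def asa_static(public_ip: str, inside_ip: str, allocation: str, link: str) -> str:
    """One-to-one static for a server; refuses addresses on the link /30 (e.g. .65/.66)."""
    if not public_ip_is_routable(public_ip, allocation, link):
        raise ValueError(f"{public_ip} is not in a block routed to the ASA outside")
    return f"static (inside,outside) {public_ip} {inside_ip} netmask 255.255.255.255"


if __name__ == "__main__":  # constructed sample values, not the asker's real addresses
    ALLOC, LINK, ASA = "203.0.113.64/26", "203.0.113.64/30", "203.0.113.66"
    print("\n".join(router_routes(ALLOC, LINK, ASA)))
    print(asa_static("203.0.113.68", "192.168.10.10", ALLOC, LINK))
```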
 
Boilermaker85 commented:
Of course you need an outbound global and nat statement so that your outbound traffic will appear to come from a public IP in the high end of your range.

global (outside) 1 111.222.333.126 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
0
 
GridLock137 commented:
He can also do it by creating a DMZ area where he can place those servers with public IP addresses.
0
 
maxvisionsmith (Author) commented:
The servers must be assigned public IPs, not private. This is required for cPanel.
0
 
GridLock137 commented:
Then putting them in the DMZ, which is outside of your network, would be the solution, since there you would be able to assign them public addresses.
0
 
Boilermaker85 commented:
Ok fine. I'm getting out of this thread. I don't understand your statement that "cPanel" must be assigned public addresses. That is exactly what I illustrated, where from the internet, the servers are accessed using public addresses. With a 5505 you can't get a DMZ unless you pay for an extra license for the third VLAN. You can use one of the above subnets from your address space for your servers. You still need the static statements, but they will look like this, assuming you use the .72-.79 subnet:
static (inside,dmz) 111.222.333.73 111.222.333.73 netmask 255.255.255.255
0
 
Qlemo (C++ Developer) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
