Cisco ASA 5505 initial config help

I have been allocated a /26 which is routed to a /30. I need to configure an ASA5505 to route the subnet and provide basic firewall functionality (all open at first, then will lock down) to a group of servers. I do not wish to run NAT. Any help is greatly appreciated.
maxvisionsmith Asked:
Boilermaker85 Commented:
Your servers need public IPs on the outside of the ASA. On the inside they can be private. You use static statements to link the inside IP to the public IP. From a /26, you have 62 available IPs. Apparently, you have carved out of that 4 addresses in a /30 for the router-to-ASA link (router gets one IP, ASA interface gets another, plus network and broadcast). Let's assume you have web server A inside at 192.168.10.10. You have many IPs left to use for statics, so let's assume your /26 is 111.222.333.64/26, and you used .65 as the router and .66 as the ASA outside interface. So in your router, you would have these routes to route to the remaining public IPs:
ip route 111.222.333.68 255.255.255.252 111.222.333.66
ip route 111.222.333.72 255.255.255.248 111.222.333.66
ip route 111.222.333.80 255.255.255.240 111.222.333.66
ip route 111.222.333.96 255.255.255.224 111.222.333.66

In the ASA, you would have this static to expose your server A to the internet as 111.222.333.68:
static (inside,outside) 111.222.333.68 192.168.10.10 netmask 255.255.255.255

And you might have inbound rules like this:
access-list acl_inbound permit tcp any host 111.222.333.68 eq www
access-list acl_inbound permit tcp any host 111.222.333.68 eq https

This line applies the inbound ACL:
access-group acl_inbound in interface outside

And you probably would have interfaces assigned like this:
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.333.66 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

Does this cover what you are thinking?
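As an added example (not code from the thread or from Cisco), the addressing plan Boilermaker85 lays out can be checked with a short Python script: it derives the router's routes for the rest of the /26 once the /30 link is carved out, emits the one-to-one statics, and flags any static whose public IP does not fall in a block routed to the ASA. It assumes the documentation range 203.0.113.64/26 in place of the placeholder 111.222.333.64/26; all addresses are constructed.

```python
import ipaddress

def remaining_blocks(allocation, link):
    """Blocks of `allocation` left once the /30 `link` is carved out: the
    subnets the router must point at the ASA outside address."""
    alloc, lnk = ipaddress.ip_network(allocation), ipaddress.ip_network(link)
    return sorted(alloc.address_exclude(lnk))

def router_routes(allocation, link, asa_outside):
    """One 'ip route' per leftover block, next hop = ASA outside interface."""
    return [f"ip route {n.network_address} {n.netmask} {asa_outside}"
            for n in remaining_blocks(allocation, link)]

def asa_static(public_ip, inside_ip):
    """One-to-one static (no pool, no PAT) in the form used in the thread."""
    return f"static (inside,outside) {public_ip} {inside_ip} netmask 255.255.255.255"

def check_plan(allocation, link, asa_outside, statics):
    """Return a list of problems (empty list = consistent plan).
    statics is a list of (public_ip, inside_ip) pairs."""
    alloc, lnk = ipaddress.ip_network(allocation), ipaddress.ip_network(link)
    if not lnk.subnet_of(alloc):
        return [f"link {lnk} is not inside allocation {alloc}"]
    problems = []
    asa = ipaddress.ip_address(asa_outside)
    if asa not in list(lnk.hosts()):   # /30: only .65 and .66 are usable
        problems.append(f"ASA outside {asa} is not a usable host on {lnk}")
    routed = remaining_blocks(allocation, link)
    seen = set()
    for pub, _inside in statics:
        p = ipaddress.ip_address(pub)
        if p in seen:
            problems.append(f"public IP {pub} used by more than one static")
        seen.add(p)
        if not any(p in n for n in routed):
            problems.append(f"static {pub} is not in a block routed to the ASA")
    return problems

# Constructed values: 203.0.113.64/26 stands in for the thread's 111.222.333.64/26;
# .64/30 is the router-to-ASA link (.65 router, .66 ASA) and .68 is server A.
if __name__ == "__main__":
    for line in router_routes("203.0.113.64/26", "203.0.113.64/30", "203.0.113.66"):
        print(line)
    print(asa_static("203.0.113.68", "192.168.10.10"))
    print(check_plan("203.0.113.64/26", "203.0.113.64/30", "203.0.113.66",
                     [("203.0.113.68", "192.168.10.10")]))
```

The four routes it prints are the same .68/30, .72/29, .80/28 and .96/27 summaries given above, so the script is a quick way to confirm the hand-written routes cover the whole allocation without overlapping the link.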
GridLock137 Commented:
Do you know the range of IP addresses they gave you?

In regards to NAT, that will be the only way to make sure your servers internally are not exposed to the outside world; you need NAT to make that translation from the outside request to the inside.
maxvisionsmith Author Commented:
My servers must have public IPs because they run cPanel. I was assigned a /26 which is routed to a /30.
Boilermaker85 Commented:
Of course, you need an outbound global and NAT statement so that your outbound traffic will appear to come from a public IP in the high end of your range.

global (outside) 1 111.222.333.126 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
GridLock137 Commented:
He can also do it by creating a DMZ area where he can place those servers with public IP addresses.
maxvisionsmith Author Commented:
The servers must be assigned public IPs, not private. This is required for cPanel.
GridLock137 Commented:
Then putting them in the DMZ, which is outside of your network, would be the solution, since there you would be able to assign them public addresses.
Boilermaker85 Commented:
OK, fine. I'm getting out of this thread. I don't understand your statement that "cPanel" must be assigned public addresses. That is exactly what I illustrated, where from the internet the servers are accessed using public addresses. With a 5505 you can't get a DMZ unless you pay for an extra license for the third VLAN. You can use one of the above subnets from your address space for your servers. You still need the static statements, but they will look like this, assuming you use the .72-.79 subnet:
static (inside,dmz) 111.222.333.73 111.222.333.73 netmask 255.255.255.255
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.