Solved

Cisco ASA 5505 initial config help

Posted on 2011-02-25
12
386 Views
Last Modified: 2012-05-11
I have been allocated a /26 which is routed to a /30. I need to configure an ASA5505 to route the subnet and provide basic firewall functionality (all open at first, then will lock down) to a group of servers. I do not wish to run NAT.  Any help is greatly appreciated.
0
Comment
Question by:maxvisionsmith
12 Comments
 
LVL 7

Expert Comment

by:GridLock137
ID: 34983842
do you know the range of IP addresses they gave you?

In regards to NAT, that will be the only way to make sure your servers internally are not exposed to the outside world; you need NAT to make that translation from the outside request to the inside.
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34984007
0
 

Author Comment

by:maxvisionsmith
ID: 34985698
My servers must have public IPs because they run cPanel. I was assigned a /26 which is routed to a /30.
0
 
LVL 7

Accepted Solution

by:
Boilermaker85 earned 500 total points
ID: 34988307
Your servers need public IPs on the outside of the ASA. On the inside they can be private. You use static statements to link the inside IP to the public IP. From a /26, you have 62 available IPs. Apparently, you have carved out of that 4 addresses in a /30 for the router-to-ASA link (router gets one IP, ASA interface gets another, plus network and broadcast). Let's assume you have web server A inside at 192.168.10.10. And you have many IPs left to use for statics, so let's assume your /26 is 111.222.333.64/26. And you used .65 as the router, .66 as the ASA outside interface. So in your router, you would have these routes to route to the remaining public IPs:
ip route 111.222.333.68 255.255.255.252 111.222.333.66
ip route 111.222.333.72 255.255.255.248 111.222.333.66
ip route 111.222.333.80 255.255.255.240 111.222.333.66
ip route 111.222.333.96 255.255.255.224 111.222.333.66

In the ASA, you would have this static to expose your server A to the internet as 111.222.333.68:
static (inside,outside) 111.222.333.68 192.168.10.10 netmask 255.255.255.255

And you might have inbound rules like this:
access-list acl_inbound permit tcp any host 111.222.333.68 eq www
access-list acl_inbound permit tcp any host 111.222.333.68 eq https

This line applies the inbound ACL:
access-group acl_inbound in interface outside

And you probably would have interfaces assigned like this:
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.333.66 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

Does this cover what you are thinking?
0
 
LVL 7

Assisted Solution

by:Boilermaker85
Boilermaker85 earned 500 total points
ID: 34988317
Of course you need an outbound global and nat statement so that your outbound traffic will appear to come from a public IP in the high end of your range.

global (outside) 1 111.222.333.126 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
0
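The two Boilermaker85 posts above carve the /26 into the link /30 plus the remaining /30, /29, /28 and /27 blocks, route those blocks to the ASA outside address, and then spend individual addresses on statics and the outbound PAT global. The script below is an added example (not from this thread or from Cisco) that reproduces that carve-out with Python's ipaddress module and checks a candidate public address before it is spent on a static or global line. Because 111.222.333.x is not a valid IPv4 address, it uses the documentation range 203.0.113.64/26 as a constructed stand-in, with .65 as the router, .66 as the ASA outside interface and 192.168.10.10 as the inside server; the function names and the pre-8.3 ASA syntax it renders are assumptions taken from the posts.

```python
"""Plan the public address carve-out for the ASA 5505 design in this thread.

Constructed example: 203.0.113.64/26 stands in for the thread's 111.222.333.64/26
(which is not a valid IPv4 address), .65 is the router, .66 the ASA outside
interface, and 192.168.10.10 the inside web server.
"""
import ipaddress

# Constructed addressing plan (stand-ins for the thread's placeholders).
ALLOCATION = ipaddress.ip_network("203.0.113.64/26")   # the /26 from the ISP
LINK = ipaddress.ip_network("203.0.113.64/30")         # router <-> ASA link
ROUTER_IP = ipaddress.ip_address("203.0.113.65")
ASA_OUTSIDE_IP = ipaddress.ip_address("203.0.113.66")


def remaining_blocks(allocation, link):
    """Return the largest CIDR blocks covering the allocation minus the link /30.

    This is what the router must route to the ASA: everything in the /26 that
    is not the point-to-point link itself.
    """
    if not link.subnet_of(allocation):
        raise ValueError("link subnet must be carved from the allocation")
    return sorted(allocation.address_exclude(link))


def router_routes(allocation, link, next_hop):
    """Render IOS 'ip route' lines pointing each remaining block at the ASA."""
    return [
        f"ip route {net.network_address} {net.netmask} {next_hop}"
        for net in remaining_blocks(allocation, link)
    ]


def check_public_ip(public_ip, allocation, link):
    """Validate an address before using it in a static or global statement.

    Rejects addresses outside the allocation, inside the link /30 (router,
    ASA outside, and the link's own network/broadcast), and the network or
    broadcast address of the /26, none of which are usable host addresses.
    """
    ip = ipaddress.ip_address(public_ip)
    if ip not in allocation:
        return False, "not in the allocated block"
    if ip in link:
        return False, "collides with the router/ASA link subnet"
    if ip in (allocation.network_address, allocation.broadcast_address):
        return False, "network or broadcast address of the allocation"
    return True, "ok"


def asa_static(public_ip, inside_ip, allocation=ALLOCATION, link=LINK):
    """Render the pre-8.3 ASA static NAT line, refusing unusable public IPs."""
    ok, why = check_public_ip(public_ip, allocation, link)
    if not ok:
        raise ValueError(f"{public_ip}: {why}")
    return f"static (inside,outside) {public_ip} {inside_ip} netmask 255.255.255.255"


def asa_outbound_pat(public_ip, allocation=ALLOCATION, link=LINK):
    """Render the global/nat pair for outbound PAT from the inside network."""
    ok, why = check_public_ip(public_ip, allocation, link)
    if not ok:
        raise ValueError(f"{public_ip}: {why}")
    return [
        f"global (outside) 1 {public_ip} netmask 255.255.255.255",
        "nat (inside) 1 0.0.0.0 0.0.0.0",
    ]


if __name__ == "__main__":
    print("! router")
    print("\n".join(router_routes(ALLOCATION, LINK, ASA_OUTSIDE_IP)))
    print("! asa")
    print(asa_static("203.0.113.68", "192.168.10.10"))
    print("\n".join(asa_outbound_pat("203.0.113.126")))
    # .127 is the broadcast of the /26 and .65 is the router: both are rejected
    for bad in ("203.0.113.127", "203.0.113.65"):
        print(bad, check_public_ip(bad, ALLOCATION, LINK))
```

Running it prints the same four router routes as the accepted solution (68/30, 72/29, 80/28, 96/27, all via the ASA outside address), the static for the first usable address, and the global/nat pair for .126; the checks at the end show why .127 and .65 must never be handed out as static or PAT addresses.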

 
LVL 7

Expert Comment

by:GridLock137
ID: 34988533
He can also do it by creating a DMZ area where he can place those servers with public IP addresses.
0
 

Author Comment

by:maxvisionsmith
ID: 34989040
The servers must be assigned public IPs, not private. This is required for cPanel.
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34989199
Then putting them in the DMZ, which is outside of your network, would be the solution, since there you would be able to assign them public addresses.
0
 
LVL 7

Assisted Solution

by:Boilermaker85
Boilermaker85 earned 500 total points
ID: 34992784
Ok fine. I'm getting out of this thread. I don't understand your statement that "cPanel" must be assigned public addresses. That is exactly what I illustrated, where from the internet, the servers are accessed using public addresses. With a 5505 you can't get a DMZ unless you pay for an extra license for the third VLAN. You can use one of the above subnets from your address space for your servers. You still need the static statements, but they will look like this, assuming you use the .72-79 subnet:
static (inside,dmz) 111.222.333.73 111.222.333.73 netmask 255.255.255.255
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35321834
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
