Solved

Cisco ASA 5505 initial config help

Posted on 2011-02-25
12
391 Views
Last Modified: 2012-05-11
I have been allocated a /26 which is routed to a /30. I need to configure an ASA5505 to route the subnet and provide basic firewall functionality (all open at first, then will lock down) to a group of servers. I do not wish to run NAT.  Any help is greatly appreciated.
Question by:maxvisionsmith
12 Comments
 
LVL 7

Expert Comment

by:GridLock137
ID: 34983842
Do you know the range of IP addresses they gave you?

In regards to NAT, that will be the only way to make sure your servers internally are not exposed to the outside world; you need NAT to make that translation from the outside request to the inside.
0
 

Author Comment

by:maxvisionsmith
ID: 34985698
My servers must have public IPs because they run cPanel. I was assigned a /26 which is routed to a /30.
0

 
LVL 7

Accepted Solution

by:
Boilermaker85 earned 500 total points
ID: 34988307
Your servers need public IPs on the outside of the ASA. On the inside they can be private. You use static statements to link the inside IP to the public IP. From a /26, you have 62 available IPs. Apparently, you have carved out of that 4 addresses in a /30 for the router-to-ASA link (router gets one IP, ASA interface gets another, plus network and broadcast). Let's assume you have web server A inside at 192.168.10.10. And you have many IPs left to use for statics, so let's assume your /26 is 111.222.333.64/26, and you used .65 as the router and .66 as the ASA outside interface. So in your router, you would have these routes to route to the remaining public IPs:
ip route 111.222.333.68 255.255.255.252 111.222.333.66
ip route 111.222.333.72 255.255.255.248 111.222.333.66
ip route 111.222.333.80 255.255.255.240 111.222.333.66
ip route 111.222.333.96 255.255.255.224 111.222.333.66

In the ASA, you would have this static to expose your server A to the internet as 111.222.333.68:
static (inside,outside) 111.222.333.68 192.168.10.10 netmask 255.255.255.255

And you might have inbound rules like this:
access-list acl_inbound permit tcp any host 111.222.333.68 eq www
access-list acl_inbound permit tcp any host 111.222.333.68 eq https

This line applies the inbound ACL:
access-group acl_inbound in interface outside

And you probably would have interfaces assigned like this:
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.333.66 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

Does this cover what you are thinking?
0
 
LVL 7

Assisted Solution

by:Boilermaker85
Boilermaker85 earned 500 total points
ID: 34988317
Of course you need an outbound global and nat statement so that your outbound traffic will appear to come from a public IP in the high end of your range.

global (outside) 1 111.222.333.126 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34988533
He can also do it by creating a DMZ area where he can place those servers with public IP addresses.
0
 

Author Comment

by:maxvisionsmith
ID: 34989040
The servers must be assigned public IPs, not private. This is required for cPanel.
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34989199
Then putting them in the DMZ, which is outside of your network, would be the solution, since there you would be able to assign them public addresses.
0
 
LVL 7

Assisted Solution

by:Boilermaker85
Boilermaker85 earned 500 total points
ID: 34992784
Ok fine. I'm getting out of this thread. I don't understand your statement that "cpanel" must be assigned public addresses. That is exactly what I illustrated, where from the internet, the servers are accessed using public addresses. With a 5505 you can't get a DMZ unless you pay for an extra license for the third VLAN. You can use one of the above subnets from your address space for your servers. You still need the static statements, but they will look like this, assuming you use the .72-79 subnet:
static (inside,dmz) 111.222.333.73 111.222.333.73 netmask 255.255.255.255
0
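The following is an added example, not code from anyone in this thread. It works through Boilermaker85's accepted solution (carving the /26 into the link /30 plus the remaining routed blocks, the static, the inbound ACL and the outbound PAT) and the later identity-static variant for servers that keep their public IP, generating the same pre-8.3 ASA and IOS syntax the posts use. It assumes constructed RFC 5737 addresses (203.0.113.64/26) in place of the 111.222.333.x placeholders, since 333 is not a valid octet, and assumes the server-facing interface is named first in the static, as `static (real_if,mapped_if)`; the function names are the example's own. The `public_ip_usable` check is the kind of guard a practitioner wants before pasting statics in: it rejects any public address that is outside the allocation or collides with the router/ASA link.

```python
import ipaddress
from typing import Iterable, List

# Constructed addresses from the RFC 5737 documentation range (assumption; the
# thread's 111.222.333.x values are placeholders and 333 is not a valid octet).
ALLOCATION = ipaddress.ip_network("203.0.113.64/26")   # the routed /26
LINK = ipaddress.ip_network("203.0.113.64/30")         # router <-> ASA /30 carved from it
ASA_OUTSIDE_IP = ipaddress.ip_address("203.0.113.66")  # .65 is the router, .66 the ASA


def remaining_subnets(allocation: ipaddress.IPv4Network,
                      link: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Everything in the allocation except the link /30, as the minimal set of
    CIDR blocks (a /30, /29, /28 and /27 when the link is the first /30 of a /26)."""
    return sorted(allocation.address_exclude(link))


def router_routes(allocation: ipaddress.IPv4Network, link: ipaddress.IPv4Network,
                  next_hop: ipaddress.IPv4Address) -> List[str]:
    """IOS static routes pointing the remaining public blocks at the ASA outside IP."""
    return [f"ip route {n.network_address} {n.netmask} {next_hop}"
            for n in remaining_subnets(allocation, link)]


def public_ip_usable(ip: str) -> bool:
    """A public IP may back a static only if it is inside the allocation and
    outside the link /30 (which holds the router and ASA addresses)."""
    addr = ipaddress.ip_address(ip)
    return addr in ALLOCATION and addr not in LINK


def asa_static(public_ip: str, real_ip: str, real_if: str = "inside",
               mapped_if: str = "outside") -> str:
    """Pre-8.3 ASA static: static (real_if,mapped_if) mapped_ip real_ip.
    real_ip == public_ip is an identity static (the server keeps its public IP)."""
    if not public_ip_usable(public_ip):
        raise ValueError(f"{public_ip} is not a free address in {ALLOCATION}")
    return f"static ({real_if},{mapped_if}) {public_ip} {real_ip} netmask 255.255.255.255"


def build_statics(mappings: Iterable[tuple]) -> List[str]:
    """Statics for (public_ip, real_ip, real_if) tuples; a public IP claimed twice is an error."""
    seen = set()
    lines = []
    for public_ip, real_ip, real_if in mappings:
        if public_ip in seen:
            raise ValueError(f"{public_ip} mapped more than once")
        seen.add(public_ip)
        lines.append(asa_static(public_ip, real_ip, real_if))
    return lines


def inbound_acl(public_ip: str, ports: Iterable[str], name: str = "acl_inbound") -> List[str]:
    """Per-service permits for one published host, plus the access-group line that
    applies the ACL inbound on outside. An empty port list exposes nothing."""
    lines = [f"access-list {name} permit tcp any host {public_ip} eq {p}" for p in ports]
    lines.append(f"access-group {name} in interface outside")
    return lines


def outbound_pat(allocation: ipaddress.IPv4Network) -> List[str]:
    """Outbound PAT on the highest usable address of the range, as the thread suggests."""
    pat_ip = list(allocation.hosts())[-1]
    return [f"global (outside) 1 {pat_ip} netmask 255.255.255.255",
            "nat (inside) 1 0.0.0.0 0.0.0.0"]


if __name__ == "__main__":
    print("\n".join(router_routes(ALLOCATION, LINK, ASA_OUTSIDE_IP)))
    # Private inside server published as .68, and a DMZ server keeping its own .73.
    print("\n".join(build_statics([("203.0.113.68", "192.168.10.10", "inside"),
                                   ("203.0.113.73", "203.0.113.73", "dmz")])))
    print("\n".join(inbound_acl("203.0.113.68", ["www", "https"])))
    print("\n".join(outbound_pat(ALLOCATION)))
```

Running it prints the four IOS routes (.68/30, .72/29, .80/28, .96/27 toward .66), the two statics, the two-port ACL with its access-group, and the PAT pair on .126. The inbound ACL is where the "all open at first, then lock down" plan ends up: start by listing only the ports each host really serves, and treat `asa_static` raising on a link or out-of-range address as the sanity check that a typo in a public IP does not silently black-hole or hijack the router link.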
 
LVL 70

Expert Comment

by:Qlemo
ID: 35321834
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
