Solved

Cisco ASA 5505 initial config help

Posted on 2011-02-25
12
390 Views
Last Modified: 2012-05-11
I have been allocated a /26 which is routed to a /30. I need to configure an ASA5505 to route the subnet and provide basic firewall functionality (all open at first, then will lock down) to a group of servers. I do not wish to run NAT. Any help is greatly appreciated.
0
Question by:maxvisionsmith
12 Comments
 
LVL 7

Expert Comment

by:GridLock137
ID: 34983842
Do you know the range of IP addresses they gave you?

In regards to NAT, that will be the only way to make sure your servers internally are not exposed to the outside world; you need NAT to make that translation from the outside request to the inside.
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34984007
0
 

Author Comment

by:maxvisionsmith
ID: 34985698
My servers must have public IPs because they run cPanel. I was assigned a /26, which is routed to a /30.
0
 
LVL 7

Accepted Solution

by:
Boilermaker85 earned 500 total points
ID: 34988307
Your servers need public IPs on the outside of the ASA. On the inside they can be private. You use static statements to link the inside IP to the public IP. From a /26, you have 62 available IPs. Apparently you have carved 4 addresses out of that, in a /30, for the router-to-ASA link (router gets one IP, ASA interface gets another, plus network and broadcast). Let's assume you have web server A inside at 192.168.10.10. You have many IPs left to use for statics, so let's assume your /26 is 111.222.333.64/26, and you used .65 as the router and .66 as the ASA outside interface. So in your router, you would have these routes to route to the remaining public IPs:
ip route 111.222.333.68 255.255.255.252 111.222.333.66
ip route 111.222.333.72 255.255.255.248 111.222.333.66
ip route 111.222.333.80 255.255.255.240 111.222.333.66
ip route 111.222.333.96 255.255.255.224 111.222.333.66

In the ASA, you would have this static to expose your server A to the internet as 111.222.333.68:
static (inside,outside) 111.222.333.68 192.168.10.10 netmask 255.255.255.255

And you might have inbound rules like this:
access-list acl_inbound permit tcp any host 111.222.333.68 eq www
access-list acl_inbound permit tcp any host 111.222.333.68 eq https

This line applies the inbound ACL:
access-group acl_inbound in interface outside

And you probably would have interfaces assigned like this:
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.222.333.66 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

Does this cover what you are thinking?
0
 
LVL 7

Assisted Solution

by:Boilermaker85
Boilermaker85 earned 500 total points
ID: 34988317
Of course you need an outbound global and nat statement so that your outbound traffic will appear to come from a public IP in the high end of your range.

global (outside) 1 111.222.333.126 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
0
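The address carving in the accepted solution (the /30 link taken out of the /26, the remaining /30, /29, /28 and /27 routed to the ASA, a one-to-one static per server, and the outbound global/nat from the follow-up post) worked through as an added example; this is not code from the thread. It assumes constructed documentation addresses (203.0.113.64/26) because the thread's "111.222.333.x" placeholders are not valid IPv4, and it checks that a chosen public IP is actually usable before emitting a static.

```python
import ipaddress

# Constructed example values (the thread's "111.222.333.x" is not valid IPv4):
# the /26 allocation and the /30 router-to-ASA link carved out of its start.
BLOCK = "203.0.113.64/26"
LINK = "203.0.113.64/30"        # .65 = router, .66 = ASA outside interface
ASA_OUTSIDE = "203.0.113.66"

def remaining_subnets(block: str, link: str) -> list:
    """Carve the link /30 out of the block and return the aligned subnets
    covering what is left, lowest first (the thread's /30, /29, /28, /27)."""
    net = ipaddress.ip_network(block)
    link_net = ipaddress.ip_network(link)
    if not link_net.subnet_of(net):
        raise ValueError(f"{link} is not inside {block}")
    return [str(n) for n in sorted(net.address_exclude(link_net))]

def router_routes(block: str, link: str, asa_outside: str) -> list:
    """IOS static routes sending every remaining subnet to the ASA outside IP."""
    asa = ipaddress.ip_address(asa_outside)
    if asa not in ipaddress.ip_network(link).hosts():
        raise ValueError(f"{asa_outside} is not a host address on link {link}")
    return [f"ip route {n.network_address} {n.netmask} {asa}"
            for n in map(ipaddress.ip_network, remaining_subnets(block, link))]

def usable_public(public: str, block: str, link: str) -> bool:
    """True if public is inside the block, not on the link /30, and not the
    block's network or broadcast address (the mistakes that break a static)."""
    pub, net = ipaddress.ip_address(public), ipaddress.ip_network(block)
    return (pub in net and pub not in ipaddress.ip_network(link)
            and pub not in (net.network_address, net.broadcast_address))

def asa_static(public: str, private: str, block: str, link: str) -> str:
    """One-to-one static exposing an inside server on a checked public IP."""
    if not usable_public(public, block, link):
        raise ValueError(f"{public} is not a usable public address behind the ASA")
    return f"static (inside,outside) {public} {private} netmask 255.255.255.255"

def inbound_acl(public: str, services=("www", "https")) -> list:
    """Inbound ACL entries for the server plus the access-group that applies them."""
    lines = [f"access-list acl_inbound permit tcp any host {public} eq {s}" for s in services]
    return lines + ["access-group acl_inbound in interface outside"]

def outbound_pat(block: str) -> list:
    """Outbound PAT on the highest host of the block, as the follow-up post suggests."""
    hi = max(ipaddress.ip_network(block).hosts())
    return [f"global (outside) 1 {hi} netmask 255.255.255.255",
            "nat (inside) 1 0.0.0.0 0.0.0.0"]
```

Calling router_routes(BLOCK, LINK, ASA_OUTSIDE) reproduces the four routes from the accepted solution with valid addresses, and asa_static rejects .65 (router), .64 and .127 (network/broadcast) before they end up in the config.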
 
LVL 7

Expert Comment

by:GridLock137
ID: 34988533
He can also do it by creating a DMZ area where he can place those servers with public IP addresses.
0
 

Author Comment

by:maxvisionsmith
ID: 34989040
The servers must be assigned public IPs, not private. This is required for cPanel.
0
 
LVL 7

Expert Comment

by:GridLock137
ID: 34989199
Then putting them in the DMZ, which is outside of your network, would be the solution, since there you would be able to assign them public addresses.
0
 
LVL 7

Assisted Solution

by:Boilermaker85
Boilermaker85 earned 500 total points
ID: 34992784
Ok fine. I'm getting out of this thread. I don't understand your statement that "cPanel" must be assigned public addresses. That is exactly what I illustrated, where from the internet the servers are accessed using public addresses. With a 5505 you can't get a DMZ unless you pay for an extra license for the third VLAN. You can use one of the above subnets from your address space for your servers. You still need the static statements, but they will look like this, assuming you use the .72-79 subnet:
static (inside,dmz) 111.222.333.73 111.222.333.73 netmask 255.255.255.255
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35321834
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
