Solved

Deploying ASA5505 on a SBS 2003 network (Converting from Dual to Single-NIC operation)

Posted on 2013-06-05
Last Modified: 2013-06-11
Dear Experts,

Scenario:

We have an 'SBS 2003 Standard – SP2' machine on HP ProLiant ML350 G4 hardware. It's running our Exchange, AD, NAT/firewall, DHCP, DNS, SharePoint, Remote Access (VPN), SQL, printing and file server and internet. There is no ISA installed. I have purchased a Cisco ASA5505 to deploy between the internet router and the network switch. We also have a Windows 2003 Standard server (virtual) for redundancy and have assigned it the secondary DC, secondary DNS and global catalogue roles.

Current network:  Internet Router --> Server's NIC1 (Public/External_IP)  [=]  Server's NIC2 (Internal_IP)  --> Switch --> Workstations
Planned network:  Internet Router --> ASA5505 Firewall --> Switch --> Server and Workstations

Plan:

1. Convert the server from dual-NIC to single-NIC mode.
2. Phase one: Configure ASA5505 to do the NAT and firewall function and deploy it. Also configure a VPN pass-through so SBS 2003 can carry on serving VPN clients.
3. Phase 2: Configure ASA5505 to do the VPN function.
4. Phase 3: Install VPN clients on client machines.

Questions:

1. I need a user guide which clearly explains all the steps involved in converting the SBS 2003 server to single-NIC mode.
2. ASA5505 is my first ever firewall; any links/user guides to configure it for the first time will greatly help.
3. SBS 2003 also performs DNS. Will SBS 2003 keep its DNS role? Or should it also be given to ASA5505?

Thanks for any input. Other tips/ideas will also be greatly appreciated.

Regards,
Abid
Question by:Abid Muhammad
7 Comments
 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 501 total points
ID: 39221764
 
LVL 2

Accepted Solution

by:Munkymajik888
Munkymajik888 earned 501 total points
ID: 39221890
Hi

3. ASAs cannot act as a DNS server - they will route DNS requests; however you couldn't point the SBS server to the ASA as a forwarder and leave it be.

The VPN config is relatively simple on the ASA if you use the GUI (ASDM) and the VPN Wizard.

There is also a wealth of guides out there for this.

Re the SBS server NIC config:

In a nutshell you want to break any RAS or routing entries that you have but preserve the internal network IP - your server will become just another host on your network (but providing DHCP and DNS to hosts).

Just imagine a home network where you have a PC connecting to the router as its default gateway. Instead of your server being the default route for your internal network it will be another host. Not too sure on the step-by-steps for this for the purposes of documentation, but I could definitely do it if I was sitting in front of the server and could see the config etc.
 

Author Comment

by:Abid Muhammad
ID: 39222569
Many thanks guys,

I have now got the answers to question 2 (initial configuration) and 3 (DNS). My firewall has also arrived and it has a CD with lots of documentation and also a printed quick-start guide which was very helpful. The YouTube link is also proving to be a very good resource.

However, I still need instructions on how to do the dual-to-single-NIC conversion, as this is a production server and, being an SBS, it runs the core of our IT, so I need to be very careful with it.

On another note, because SBS 2003 is working as the default gateway at the moment, we lose internet connectivity if the server is down. I believe once the ASA5505 is deployed it will start working as the default gateway and we will continue to have internet even if the SBS 2003 is down.

I am still confused about certain things which I am hoping to find answers for once I have managed to run the Startup Wizard in ASDM and enter some details to have a play with the configs etc.
 
LVL 12

Assisted Solution

by:Gary Coltharp
Gary Coltharp earned 498 total points
ID: 39225586
Your firewall configuration on SBS 2003 is most likely handled by the RAS service. To get rid of the config, clear and reconfigure RAS and disable the secondary interface. Then, after your ASA is configured, re-run the Internet Connection Wizard to use a local router.

Your plan seems to imply you will be doing VPN on both Windows and the ASA? Can you clarify?
 

Author Comment

by:Abid Muhammad
ID: 39226494
Hi gcoltharp,

I am willing to just put the hardware firewall (which I will pre-configure) in place after I have converted the server from dual to single NIC.

I don't want the ASA to do the VPN at this stage; it should just forward the VPN requests to SBS 2003, so that I get more time and understanding of things.

Once all is settled I will configure ASA5505 to do the VPN and will install the VPN clients on end-user machines so they start using the new VPN utility.

Once ASA5505 has taken over the VPN role fully I will remove the VPN function from SBS 2003.

This is just what I think I will (and will be able to) do to make things easy and not break the whole system. Does it make sense?
 
LVL 12

Expert Comment

by:Gary Coltharp
ID: 39226504
It makes sense... I would just let RAS handle the VPN always, but the Cisco client is marginally more secure. Just one or the other; can't do both.
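The phase-one ASA setup the thread settles on (the ASA does NAT and the firewalling, the single-NIC SBS keeps DHCP, DNS and the VPN endpoint, and only the VPN traffic is passed through to it) as an added example config. This is not from the original post or from anyone in the thread. It assumes the post-8.3 object-NAT syntax (ASA 8.4/9.x on a 5505), an inside network of 192.168.16.0/24 with the ASA at 192.168.16.1 and the SBS at 192.168.16.2, a static public address 203.0.113.10/29 with ISP gateway 203.0.113.9, and that the SBS Remote Access service is serving PPTP (TCP 1723 plus GRE); all of those addresses and object names are hypothetical. If the SBS VPN is L2TP/IPsec instead, the forwarded traffic is UDP 500, 4500 and 1701 plus ESP, so check the RRAS port configuration before copying this.

```cisco
! Added example: phase-one ASA 5505 config (outbound PAT, default-deny inbound, PPTP pass-through).
! Hypothetical addressing: inside 192.168.16.0/24, ASA 192.168.16.1, SBS 192.168.16.2,
! outside 203.0.113.10/29, ISP gateway 203.0.113.9. ASA 8.4/9.x object-NAT syntax assumed.
hostname asa5505
!
! SBS stays the LAN's DHCP and DNS server. Turn off the 5505's factory DHCP server on
! inside so two servers do not hand out leases (if the factory "dhcpd address ... inside"
! range is still present, remove it too before re-addressing Vlan1), and make the SBS
! DHCP scope hand out 192.168.16.1 (the ASA) as the router option.
no dhcpd enable inside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.16.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
! On the 5505, Ethernet0/0 is the outside port (VLAN 2); 0/1 to 0/7 stay on VLAN 1 (inside).
interface Ethernet0/0
 switchport access vlan 2
!
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
!
! Outbound PAT: the whole LAN shares the single public address.
object network INSIDE-NET
 subnet 192.168.16.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! VPN pass-through: only the PPTP control port is forwarded to the SBS. The GRE data
! channel has no port, so it is opened per session by PPTP inspection (below) rather
! than by a second static NAT.
object network SBS-VPN
 host 192.168.16.2
 nat (inside,outside) static interface service tcp 1723 1723
!
! Inbound policy on outside: permit only the VPN control and data channel to the SBS.
! Post-8.3 ACLs match the real (inside) address, hence the object rather than the public IP.
! Everything else inbound is dropped by the implicit deny at the end of the list.
access-list OUTSIDE-IN extended permit tcp any object SBS-VPN eq 1723
access-list OUTSIDE-IN extended permit gre any object SBS-VPN
access-group OUTSIDE-IN in interface outside
!
! Add PPTP inspection to the default global policy so the GRE tunnel follows each
! TCP 1723 session through the PAT.
policy-map global_policy
 class inspection_default
  inspect pptp
!
! Management (ASDM over HTTPS and SSH) only from the inside network, never from outside.
http server enable
http 192.168.16.0 255.255.255.0 inside
ssh 192.168.16.0 255.255.255.0 inside
ssh version 2
```

With this in place the ASA is a stateful NAT firewall and the SBS 2003 RRAS endpoint is still what answers VPN clients on the public address, which is the interim state the author describes. To check it, have a client connect and look at `show conn | include 1723` and `show conn | include GRE` on the ASA: the TCP control connection and a GRE connection to 192.168.16.2 should both appear. Phase 2 (terminating the VPN on the ASA) replaces the SBS-VPN object, its NAT line and the two OUTSIDE-IN entries, because the ASA cannot both answer the VPN on the public address and forward it to the SBS, which is the "one or the other" point made above.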
 

Author Comment

by:Abid Muhammad
ID: 39237181
Thanks for the help everyone. Closing this post; I will post any new, more specific questions in a new post.

Kind regards,
Abid
