configuring ASA in my topology

asa firewall configuration
Dear experts,

I am trying to figure out how users in vlan 10 and 20 will be able to access the IP 192.168.1.2. I have never configured ASA before and I need someone to help me in this lab.

My core is configured as layer 3 and SW1 is configured as layer 2 I want to pass the traffic over to the other side assuming the R2 belongs to internet.
core.rtf
hostname-SW1.docx
LVL 4
Habib ZakariaNetwork Solutions ArchitectAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

AkinsdNetwork AdministratorCommented:
1st, 192.168.1.2 is a private address and wouldn't be accessible directly over the internet.

Interface security level change is all you probably need based on your configuration. Just set the security interface to 100
All the routes would be treated as connected routes so you won't really need to specify specific routes.
The addresses are private and won't need any NAT
You shouldn't need to configure an ACL, you can determine that by running a packet trace
packet-tracer input inside tcp 10.10.10.0 4444 192.168.1.2 4444 detailed

In real world, the internal interfaces would have a security level above 0, usually 100. These would be considered inside network. 192.168.1.1 would then be a gateway for the network to the internet
Lets assume the name of the interface 192.168.1.1 is outside and the actual int is E0/2

route outside 0.0.0.0 0.0.0.0 192.168.0.2

int e0/2
name if outside
security-level 0


Depending on you IOS version, you may be able to configure conventional route and if not you may need to use network objects to configure your NAT.
eg
nat (inside, outside) source dynamic any interface

Lastly, you will need to configure an access list to permit access on the outside interface since the security level is set to 0, meaning untrusted. 100 means trusted.
0
Habib ZakariaNetwork Solutions ArchitectAuthor Commented:
Hi Akinsd,

Yes these are all private IP addresses. I actually want to connect a that router interface to my enterprise network and I want to see how the firewall will be configured. I did not purchase the ASA yet. Is this topology correct or does it need someone routers or switches.

The other thing is that I really want users in vlan 10 to access the ip address 192.168.1.2 and this IP could be a web portal or FTP server .
0
Habib ZakariaNetwork Solutions ArchitectAuthor Commented:
The inside interface of the ASA , 10.50.20.2 has a security level of 100 and the outside interface of the ASA 192.168.1.1 has a security level of 0.  Will this work ?
0
Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

Habib ZakariaNetwork Solutions ArchitectAuthor Commented:
I just using my pad to configure this PIX and I need some suggestions if I am doing it correct.

asa1(config)# int g0
asa1(config-if)# ip address 10.50.20.2 255.255.255.0
asa1(config-if)#no shut
asa1(config-if)#nameif inside

asa1(config)# int g1
asa1(config-if)#ip address 192.168.1.1 255.255.255.252
asa1(config-if)#no shut
asa1(config-if)#name if outside

what I want to know is that the workstation in vlan 10 with ip 10.50.10.2 can it ping the IP 192.168.1.1 or 192.168.1.2. Do I need more configuration on the ASA or in the core to make it ping successfully.
0
AkinsdNetwork AdministratorCommented:
The other thing is that I really want users in vlan 10 to access the ip address 192.168.1.2 and this IP could be a web portal or FTP server.
Well that IP is the IP of the interface and you can't use duplicate IPs on the same network. The alternative is if the router is running the web service.

Ideally, lets assume that your Web server has an IP of 192.168.1.200 and your actual point to point IP is 198.168.1.1 and 198.168.1.2. lastly, we'll assume there's another interface on the router that is 192.168.1.1
You would create a static NAT statement on the router that will forward traffic to the web server
So if someone from the internet types 198.168.1.2:80 (the 80 won't be necessary as that is the default for http) in a browser, the traffic would be directed to 192.168.1.200


what I want to know is that the workstation in vlan 10 with ip 10.50.10.2 can it ping the IP 192.168.1.1 or 192.168.1.2. Do I need more configuration on the ASA or in the core to make it ping successfully.
Because the security is set to 0, you will need an ACL to permit the traffic
eg
access-list outside_in extended permit ip 192.168.1.0 255.255.255.0 10.x.0.0 255.255.0.0
On the outside interface, apply the acl to the inward traffic.
This permits the traffic coming back in to the inside interface.
Remember that communication is a two way direction
0
Habib ZakariaNetwork Solutions ArchitectAuthor Commented:
I agree with what you suggested. The websever to be 192.168.1.200 and one to one IP between the routers to be 192.168.1.1 -- 192.168.1.2

I really need your assistance in the NAT configuration and the ACL.

Thanks,
0
Habib ZakariaNetwork Solutions ArchitectAuthor Commented:
ideally , the router R2  belongs to a different organizarion and I will not have access to it. I am just concern with the ASA configuration and I just want to restrict the access of the internal vlan to that webserver.
0
AkinsdNetwork AdministratorCommented:
I agree with what you suggested. The websever to be 192.168.1.200 and one to one IP between the routers to be 192.168.1.1 -- 192.168.1.2
If you noticed, I changed the IP on the point-to-point link to a public address instead (198.x.x.x)
This address would be assigned to you by your ISP.
If you have a direct cable connection from the ASA to the router (as your configuration depicts), you are not passing through the internet, meaning the router is part of your inside network (with a different name eg inside2). You can then set the security level to 100 since there's no traffic from the internet.
0
AkinsdNetwork AdministratorCommented:
the router R2  belongs to a different organization and I will not have access to it.
How you're connected to R2 determines on what to configure.
If R2 belongs to another organization, that means you have another interface to the internet unless you're connecting to the internet through the organization which means your connection is a LAN connection. If so, all you need like I mentioned would be to attach an ACL that permits the traffic back into your network.

If R2 belongs to the ISP, the IP address can never be a private address as you've shown.
The static NAT (port forwarding) would not be your responsibility as you won't have control over it.
May I suggest that you get the actual topology and work with that instead to avoid guessing.
Your current topology does not depict where the web server is. Based on the diagram above, and your comment that R2 is managed by someone else, and I'm assuming you can already access the internet, then there's nothing you can do with NAT on that web server. The NAT for the webserver would be on R2 based on what you've provided so far.
0
Habib ZakariaNetwork Solutions ArchitectAuthor Commented:
I am sorry I did not mention  the topology is as per what I am trying to achieve.

The router R2 is in the same facility that is shared with another firm. My access switch will connect to the ASA inside interface and R2 twill connect to ASA in the outside interface.  The other firm has a local Web portal that the users in vlan 10 and 20 want to access.

About Internet access the users in vlan 10 and 20 get it from another WAN link which is connected to the core.

I hope I have explained the situation.
0
AkinsdNetwork AdministratorCommented:
I see an interface on the ASA for VLAN 20, but not for VLAN 10.
You also have VLAN 10 attached to the 3560 which is connected to the 2960 via a trunk port.

This topology can't work. Answer the following questions and I'll refine it for you.
It's either there are subinterfaces on the firewall's interface connecting to the 2960 or the 2960 is distribution (which is not possible because it's a layer 2 switch) or the 3560 is the distribution (which also is not possible based on the diagram links).

I need a more accurate topology, otherwise we'll just be guessing stuff all over the place.

Are you modifying an existing network (if so, I need a diagram that represents current topology) or are you creating a new one.
Also, is the internal IP for the neighbor 192.168.1.0 /24?

See 2 workable examples below
(Note: Trunk port or sub-interfaces are both not supported on the ASA version available in packet tracer. To properly simulate the topologies, you will need to use a router but you won't have the nameif or security-level command. You'll be able to use those commands in a live ASA or GNS3).
ASA1ASA2
0
Habib ZakariaNetwork Solutions ArchitectAuthor Commented:
In a live production environment this Core is where all the SVIs are created what happens when another company put their our LAN and wants you to get a connection to one server. I can not make the core switch to work as layer 2.

What if I replace the ASA WITH A ROUTER? i dont care about the security levels for now I just want it to work with out changing the inside network.
0
AkinsdNetwork AdministratorCommented:
In a live production environment this Core is where all the SVIs are created what happens when another company put their our LAN and wants you to get a connection to one server.
Are you referring to the 3560 in your diagram as the core switch?
I can not make the core switch to work as layer 2.
Layer 3 switches have all the capabilities of layer 2. The layer 3 is an additional feature
What if I replace the ASA WITH A ROUTER? i dont care about the security levels for now I just want it to work with out changing the inside network.
I still don't know how your topology looks like. Let's lay the foundation (infrastructure) first before going any further. I didn't see any answer to my previous question
0
Habib ZakariaNetwork Solutions ArchitectAuthor Commented:
Its okay I am doing my own research lab.
0
AkinsdNetwork AdministratorCommented:
Ok,
If it's just a lab.
Replace the ASA with a router in Packet tracer and use any of the 2 topologies I pasted above.
Read a little more on subnetting and route distribution to understand the concept.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Architecture

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.