fcisler (Premium Member, join:2004-06-14, Riverhead, NY):

ASA5505 with Security Plus routing

Ok, I'm stuck... I'm tired and cannot look at this clearly.

I know the ASA5505 base does not support trunk ports or routing between internal VLANs, two things I need. We purchased the Security Plus license and applied it successfully. I have three VLANs:

VLAN1 192.168.2.1/24 (Data)
VLAN2 10.0.0.1/24 (Voice)
VLAN100 Public WAN IPs

I also have IPSec VPN running but what I want to do to learn this better is to start from the ground up.

ASA Version 7.2(4)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif voice
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan100
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 100
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Ethernet0/2
 switchport access vlan 2
!

This should be my absolute minimum config, correct?

WAN = Port 0
Data (192.168.2.1) = 1
Voice (10.0.0.1) = 2
Assuming I also have
access-list internal extended permit udp any any eq domain
access-list internal extended permit tcp any any eq www
access-group internal in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
 
set, where X = gateway, then my data (inside) interface should be able to get out to the internet?

Now to expand upon that, how would I add rules that:
1) Allow routing (without NAT) between 10.0.0.1/24 and 192.168.2.1/24
2) Restrict access to the voice (any from data -> 10.0.0.10)
3) Allow Voice to access the internet AND use one of the public IP's I have (different from data)
4) Get SIP working! I need to forward ports 10000-20000 or some absurd range to get the managed voice system to work. I'd prefer to use a different IP from their data (see #3)
5) Allow traceroute anywhere.

Thanks in advance!
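Items 1 to 3 of the list above, written out as an added example in ASA 7.2 syntax; this is not the poster's configuration and is not taken from any reply in the thread. It assumes the PBX is 10.0.0.10 as stated in the post and uses 203.0.113.3 (a documentation-range placeholder) to stand in for a spare address from the public /29. The inter-interface command is given in the form the ASA actually accepts, `same-security-traffic permit inter-interface`, and each ACL is listed in the order it is evaluated, since the first matching line wins and an ACL bound to an interface replaces that interface's default "higher security to lower security" permit.

```cisco
! Added example (not the poster's config). Assumes the PBX at 10.0.0.10 from the post
! and 203.0.113.3 as a stand-in for a spare address from the public /29.
!
! 1) Route between the two security-level-100 interfaces, and exempt that traffic from NAT
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list NONAT_VOICE extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (voice) 0 access-list NONAT_VOICE
!
! 2) Data may reach only the PBX on the voice VLAN. First match wins, so the host permit
!    and the subnet deny sit ahead of the general internet permits.
access-list internal extended permit ip 192.168.2.0 255.255.255.0 host 10.0.0.10
access-list internal extended deny ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list internal extended permit udp 192.168.2.0 255.255.255.0 any eq domain
access-list internal extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-group internal in interface inside
!
!    Mirror it on the voice side so a compromised phone cannot browse the data VLAN
access-list voice_in extended permit ip host 10.0.0.10 192.168.2.0 255.255.255.0
access-list voice_in extended deny ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list voice_in extended permit ip 10.0.0.0 255.255.255.0 any
access-group voice_in in interface voice
!
! 3) Separate dynamic PAT pools: data leaves on the outside interface address,
!    voice leaves on the second public address
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (voice) 2 10.0.0.0 255.255.255.0
global (outside) 2 203.0.113.3
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
```

Once an ACL is bound to the inside interface, anything the data VLAN needs beyond DNS and HTTP (HTTPS, NTP, the SIP provider's ports for softphones, and so on) has to be listed explicitly, which is the point at which most "it worked before the ACL" complaints start. `show access-list internal` prints a hit count per line, so the deny entries show immediately what they are catching.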

meta (Member, join:2004-12-27):


"An ASA is not a router"

You will also need a command to the effect of:
same-security-level inter-interface permit

You will probably need to define ACLs permitting traffic as necessary. Log in to the ASA and run a terminal monitor command to watch for what it's dropping. If you determine you need that traffic to pass, permit it.

VOIP does not work well through a firewall. Do not try to use port address translation in a data firewall for voice traffic. Session border controllers (voice firewalls) such as Cisco unified border element are there to fill that role.

Based on the requirements and experience posted, I would suggest you get a router and put an ACL on it. If you need to send VOIP, use public addresses on the voice stream endpoints or tunnel it to the remote location.

fcisler (Premium Member, join:2004-06-14, Riverhead, NY):

said by meta:
    "An ASA is not a router"
    You will also need a command to the effect of:
    same-security-level inter-interface permit

I will try that command.

The ASA is not a router but I need it to function in a limited capacity as one. There is no budget for any further devices and this is what I must use. The traffic between the subnets will be very minimal: occasional configuration and possibly HUD in the future.

said by meta:
    VOIP does not work well through a firewall. Do not try to use port address translation in a data firewall for voice traffic. Session border controllers (voice firewalls) such as Cisco unified border element are there to fill that role.

I understand I'm trying to use a less-than-ideal piece of equipment for this purpose but this is what I'm stuck with. This current scenario works fine through any consumer grade Linksys (Cisco) or even an ALIX with pfSense/M0n0wall. I actually have an ALIX running an IPsec VPN tunnel to another ASA5505.

Are you really telling me that I cannot accomplish this? Again - not ideal situation - but how can I make it work?

Cisco unified border element is not supported on my device either. There is NO WAY to forward a range of ports?
said by meta:
    Based on the requirements and experience posted, i would suggest you get a router and put an ACL on it. If you need to send VOIP, use public addresses on the voice stream endpoints or tunnel it to the remote location.

Again, budget does not allow for this. I bought Security Plus licensing for this very specific purpose. This building is also "green": one of the major concerns is minimalistic equipment to get the job done (their words, not mine).

I cannot tunnel to the remote location - it's a SIP provider and I wouldn't even ask this of them.

I have a configuration in which everything works EXCEPT the sip ports (10000 - 20000) and routing between voice and data.

HELLFIRE (MVM, join:2009-11-25) to fcisler:

quote:
    VOIP does not work well through a firewall. Do not try to use port address translation in a data firewall for voice traffic. Session border controllers (voice firewalls) such as Cisco unified border element are there to fill that role.

Something on my 'to look up sometime I'm bored and not busy' list has been to do an ASA with a full DMZ like so:

»www.cisco.com/en/US/docs ··· dmz.html

except without NAT'ting the addresses. I suspect you could write your NAT rules such that voice traffic doesn't get NAT'd, but I've yet to figure out the nuts-and-bolts details. Figured I'd point it out as a starting point.

Regards

meta (Member, join:2004-12-27) to fcisler:

The key issue is that an ASA is not strictly a layer 3 device. It is a layer 7 device. It tries to read the traffic going through it (such as SIP) and inspect it. In doing so, it may or may not permit the return traffic, and it may not correctly permit the RTP traffic.

That said, you can attempt to de-brain it. If you write an ACL permitting the specific traffic in both directions on both interfaces, create static xlates for all of those RTP ports, and have the full possible range of ports that SIP will attempt to broker RTP streams on, you might be able to get it through.

Cisco attempts to provide voice conduit service through phone-proxy stuff, but when interoperating with non-Cisco gear (e.g., Avaya phone to Asterisk provider) there are oodles of bugs with false session teardowns.

Consumer grade equipment isn't trying to be that "smart". The ASA is a security appliance; it's designed to secure the network by understanding the L7 traffic flows going through it, and to correctly permit traffic you will need to ensure that it understands the protocol.

Some people have VOIP working with some services on a limited basis through an ASA. It's simply not a good idea because you will spend far more time troubleshooting why you get random one-way audio or dropped calls than to simply use the correct equipment.

TL;DR: 3 options -> Use something less smart than an ASA, de-brain the ASA, or don't NAT VOIP traffic through the ASA.

edit:
I got my morning bug list email, at least 3 open VOIP related bugs. Here is one:
CSCsm51105 Bug Details 
SIP: The BYE doesn't go through when outside phone calls inside phone  
Symptom: The BYE doesn't go through when outside phone calls inside phone.
Conditions: Interface PAT is configured
Workaround: None
Status: Open 
Severity: 3 - moderate 
Last Modified: In Last 3 Days 
Product: Cisco ASA 5500 Series Adaptive Security Appliances 
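Meta's "de-brain it" recipe (a static xlate for the PBX, ACLs covering the full RTP range, no reliance on the SIP inspection) written out as an added example in ASA 7.2 syntax; it is neither meta's nor the poster's configuration. Assumptions: the PBX is 10.0.0.10 as in the original post, 203.0.113.4 stands in for a spare address from the /29, and 198.51.100.7 plus 198.51.100.16/28 stand in for the SIP provider's signalling host and media relays (all documentation-range placeholders). Two consequences worth seeing in the config itself: a one-to-one static rather than interface PAT avoids the exact condition named in the bug quoted above, and because the SIP inspection will no longer open per-call RTP pinholes, the whole 10000-20000 range is open for the life of the config, so the outside ACL limits it to the provider's addresses instead of `any`.

```cisco
! Added example (not from the thread). Placeholders: 203.0.113.4 = spare public address,
! 198.51.100.7 / 198.51.100.16/28 = SIP provider signalling host and media relays.
!
! One-to-one static for the PBX: no PAT, every port maps to 10.0.0.10, so the ACL alone
! decides what is reachable from the outside
static (voice,outside) 203.0.113.4 10.0.0.10 netmask 255.255.255.255
!
! The provider's addresses, kept in one group so the ACL never has to widen to "any"
object-group network SIP_PROVIDER
 network-object host 198.51.100.7
 network-object 198.51.100.16 255.255.255.240
!
! Inbound on outside: SIP signalling and the RTP range, provider only.
! Everything else falls through to the ACL's implicit deny.
access-list outside_in extended permit udp object-group SIP_PROVIDER host 203.0.113.4 eq 5060
access-list outside_in extended permit udp object-group SIP_PROVIDER host 203.0.113.4 range 10000 20000
access-group outside_in in interface outside
!
! Outbound voice -> provider is already allowed by security level 100 -> 0 (or by whatever
! ACL is bound to the voice interface), and the static carries the return path.
!
! Take the SIP inspection out of the path so it cannot rewrite headers or tear down
! sessions it misparses; this is the "de-brain" step
policy-map global_policy
 class inspection_default
  no inspect sip
```

The trade-off is explicit here: with `inspect sip` gone the ASA no longer validates the SIP dialogue or opens only the ports a call negotiates, so the ACL's source restriction is the only thing standing between the PBX's media range and the internet. `show conn | include 10.0.0.10` and the hit counts from `show access-list outside_in` are the quickest way to confirm that only the provider is landing on that static.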
 


fcisler (Premium Member, join:2004-06-14, Riverhead, NY) to HELLFIRE:

Thanks for the link, I'll look into that.

fcisler (Premium Member) to meta:

Thank you for the in depth explanation.

Unfortunately it appears that I'll be best off using two separate devices.

I guess Cisco's solution to this is to buy a more expensive device which supports Unified Border Element?

I'm rather upset that I've spent this much time on this issue and Cisco's answer is "more money" on other devices - instead of giving the device the ability to "dumb itself down".

meta (Member, join:2004-12-27):


If you are familiar with all the features, you can definitely de-brain it. But at that point why buy an ASA? If you truly want "dumb NAT/PAT" that just forwards ports without inspecting the traffic, just use a router. What do you need the ASA for?

I wouldn't buy a unified border element box unless you planned on terminating a good number of calls or doing transcoding. You would probably be much better off terminating all the VOIP on a single Asterisk box with a public IP address facing the internet. Just have the internal phones register to it and use it like a VOIP PBX. It costs next to nothing (VMware) and solves all the problems without touching the network.


fcisler (Premium Member, join:2004-06-14, Riverhead, NY):


Because a couple of people at this office see "Cisco" and think it's the greatest thing since sliced bread? I really don't know.

I usually don't sell a lot of Cisco gear to SMBs... the markup is insane and most places would (will) balk at the price. Is saving a couple hundred dollars on a switch worth it? Well, it may be slower but they don't care; they see the bottom line. After dealing with the ASA series too, I don't see too many businesses who would benefit from it compared to an SBC or a small server with a software distribution.

At my 9-5, however, it's a different story. There are two 6513s and two 6509s in this building....

All of the internal phones register to a trixbox-like setup and the IPsec connection is their primary inbound/outbound DIDs.

If I threw a second NIC in the machine I could assign it a public IP and keep the internal subnet for the actual phones. That may work... I'm going to take a look at some alternatives.

Thanks for the help!

HELLFIRE (MVM, join:2009-11-25) to fcisler:

said by fcisler:
    At my 9-5, however, it's a different story. There's two 6513's and two 6509's in this building....

I'm afraid to ask, but is that equipment on any sort of support contract or is it reclaimed from eBay? Pretty sure we all have our share of stories of people who buy only for the brand name, and swear up and down the street when it fails epically or doesn't do what they want out of the box. It just ends up hurting us who have to support / fix / redesign it the most *sighs*

Regards


fcisler (Premium Member, join:2004-06-14, Riverhead, NY):


All equipment is fully covered and bought brand new. Each 6513 also has 2x SUP720-3B for MPLS. The 6509s have SUP720s. My 9-5 is local government.

Don't get me wrong: If you have the money and are willing to spend it then I like Cisco. Same as any other large manufacturer. For 90% of SMB out there it's cheaper to buy almost any competitor (or even two for redundancy) and their "advantage" to buying Cisco equipment is nothing.


OVERKILL (Member, join:2010-04-05, Peterborough, ON) to fcisler:

Curious as to whose idea it was to use an ASA for this purpose in the first place? Depending on the volume of traffic, something like an 881 or 891 may have worked... for a fraction of the price.

I understand the problem when being "stuck" with a less than ideal piece of equipment for a given task, but at the same time, whoever made the decision to purchase this product for this task should have known better and done their research beforehand.


fcisler (Premium Member, join:2004-06-14, Riverhead, NY):


Product was purchased by the previous management company (they are a software company, don't know why they set this up). I'm guessing they purchased it for its VPN functionality.

Now that they spent $$ on it they want to use it. If I tell them that they should (have) purchased XY and Z they will simply say "Well it's been working, make it work". They also have two other offices with these units (base, not security plus).

The easy solution is an "upgrade" to their equipment (security plus). This will at least allow me to communicate between the two VLANs (at a MINIMUM I need this functionality).

So far it appears that my planned route is to use a Linksys with a static IP for the WAN connection to the voice network and then apply a static route on the voice server to use an interface on the ASA. I think this should cause me the least amount of headache.


OVERKILL (Member, join:2010-04-05, Peterborough, ON):


They have put you in a very unfortunate position then. I imagine explaining to them their folly would be futile as well, correct?

Good luck with your efforts. One could always try selling off this unit to pick up something like an 891 that would actually do what you need.... Though I assume that isn't an option either?

HELLFIRE (MVM, join:2009-11-25) to fcisler:

@OVERKILL
I'm curious what dealers you've been looking at because my searches show an ASA5505 with SecPlus versus an 891 (both brand new, no SMARTnet) are roughly the same price to within 10s of dollars.

I do agree though whoever made the purchase decision got some pretty bum info, probably took a look at the marketing brochure and followed the managerial dictum of "if it doesn't fit, you're not jumping down the throats of the people who actually know what they're doing enough."

Regards


fcisler (Premium Member, join:2004-06-14, Riverhead, NY):


Herein lies a problem I deal with quite frequently: Someone at the business knows something - usually just enough to f*ck themselves horribly and not admit to it. They want a say in everything.

This company is a medical office. They bought software which they wanted to use in all their offices. Apparently the software company also sold them and set up ASA5505s. The rest of the network is absolutely incorrect. No DHCP, no domain, all standalone clients running as every different user, etc. etc. It's a horrible mess of garbage. Luckily the people there realize that it's not right and they need a company to fix it and manage it.

We picked up this client and one of the first challenges was wiring a new building. We accomplished that and got everything set up. All I was told is that they had a "Cisco VPN router" that they had spent "a lot of money on" and when they were ready to move all I had to do was move the physical device over.

Who does this info/order come from? I'd say I'm still trying to figure it out but I'd be lying. Someone there asks someone else who then plays telephone until a "just do it" order gets put down. No one knew the actual answer or cared to find out, but they wanted me out of their hair.

Never mind that they neglected to tell the ISP that they were moving (oh you need coax to hook up a cable modem?).
Never mind that they didn't sign the porting papers for their SIP trunk. (it's not critical, right??!!)
Never mind that someone there "knew better" and decided to make one of the analog lines the main DID (so your main DID is POTS and you have no rolling...ok)
Never mind that they cut my analog line count from 6 to 2 (No... I didn't do MY homework and give the elevator guy a dedicated line, 2x for fire/alarm, one dedicated fax, two backup analog for phone system)

Getting a rush order in for coax worked, until they tried to hook their old equipment up and nothing worked. New static IP range and hardware and we were good to go. Oh wait. The radiology machine doesn't work? Oh... a call to GE finds out that they ACL certain subnets and the change left them stranded...

Oh...but there's no SIP trunk. OK - I'll use the analog lines. Oh you needed a certificate of occupancy? Yeah then the fire alarm guy needs his POTS lines - disconnects mine.

Make it work? Ok here's a SIP trunk to my office. Where's the SIP paperwork for YOU? Oh you still haven't signed it....

This is a 3 ring circus unfortunately...


OVERKILL (Member, join:2010-04-05, Peterborough, ON):


I feel your pain.

My employer purchased a doctor's office about a year ago, and so I took over IT operations there as well. Their system had been set up and managed by a software vendor and well, some of the stuff had me less than thrilled. Luckily, since we OWN the business, changing out equipment was not a problem. I have an 861 handling the routing and VPN duties. Luckily, there was no VoIP to attend to.

Cleaning up somebody else's mess can be a real chore; often with the largest obstacles being people, not equipment.

HELLFIRE (MVM, join:2009-11-25) to fcisler:

We seem to have semi-hijacked the thread into a gripe-fest, so going back to your original requirements fcisler, probably the simplest way to get this to work and keep you sane is this:

ISP
|
|
Layer 2 switch --> (PUB IP #2) --> [VOIP box] --> 10.0.0.0/24 VOICE network
|
|
(PUB IP #1)
[ASA]
192.168.2.0/24 network DATA network

I don't know if you want any interconnect between your 10.0.0.0 network and your 192.168.2.0 and it sounds like TPTB are wanting this to work without a COMPLETE and THOROUGH requirements analysis and redesign from the ground-up.

So that reduces the list of problems to 1 to let traceroute anywhere... I'll have to take a look at the ASA command reference, in IOS it'd simply be a case of building an inbound ACL similar to this

»www.cisco.com/en/US/tech ··· 76.shtml

but I forget if it'd be the same commands for the ASA.

Regards
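The ASA equivalent of the inbound ACL HELLFIRE describes for IOS, added here as an example rather than taken from the linked Cisco page or from anyone in the thread. Outbound traceroute probes from the inside or voice VLANs are already permitted by the security levels; what the ASA drops are the ICMP time-exceeded replies, because they arrive from intermediate routers for which it has no connection entry. Permitting them inbound on the outside interface fixes that (these lines must sit ahead of any catch-all deny in the outside ACL); `unreachable` covers the final hop's reply to UDP-style traceroute on Linux, and `inspect icmp` with `inspect icmp error` lets the ASA match each reply, including through NAT, to the echo (Windows tracert) or UDP flow that triggered it rather than treating it as an unsolicited packet.

```cisco
! Added example (not from the thread): traceroute started on inside/voice, replies arriving on outside.
! These permits must come before any catch-all deny in outside_in.
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-group outside_in in interface outside
!
! Track ICMP echo as a connection and tie ICMP error messages to the session
! (UDP probe or echo) that caused them, so replies pass NAT correctly
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```

Keeping the two ICMP types to exactly these (rather than `permit icmp any any`) is the difference between letting traceroute work and opening the inside to unsolicited pings and redirects; `show service-policy inspect icmp` confirms the inspection is active and counting packets.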

meta (Member, join:2004-12-27):

HELLFIRE, we definitely need to get you a copy of Visio.

Attached pictures for prettiness ;-P

HELLFIRE (MVM, join:2009-11-25) to fcisler:

@deepblackmag
Please don't let my mad Notepad and MSPaint skills die...

Regards