<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Topic &#x27;Re: [Config] Cisco ASA 5505&#x27; in forum &#x27;Cisco&#x27; - dslreports.com</title>
<link>http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27490576</link>
<description></description>
<language>en</language>
<pubDate>Fri, 24 May 2013 18:15:16 EDT</pubDate>
<lastBuildDate>Fri, 24 May 2013 18:15:16 EDT</lastBuildDate>

<item>
<title>Re: [Config] Cisco ASA 5505</title>
<link>http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27500141</link>
<description><![CDATA[HELLFIRE posted : <div class="bquote"><said>said by <a href="/profile/676954" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=676954');">aryoba</a>:</said><p>You'll get used to the new command at some point :D<br> </p></div>Assumes one actually has to LEARN 8.3, which for me is strictly optional and somewhere at the bottom of the "to procrastinate" list aryoba :D<br><br><div class="bquote"><said>said by <a href="/profile/835549" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=835549');">mbruno</a>:</said><p>I do want the labs to be able to talk to one another, but just not use the IP space from the other labs. </p></div>It's too close to Friday for me to do deep thinking on this... but I hear what you're saying mbruno.<br>I agree with aryoba that so long as this stuff's isolated from the main prod network and the users<br>are aware it's a LAB network with NO guarantees, I'd wash my hands of it all and move to the next forest fire.<br><br>Regards]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27500141</guid>
<pubDate>Thu, 06 Sep 2012 22:21:53 EDT</pubDate>
</item>

<item>
<title>Re: [Config] Cisco ASA 5505</title>
<link>http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27499060</link>
<description><![CDATA[aryoba posted : Unless the lab is a separated network and "not sharing" the production network IP scheme, anything that happens in the lab stays in the lab.<br><br>Buying additional firewalls won't stop a situation of overlapping IP scheme though :) ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27499060</guid>
<pubDate>Thu, 06 Sep 2012 16:37:19 EDT</pubDate>
</item>

<item>
<title>Re: [Config] Cisco ASA 5505</title>
<link>http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27498040</link>
<description><![CDATA[mbruno posted : I do want the labs to be able to talk to one another, but just not use the IP space from the other labs. As with most users you can tell them until you are blue in the face of what sub-net and gateway to use but they still muck it up. I know what you are thinking, I can't stop the users from changing the IP address since it's a lab. To throw salt into the wound, management will not hold them accountable for anything. It is like the wild west at times working as a contractor for the government. <br><br>I guess the other thing I could do is buy an ASA5505 for each lab with the security pack. We are looking at three maybe four units. That way even if they try to use someone else's IP space they can't!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27498040</guid>
<pubDate>Thu, 06 Sep 2012 12:28:42 EDT</pubDate>
</item>

<item>
<title>Re: [Config] Cisco ASA 5505</title>
<link>http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27497188</link>
<description><![CDATA[aryoba posted : <div class="bquote"><said>said by <a href="/profile/1691829" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1691829');">HELLFIRE</a>:</said><p><div class="bquote"><said>said by <a href="/profile/835549" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=835549');">mbruno</a>:</said><p>On top of this I want to be able to do one to one static mapping. </p></div>Static NATs are doable, just don't ask me how to do them in 8.3 and up... one word, <b>UUUUUUUUUUGLY!!!!</b><br></p></div>It is not ugly, rather related commands are consolidated :)<br><br>You'll get used to the new command at some point :D]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27497188</guid>
<pubDate>Thu, 06 Sep 2012 09:00:22 EDT</pubDate>
</item>

<item>
<title>Re: [Config] Cisco ASA 5505</title>
<link>http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27496354</link>
<description><![CDATA[HELLFIRE posted : 5505 can't do multiple contexts, so you're looking at a 5510 minimum.<br><br><div class="bquote"><said>said by <a href="/profile/835549" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=835549');">mbruno</a>:</said><p>What I would like to do is segment the network so each lab has its own sub network to work from to keep all the labs separate. </p></div>Would LAB1 be able to talk to LAB2 and LAB3, LAB2 to LAB1 and LAB3, and so forth?  If not, an alternative to try would<br>be to drop the 3 labs into different VLANs but the same security level, and use no same-security-traffic permit <br>intra-interface so that interfaces in the same sec level cannot talk to one another.<br><br><div class="bquote"><said>said by <a href="/profile/835549" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=835549');">mbruno</a>:</said><p>On top of this I want to be able to do one to one static mapping. </p></div>Static NATs are doable, just don't ask me how to do them in 8.3 and up... one word, <b>UUUUUUUUUUGLY!!!!</b><br><br>My 00000010bits<br><br>Regards]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27496354</guid>
<pubDate>Wed, 05 Sep 2012 23:01:15 EDT</pubDate>
</item>

<item>
<title>Re: [Config] Cisco ASA 5505</title>
<link>http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27491250</link>
<description><![CDATA[aryoba posted : Ideally I would suggest using Multiple Context where one Context is dedicated to each network (in this case, one Context is dedicated to Lab 1, 2, 3 accordingly). This way, each network has its own routing table and never shares the same routing table. In other words, having Multiple Context in place is like having multiple virtual firewalls of one physical firewall.<br><br>Note that once you have an ASA to run Multiple Context, the firewall loses some features including static NAT/PAT. Since you wish to have such static NAT/PAT in place, then the use of Multiple Context will be incomplete without an additional box to just do the static NAT/PAT. If you have let's say two ASA firewalls, you can dedicate one to do Multiple Context and another one to do the static NAT/PAT.<br><br>When you only have one ASA firewall, then another solution is to set each network to be on different Security Level or different Security Zones. With this solution, you don't lose any firewall features so you can still do static NAT/PAT on the same ASA firewall however all networks share the same routing table though you still maintain some security.<br><br>In general, an ASA should be able to handle either solution however you may want to make sure that the ASA in question has the proper license in order to support what you need to accomplish.<br><br>For the last question to regulate outbound or inbound traffic to whether to respond to certain protocols or have access to certain outside resources, this is a job for ACL (access-list and access-group commands to be exact). Simply create appropriate source and destination IP addresses, protocol, and TCP/UDP port numbers and apply to appropriate interface, then you should be good to go.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-Cisco-ASA-5505-27491250</guid>
<pubDate>Tue, 04 Sep 2012 15:27:39 EDT</pubDate>
</item>

<item>
<title>[Config] Cisco ASA 5505</title>
<link>http://www.dslreports.com/forum/Config-Cisco-ASA-5505-27490576</link>
<description><![CDATA[mbruno posted : I have a question about the routing on the ASA5505 firewall and was hoping that someone here could answer it for me. So where I work we have multiple labs and everything is plugged in to one firewall. What I would like to do is segment the network so each lab has its own sub network to work from to keep all the labs separate.<br><br>So we have three labs and I will call them lab 1, Lab 2, and Lab3. I would like to have lab1 on 10.10.1.1 /24, lab2 on 10.10.2.1 /24 and lab3 on 10.10.3.1/24. On top of this I want to be able to do one to one static mapping. For example, if a computer from Lab1 has an IP of 10.10.1.5 then on the outside interface I would like to have IP display the IP of say 128.136.x.x and so on for each device on the network.<br><br>Can the ASA5505 handle this? I know a router could but we are not allowed to use a router on our network for internal stuff. I know this may sound stupid, but I didn't make up the rules I just have to follow them.<br><br>The other question I have about this is would I have to put in each port I wanted the computer to have access to? For example, if I want all the computers from Labs1,2 and 3 to be able to use the web, SFTP, SSH, SSL and Windows updates would I have to input a separate line for each Static mapping?<br><br>Thanks<br><br>Mbruno  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Config-Cisco-ASA-5505-27490576</guid>
<pubDate>Tue, 04 Sep 2012 12:41:34 EDT</pubDate>
</item>

</channel>
</rss>
