Cisco ASA in home network

amrogers3 (Gawd, joined Nov 7, 2010, 641 messages)
I have an ASA I would like to implement in a home network.

Been doing some research and found the ASA can support 3 VLANs in "routed" mode. From what I have read, one of the VLANs can only talk to one other VLAN, similar to this:

[image: 153364.jpg]


VLAN1 would be the one-way "Home" VLAN in my setup. I would like to set up a RADIUS server, SNORT on the SPAN port, NAS, and a WAP on VLAN2.

Anyone see any problems with this setup or have any recommendations?

[image: ASA.png]
 
With the base license, you won't really be able to do what you want. There's another limitation, I believe it's interface-based. So you can get the VLANs, but not the third interface. Routing with an ASA can be a big PITA anyway. Use a router or L3 switch for this and let the ASA be a firewall.
 
Here's the show ver output from a Base license ASA

Code:
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

asa5505 up 12 days 2 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is d0d0.fdc3.e6b0, irq 11
 1: Ext: Ethernet0/0         : address is d0d0.fdc3.e6a8, irq 255
 2: Ext: Ethernet0/1         : address is d0d0.fdc3.e6a9, irq 255
 3: Ext: Ethernet0/2         : address is d0d0.fdc3.e6aa, irq 255
 4: Ext: Ethernet0/3         : address is d0d0.fdc3.e6ab, irq 255
 5: Ext: Ethernet0/4         : address is d0d0.fdc3.e6ac, irq 255
 6: Ext: Ethernet0/5         : address is d0d0.fdc3.e6ad, irq 255
 7: Ext: Ethernet0/6         : address is d0d0.fdc3.e6ae, irq 255
 8: Ext: Ethernet0/7         : address is d0d0.fdc3.e6af, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Serial Number: XXXXXXXXXXXX
Running Activation Key: XXXXXXXXXXXXXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.

I think the 10 hosts is the limitation Vito is talking about, not the interfaces, as all 8 of the interfaces are in use on this one.
 
No, I'm talking about SVIs, for lack of a better term. Not the physical interfaces. Try making another VLAN and interface on there.

It's been a while, but I know there was something about the base license that should prevent this.
 
Code:
asa5505# config t
asa5505(config)# interface vlan 3
asa5505(config-if)# nameif DMZ
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
asa5505(config-if)# no forward interface vlan 1
asa5505(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
asa5505(config-if)# security-level 50
asa5505(config-if)# ip address 192.168.4.1 255.255.255.0
asa5505(config-if)# no shut
asa5505(config-if)# interface eth 0/7
asa5505(config-if)# switchport access vlan 3
asa5505(config-if)# no shut
asa5505(config-if)# exit
asa5505(config)# exit

But when I do show switch vlan I get this, so you may be right:

Code:
asa5505# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6
2    outside                          up        Et0/0
3    DMZ                              down      Et0/7
 
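As an added example (not the poster's configuration), here is what a complete three-VLAN Base-license 5505 configuration looks like in 8.2 syntax once the "no forward" trick is applied, with the restricted VLAN carrying the wireless/home side. The direction of the restriction matters: the VLAN configured with "no forward interface Vlan1" cannot initiate traffic to VLAN 1, but VLAN 1 can still initiate traffic to it (subject to security levels and ACLs), and replies flow back normally. The interface names, addresses, port assignments and DNS resolver below are assumptions.

```cisco
! Added example, not the poster's configuration: ASA 5505 with a Base license,
! 8.2(2) syntax. VLAN names, addresses, port assignments and the DNS resolver
! are assumptions.
!
! inside (Vlan1) and outside (Vlan2) are the two unrestricted interfaces.
! Vlan3 is the third, restricted one: "no forward interface Vlan1" must be
! entered BEFORE nameif, otherwise the Base license rejects the nameif.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif home
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Switchports: Eth0/0 to the cable modem, Eth0/1-0/6 stay in VLAN 1 (inside),
! Eth0/7 to the wireless access point
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 3
!
! PAT both internal VLANs behind the outside address (8.2 NAT syntax)
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (home) 1 192.168.3.0 255.255.255.0
!
! Hand out addresses to wireless clients behind the WAP (assumed resolver)
dhcpd address 192.168.3.10-192.168.3.40 home
dhcpd dns 8.8.8.8
dhcpd enable home
!
! Checks: Vlan3 shows "up" only once Eth0/7 has link, and the no forward
! line must appear under Vlan3 in the running config
show switch vlan
show interface ip brief
show running-config interface Vlan3
```

Resulting reachability: inside can reach both home and outside (higher to lower security level), home can reach outside, and home cannot initiate anything to inside no matter what access-list is applied, because the license enforces the restriction ahead of the ACLs. Hosts that must start conversations with the servers (NAS, RADIUS) therefore belong on inside, and the side that only needs the Internet belongs on the restricted VLAN.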
Is eth0/7 connected? If not, that's why it's down.

I'm really not sure what I ran into before. I could be confused and it's just the lack of trunking ability. I don't use 5505s much anymore and when I did, it was just as EZVPN endpoints, so there was no need for more than two ints. I remember having to upgrade to a Sec+ license on one of them when we needed more interfaces, but again, it may have just been that we needed to trunk.

Edit: Ah, okay. Didn't see all that "no forward" shit. So if you use "no forward", that means you'll have three interfaces, but one of them can only talk to one of the other two. That was probably what I ran into before.
 
Yep, that is what I was referring to in my first pic. Only two VLANs can talk to each other; the third can only talk to outside.

And from reading the config guide, apparently SPAN (mirroring) is not enabled on the base license. I would have to buy the Security+ license, which I am not willing to spend $500 on.
 
Hey Vito, thanks for the reply.

I am going to have to route with the ASA. I would rather use an L3 device, but it won't work for my setup, for a couple of reasons: I have a small place, and those L3 routers are expensive, loud as crap, run hot, and take up a lot of space.

I am listening if you have any recommendations. Hopefully, if I do have to route with ASA it won't be terrible since I have less than 10 devices.
 
Wow, I didn't even notice what the pic was trying to convey. Duh.

ASAs aren't cheap. How much are you looking to spend? How fast is your connection? You could probably do what you want pretty easily with an 800 series or 1811. You would be less limited and you could run IOS Firewall/CBAC.

If you want to go with the ASA, make sure you get a book. They can be a real bitch.
 
I actually got to borrow an ASA for an extended period of time so that is what I have to work with. I would love to mess around with CBAC and the 800 series would also allow for port mirroring. Anyway, two questions:

1) any recommendations for config books on ASA?
2) any ideas on how to hook up a snort box to my network without buying sec+?
 
1) http://www.amazon.com/Cisco-ASA-All...8197/ref=sr_1_1?ie=UTF8&qid=1303958979&sr=8-1

2) Instead of running a SPAN port on the ASA grab just about any old POS Cisco switch and put it between the ASA and the cable modem. Isolate the two ports into a VLAN (not the native or management VLAN) and then span the port that leads to the ASA to another free switchport sending ingress and/or egress traffic to an IDS or whatever.

I'm not really familiar with Snort but if it has an "IPS" inline mode as well you can just use it as a bump in the wire in front of the ASA. I really only do Cisco IPS devices so I have no idea what Snort's options are.
 
Thanks Matt, do you recommend a cheap switch? Or would you recommend putting a hub between the ASA and cable modem?

I researched SNORT's "inline" mode and I can't find where it is officially supported. I found a website of someone who is trying to create an inline mode, but as of now it's not available. My options would be to connect a hub in between the cable modem and the ASA or to use a switch as you suggested.

I believe the Sec+ license lets you do a SPAN port, but I don't have $500 for that.
 
C2950 - cheap as hell

Matt's second option is how 98% of the industry does this for IDS; the other 2% are old-timers that still like to use taps. Taps are gay. It is officially supported and needed if you want to do IPS, but it doesn't sound like you want to do that. Stick with SPANning the ports connected to your "outside" VLAN.
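The switch-in-front-of-the-ASA setup that Matt describes and the C2950 post endorses, written out as an added example (not from any poster) in Catalyst 2950 IOS syntax: the modem-facing and ASA-facing ports go into their own VLAN, and the ASA-facing port is mirrored to the port where the Snort sensor listens. Port numbers, the VLAN number and the description strings are assumptions.

```cisco
! Added example, not from the thread: Catalyst 2950 placed between the cable
! modem and the ASA, mirroring the ASA's outside link to a Snort sensor.
! Port numbers, VLAN number and descriptions are assumptions.
!
! Fa0/1 <-> cable modem, Fa0/2 <-> ASA Eth0/0 (outside), Fa0/3 <-> Snort sniffing NIC
!
! Create the isolated VLAN (older 12.1 images need "vlan database" instead)
vlan 100
 name modem-to-asa
!
! Only the two edge ports live in VLAN 100, never the switch's management VLAN 1
interface FastEthernet0/1
 description cable modem
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface FastEthernet0/2
 description ASA outside (Eth0/0)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface FastEthernet0/3
 description Snort sensor, SPAN destination only
 switchport mode access
!
! Mirror both directions of the ASA-facing port to the sensor port.
! A SPAN destination only receives copies; frames the sensor sends are
! dropped, so the sensor needs a second NIC on the inside for management.
monitor session 1 source interface FastEthernet0/2 both
monitor session 1 destination interface FastEthernet0/3
!
! Keep the switch itself unreachable from the modem side: give VLAN 100 no
! SVI, and leave the management address (if any) in a VLAN with no port
! toward the modem.
!
! Checks
show monitor session 1
show vlan brief
```

On the sensor, bring the sniffing interface up with no IP address and in promiscuous mode and point Snort at it. A hub in the same spot would also let the sensor see the traffic, but it gives the sensor a transmit path toward the modem and forces the link to half duplex; the SPAN destination is one-way by design, which is the property you want for a passive IDS.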
 
Good thread, posted to watch this get working :)

I currently do this with Untangle; however, I have 4 interfaces.

[image: 153364.jpg]


1 subnet 192.168.2.x
2 subnet 192.168.3.x
3rd interface is wifi 192.168.50.x
4th is dmz

1 can talk to 2 and 2 can talk to 1, BUT 3 can't talk to either; however, my laptop (wireless) can talk to 2, which has my server & VoIP on it.
 
'no forward' is nice for locking down wireless VLANs; I use a configuration like that at a college radio station.

However, I would recommend against having the NAS on the ASA - it's only 100Mbit. Have the ASA connect into your switch, then connect the devices to that.
 