Implement ASA 5505 into existing network

Well it's time to remove the Linksys WRT160N from full-time operation as the main internet router. For some reason, the router will not open and sometimes close ports anymore. It is becoming quite an issue for me.

Long story short, I want to continue to use the Linksys, but only as a wifi hotspot around the house. I have a rack of Cisco routers and switches that I study with and one of the spare 1721 routers will become the main internet router. The ASA 5505 will be brought into the picture to provide firewall and port-forwarding services.

I'm looking for someone to provide a few "best practices" when it comes to properly implementing the ASA. Where do you place the firewall, in front of or behind the main internet router, etc.?

A little run down of what I have on our network. The DSL connection feeds the Linksys, and to the Linksys, I have one desktop computer, a Cisco Access Server for the rack, a D-LINK NAS unit, which I use with the built-in FTP server, and a web-power switch which I use to remotely control the power to the Cisco rack.

Ultimately, I want to be able to open ports to allow for RDP, FTP, as well as to be able to SSH into the Access Server for when I do studying remotely. I do not want the rest of my internal network exposed to the outside, which I know can be taken care of with the ASA. As long as I can open ports for the programs that I need internally, I should be fine.

Any help you can give would be greatly appreciated!

Thanks!
 
The firewall goes on the outside of the router.

You should not open RDP to the internet. SSH and FTP... it depends on how that machine is isolated and authenticated.

You probably should use the ASAs VPN capabilities to remotely access the network.

No one can even think of offering you specific config advice until you tell us the ASA software version. The syntax is different depending on the ASA software version.
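
One concrete form of the "use the ASA's VPN instead of opening RDP" advice above, as an added example written for this thread (it is not any poster's configuration): an IKEv1 remote-access VPN for the Cisco VPN client, in ASA 8.4 syntax. Assumed values: the inside network 192.168.1.0/24 from the original post, a VPN pool 192.168.50.0/24, the names RA-VPN, RA-GP, RA-POOL, RA-TS, DYN-MAP, OUTSIDE-MAP, the user remoteuser and the CHANGE-ME secrets are all made up for the example. On 8.3 the same commands are spelled without the ikev1 keyword (crypto isakmp enable/policy, crypto ipsec transform-set, set transform-set, pre-shared-key, vpn-tunnel-protocol IPSec).

```text
! --- Added example: IKEv1 remote-access VPN, ASA 8.4 syntax (not from the thread) ---
! Phase 1 (ISAKMP) policy offered to the VPN client
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Phase 2 (IPsec) transform set, bound through a dynamic crypto map
! because the client's source address is not known in advance
crypto ipsec ikev1 transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
! Addresses handed to connected clients (assumed pool)
ip local pool RA-POOL 192.168.50.10-192.168.50.20 mask 255.255.255.0
! Split tunnel: only the home LAN goes through the tunnel, the rest stays local on the client
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
! Connection profile: group pre-shared key plus a per-user login from the LOCAL database
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
tunnel-group RA-VPN ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-GROUP-KEY
username remoteuser password CHANGE-ME-USER-PASSWORD privilege 0
username remoteuser attributes
 service-type remote-access
! 8.3+ NAT exemption: LAN <-> VPN pool traffic must not be PATed to the outside address
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network RA-POOL-NET
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static RA-POOL-NET RA-POOL-NET
```

With this in place RDP, SSH and file sharing are reached over the tunnel, so the outside access list can stay closed to everything but the VPN itself. A 5505 with the Base license is limited to 10 IPsec VPN peers, which is plenty for one person working from the office.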
 
I said RDP, because that is what I used to use to access my computer at home until I discovered TeamViewer.

The more I think about it, maybe it would be best to create a DMZ on the firewall and place the NAS unit and the Cisco Rack there?

I do not have the ASA in hand yet, but I will in the next day or so. I believe the software version is right around 8.3 or 8.4.
 
Why not just use the ASA to do the NAT for you? It doesn't do full routing, but for a home network it works fine.

If you do use a router, I recommend a "ISP -> Router -> Firewall -> Internal Network" setup.
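
A single-box layout following the "ISP -> ASA -> internal network" advice above, as an added example written for this thread rather than any poster's configuration. It uses the 8.3+ object NAT syntax the thread says is needed for 8.3/8.4, and it implements the DMZ idea floated earlier: the Access Server and the NAS sit in a third VLAN. On a 5505 Base license the third VLAN must be declared unable to initiate traffic to one other VLAN (no forward interface, entered before nameif); inside can still open connections into the DMZ. Assumed values, all made up for the example: DMZ 192.168.10.0/24, Access Server 192.168.10.10, NAS 192.168.10.20, a fixed address 203.0.113.5 for the network the OP connects from, and the object and user names; only the inside network 192.168.1.0/24 comes from the thread.

```text
! --- Added example: ASA 5505 Base license, inside + outside + restricted DMZ, 8.3+ NAT ---
! Ports: e0/0 to the DSL modem (VLAN 2), e0/1 stays in VLAN 1 (inside), e0/2 to the rack (VLAN 3)
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 3
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
! Outbound PAT for both internal networks onto the outside address
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ-NET
 subnet 192.168.10.0 255.255.255.0
 nat (dmz,outside) dynamic interface
! Static PAT (port forwards): SSH to the Access Server on the usual port,
! SFTP to the NAS published on an alternate outside port (2222)
object network ACCESS-SERVER
 host 192.168.10.10
 nat (dmz,outside) static interface service tcp 22 22
object network NAS
 host 192.168.10.20
 nat (dmz,outside) static interface service tcp 22 2222
! Inbound policy: only the trusted source may reach those two services, everything else is dropped.
! 8.3+ access lists match the real (untranslated) address and port, hence "eq 22" for the NAS too.
object network TRUSTED-SOURCE
 host 203.0.113.5
access-list OUTSIDE-IN extended permit tcp object TRUSTED-SOURCE object ACCESS-SERVER eq 22
access-list OUTSIDE-IN extended permit tcp object TRUSTED-SOURCE object NAS eq 22
access-group OUTSIDE-IN in interface outside
! Device management over SSH from the inside only, against the local user database
! (first generate the key in privileged exec: crypto key generate rsa modulus 2048)
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
aaa authentication ssh console LOCAL
username admin password CHANGE-ME privilege 15
! DHCP for the inside; the Linksys becomes an access point on this VLAN
dhcpd address 192.168.1.50-192.168.1.100 inside
dhcpd auto_config outside
dhcpd enable inside
```

Verify the translations with show nat and walk a packet through the policy with packet-tracer, for example packet-tracer input outside tcp 203.0.113.5 40000 <outside address> 2222, which should show the NAT hit and the access-list permit for the NAS. If the OP's source address changes, the TRUSTED-SOURCE object is the one line to update, or the object can be dropped in favour of the VPN approach discussed above.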
 
ASA 5505 will do 150Mbps of throughput with both directions combined.

75/75 or 100/50

Agreed you can just use the ASA as your one device, unless you need significant L3 routing capabilities.
 
I may just do that, thanks.

Have you had performance issues in regards to internet speed or dropping connections, with the ASA? I've never used an actual Firewall before, but tried using an older 2520 Router to do NAT for me. It worked for less than a day, and after a certain point, would quit translating. I would have to shut down and power-on the router, before it would work again. It was rather flaky too when it came to obtaining and keeping a dynamically assigned address from the ISP.

One of the reasons I went with the ASA is because it's newer technology, not to mention there are great training videos and books available compared to the PIX 501.
 
> ASA 5505 will do 150Mbps of throughput with both directions combined.
>
> 75/75 or 100/50
>
> Agreed you can just use the ASA as your one device, unless you need significant L3 routing capabilities.

Quick question: what does, let's say, a Cisco 2901 do that an ASA can't accomplish? I see that OSPF, EIGRP, etc. are available on the ASAs.
 
> Quick question: what does, let's say, a Cisco 2901 do that an ASA can't accomplish? I see that OSPF, EIGRP, etc. are available on the ASAs.

Different OS. They can do full EIGRP, OSPF, DMVPN, BGP (to some degree) etc. They also support many other interface types vs just ethernet on the ASA 5505s. Higher versions support some other interfaces, but not as many as the ISRs support.
 
It also depends a bit on the license and hardware add-ons.

The ASAs are for the most part bullet-proof when used correctly.

The ASA 5505 isn't all that new; they were released in 2005, I think.

The models with an -X at the end like the 5512-X are new.

ASA 8.3 is the first version with the newer object-oriented syntax.
 
The ASA I am getting has a Base License on it, but will double check when I get it. I'm really looking forward to using the ASDM on the device. The PIX 501 I have had a primitive GUI, but does not work with the modern browsers of today. At least I couldn't get it to work.
 
The ASA can handle lots of connections and a decent amount of bandwidth going through it. You can put 50+ PCs on a network behind it and it will still run strong. The ASDM on it isn't anything special though and feels kind of messy and cluttered. It's difficult to configure some things on it and you will almost always see an example done on CLI and not through the web interface. It's good for some of the graphs but beyond that I didn't think it was overly useful.

VPN would probably be the best idea to open first, but SSH or RDP on non-standard ports simply to keep the bot traffic down should be okay for a home network. I personally wouldn't say that SSH or RDP is any more or less secure than the other. Both feature encryption, can use some type of two-factor authentication, and can definitely be restricted based upon needs (user limitations, lockout policies, etc.). Ideally it would always be good to simply limit what IPs can even attempt a connection to those open ports, but that isn't always the easiest thing to do.

I would probably steer away from FTP personally just because it's anonymous or non encrypted access to files on a machine. If you need file sharing SFTP would be a better choice. (Could be what you meant but just clarifying the difference)

If you're already using Teamviewer it would likely be just as easy to enable the VPN solution built into that and use that to make your connection to your network.
 
Good thoughts here...

As far as TeamViewer is concerned, I've only tried to use the VPN feature one time, but 99.9% of the time I use it to access my home PC from work. Apparently, the session is very well encrypted, and unless you have the specific key, no outsider is able to access it. That comes from the TeamViewer tech.

I was playing around with the PIX 501 that I have now, while waiting for the ASA to arrive. I was working on basic configurations, and I was going to see if I could get it on the internet. I connected the DSL modem to the outside interface, and issued the following command "ip address outside dhcp setroute". The modem never gave me an actual address. I know on the Linksys, it's configured for PPPoE and I had to enter the username and password to login to the ISP. Do I need to do something similar on the PIX?
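
For the PPPoE question above: the ASA carries the same PPPoE client as the PIX. The ISP login lives in a vpdn group, the group is bound to the outside interface, and the address plus default route come from the PPP negotiation instead of DHCP. The following is an added example in ASA 8.x syntax, not configuration posted in the thread; the group name ISP, the username and the password are placeholders.

```text
! --- Added example: PPPoE client on the ASA outside interface, 8.x syntax (not from the thread) ---
! Dial-out group carrying the ISP login; PAP here, "ppp authentication chap" if the ISP requires it
vpdn group ISP request dialout pppoe
vpdn group ISP localname youruser@isp.example
vpdn group ISP ppp authentication pap
vpdn username youruser@isp.example password CHANGE-ME
! Bind the group to the outside VLAN and take address and default route from PPP
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ISP
 ip address pppoe setroute
! PPPoE encapsulation uses 8 bytes of the Ethernet payload, so the IP MTU is 1492, not 1500
mtu outside 1492
! Checks, in privileged exec: negotiated address and route, session state, and the handshake
! show ip address outside pppoe
! show vpdn session pppoe state
! show vpdn pppinterface
! debug pppoe event
```

If the debug shows PADI going out with no PADO coming back, the modem is not bridging PPPoE to the ASA (it may still be running the PPPoE session itself, as it did for the Linksys); if the discovery completes and authentication fails, it is the username or password.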
 
Just use the ASA as a static or DHCP ethernet only router.

It is not a true router but it does have the ability to route between broadcast domains.

I would actually recommend, if you haven't purchased the ASA, instead to get a Cisco 1921/1941 series with IOS Zone Firewall... I think you will like it much much much much better.
 
I took my Cisco 5505 offline for about a year now. I bought a EdgeRouter + Ubiquiti UAP and never looked back. This is the best combo I've seen for home use. No matter what I throw at it I never have a problem. In fact, I'll sell you my 5505 if you want.
 
> I took my Cisco 5505 offline for about a year now. I bought a EdgeRouter + Ubiquiti UAP and never looked back. This is the best combo I've seen for home use. No matter what I throw at it I never have a problem. In fact, I'll sell you my 5505 if you want.

Same thing here as well. Went to a ERL with an OpenVPN Access Server VM behind it to replace my 5505 with AnyConnect. Works just as well.

That said I did like my 5505. I just wanted something new to play with.
 
Well I already have a 5505 coming my way...should have it Tuesday.

In the meantime, I am playing with this PIX 501. I have it connected directly to the DSL modem. Directly connected to the PIX is the desktop I am on right now. Also connected to the PIX is the old Linksys WRT160N, to give access to the wireless devices in the house. Currently, I am receiving DHCP addresses from the PIX on all wireless devices. I can ping 4.2.2.2 from each device. However, I am not able to access a website on any of the devices. I do have NAT enabled on the inside interface. Otherwise I wouldn't be typing this message now.

Here is the current config. Maybe someone here can figure out why I'm having problems. I attempted to enable RIP routing on the Linksys, thinking that had something to do with it.

Everything is on the 192.168.1.0 network. Please disregard the 192.168.20 network, as I was using that for testing purposes.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX
! Protocol inspection (fixups) at their defaults
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
! Inbound policy on outside: all ICMP from anywhere, plus TCP/80 to the outside address.
! The www line has no matching static translation, so it forwards nothing. The ICMP line is
! broader than needed; echo-reply, time-exceeded and unreachable are enough for ping/traceroute.
access-list acl-outside permit icmp any any
access-list acl-outside permit tcp any interface outside eq www
pager lines 24
! PPPoE adds 8 bytes of overhead, so 1492 is the usual outside MTU on a PPPoE link.
! "Ping works but web pages do not" is the classic symptom of an MTU problem.
mtu outside 1500
mtu inside 1500
! Outside address, default route and ISP login come from PPPoE (vpdn group below)
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
! PAT: every inside host leaves as the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl-outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
! "public" is the well-known default community: anything that can reach the PIX can read
! its SNMP data. Remove it (no snmp-server community public) or set a unique string.
snmp-server community public
no snmp-server enable traps
floodguard enable
! Management access: telnet is cleartext, prefer SSH. Note that SSH is only permitted from
! 192.168.2.0/24, a network that does not exist here, so SSH from the 192.168.1.0/24 LAN is refused.
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
! PPPoE client: dial-out group, ISP username and PAP (credentials redacted in the post)
vpdn group pppoe request dialout pppoe
vpdn group pppoe localname xxxxx
vpdn group pppoe ppp authentication pap
vpdn username xxxx password *********
! DHCP for the LAN; clients are handed the two external resolvers below. When pings by IP
! work but sites do not load, confirm from a client that these resolvers answer (nslookup):
! a failed lookup looks the same as a blocked connection from the browser's side.
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 216.146.35.240 216.146.36.240
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 