
new ASA, how to add to network?

  • new ASA, how to add to network?

    We bought an ASA5510.
    Currently deployed is an 1841 router with 2xT1 lines (there's a card which takes two RJ45s coming in from Verizon as T1s).

    I read here that some recommend not using the router and using the ASA for routing AND firewall.

    I would love that, but my ASA doesn't have a WAN card, just the built-in 4 ports.

    Can I use 2 of the 4 ports for this purpose?

    Anyway, I am guessing not - in this case how do I use the 1841 as a "modem" for the T1 and transfer as much of the functionality to the ASA as possible?

    Or in other words, how do I use the ASA in my network now that I have it?

  • #2
    Re: new ASA, how to add to network?

    The ASAs don't support the WIC cards, so you can't terminate your T1s on it as the WIC is also your CSU/DSU for the circuits. What you could do is keep the router in place just to route (remove any firewall, filtering and NAT configs) and use your ASA for the firewall role. It really depends on how the ISP hands off the circuit to you. I assume your router is acting as the CSU/DSU and connects directly to the smartjack from Verizon.

    I also recommend using the ASA's firewall over the router's if you can. The router's ZBPF is very good, but that is done all in software, where on the ASA it has more resources and a lot more options.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: new ASA, how to add to network?

      YES! 100% agreed, what I wanted to confirm, thank you.

      So now,

      I only have 1 T1, so I cannot play with the configuration too much.
      Where do I find a simple tutorial on how to configure and connect the ASA to the router and network?

      I can clean the NATs and firewall from the router; my question is about how I make the router "aware" of the ASA and the ASA of the router.

      I know there is an in and an out, so it would be:
      T1--router--(out)--ASA--(in)--LocalSwitch--InternalNetwork

      ?

      This is my router's code:
      Current configuration : 8886 bytes
      !
      ! No configuration change since last restart
      !
      version 12.4
      service timestamps debug datetime msec
      service timestamps log datetime msec
      service password-encryption
      !
      hostname ROUTER
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 16384 debugging
      enable secret 5 SECRETSECRET
      enable password 7 SECRETSECRET
      !
      aaa new-model
      !
      !
      aaa authentication login default local line
      !
      aaa session-id common
      !
      resource policy
      !
      clock timezone zone -5
      clock summer-time EDT recurring
      mmi polling-interval 60
      no mmi auto-configure
      no mmi pvc
      mmi snmp-timeout 180
      ip subnet-zero
      ip cef
      !
      !
      ip inspect name fw1 ftp
      ip inspect name fw1 udp
      !
      !
      ip flow-cache timeout active 1
      !
      !
      !
      crypto pki trustpoint TP-self-signed-4134114475
      enrollment selfsigned
      subject-name cn=IOS-Self-Signed-Certificate-4134114475
      revocation-check none
      rsakeypair TP-self-signed-4134114475
      !
      !
      crypto pki certificate chain TP-self-signed-4134114475
      certificate self-signed 01

      382477F0 368EAA05 DF51FCD6 05889CC4 87B9916C 12094A04 1EAE344C 80AC4207

      quit
      username username password 7 pwpw
      !
      !
      controller T1 0/0/0
      framing esf
      linecode b8zs
      channel-group 0 timeslots 1-24
      !
      controller T1 0/0/1
      framing esf
      linecode b8zs
      channel-group 0 timeslots 1-24
      !
      !
      !
      !
      interface MFR1
      mtu 4470
      no ip address
      no ip redirects
      no ip proxy-arp
      encapsulation frame-relay IETF
      no ip mroute-cache
      load-interval 30
      no arp frame-relay
      frame-relay multilink bid to gw
      frame-relay lmi-type ansi
      !
      interface MFR1.500 point-to-point
      ip address addressX.X.X.X 255.255.255.252
      no ip redirects
      no ip proxy-arp
      ip nat outside
      ip virtual-reassembly
      no cdp enable
      no arp frame-relay
      frame-relay interface-dlci 500 IETF
      !
      interface FastEthernet0/0
      ip address 172.16.1.2 255.255.248.0 secondary
      ip address addressY.Y.Y.Y 255.255.255.0
      no ip redirects
      ip mtu 1412
      ip nat inside
      ip virtual-reassembly
      ip route-cache flow
      ip tcp adjust-mss 1360
      duplex auto
      speed auto
      no mop enabled
      !
      interface FastEthernet0/1
      no ip address
      ip nat outside
      ip virtual-reassembly
      duplex auto
      speed auto
      !
      interface Serial0/0/0:0
      mtu 4470
      bandwidth 1536
      no ip address
      no ip redirects
      no ip proxy-arp
      encapsulation frame-relay MFR1
      no arp frame-relay
      !
      interface Serial0/0/1:0
      mtu 4470
      bandwidth 1536
      no ip address
      no ip redirects
      no ip proxy-arp
      encapsulation frame-relay MFR1
      no arp frame-relay
      !
      interface ATM0/1/0
      no ip address
      no atm ilmi-keepalive
      dsl operating-mode auto
      !
      ip classless
      ip route 0.0.0.0 0.0.0.0 MFR1.500
      ip flow-export source FastEthernet0/0
      ip flow-export version 9
      ip flow-export destination 172.16.1.5 9996
      !
      no ip http server
      ip http secure-server
      ip nat pool swimpool addressZ.Z.Z.Z addressZ.Z.Z.Z54 prefix-length 24
      ip nat pool ovrld addressY.Y.Y.Y addressY.Y.Y.Y netmask 255.255.255.0
      ip nat inside source list 120 pool swimpool overload
      ip nat inside source route-map nonat interface MFR1.500 overload
      ip nat inside source static 172.16.1.18 addressY.Y.Y.Y8
      ip nat inside source static 172.16.1.79 addressZ.Z.Z.Z79
      ip nat inside source static 172.16.1.84 addressZ.Z.Z.Z84
      ip nat inside source static 172.16.1.86 addressZ.Z.Z.Z86
      ip nat inside source static 172.16.1.89 addressZ.Z.Z.Z89
      ip nat inside source static 172.16.1.104 addressY.Y.Y.Y04
      ip nat inside source static tcp 172.16.1.105 105 addressY.Y.Y.Y05 105 extendable
      ip nat inside source static 172.16.1.105 addressY.Y.Y.Y05
      ip nat inside source static 172.16.1.108 addressY.Y.Y.Y08
      ip nat inside source static 172.16.1.111 addressY.Y.Y.Y11
      ip nat inside source static tcp 172.16.1.112 80 addressY.Y.Y.Y12 80 extendable
      ip nat inside source static tcp 172.16.1.113 1433 addressY.Y.Y.Y13 1433 extendable
      ip nat inside source static tcp 172.16.1.117 20 addressY.Y.Y.Y17 20 extendable
      ip nat inside source static tcp 172.16.1.117 21 addressY.Y.Y.Y17 21 extendable
      ip nat inside source static tcp 172.16.1.117 22 addressY.Y.Y.Y17 22 extendable
      ip nat inside source static tcp 172.16.1.22 80 addressY.Y.Y.Y20 80 extendable
      ip nat inside source static tcp 172.16.1.122 25 addressY.Y.Y.Y22 25 extendable
      ip nat inside source static 172.16.1.126 addressY.Y.Y.Y26
      ip nat inside source static tcp 172.16.1.128 3389 addressY.Y.Y.Y28 3389 extendable
      ip nat inside source static 172.16.1.129 addressY.Y.Y.Y29
      ip nat inside source static tcp 172.16.1.130 3389 addressY.Y.Y.Y30 3389 extendable
      ip nat inside source static 172.16.1.131 addressY.Y.Y.Y31
      ip nat inside source static 172.16.1.249 addressZ.Z.Z.Z49
      ip nat inside source static 172.16.1.250 addressZ.Z.Z.Z50
      ip nat inside source static 172.16.1.251 addressZ.Z.Z.Z51
      ip nat inside source static 172.16.1.252 addressZ.Z.Z.Z52
      ip nat inside source static 172.16.1.253 addressZ.Z.Z.Z53
      !
      logging trap debugging
      access-list 100 permit tcp 172.16.0.0 0.0.255.255 any
      access-list 100 permit ip 172.16.0.0 0.0.7.255 any
      access-list 100 permit ip 172.16.0.0 0.0.0.255 any
      access-list 101 permit icmp any any echo
      access-list 101 permit icmp any any echo-reply
      access-list 101 permit icmp any any unreachable
      access-list 101 permit icmp any any time-exceeded
      access-list 101 permit tcp any any established
      access-list 101 permit tcp any any eq telnet
      access-list 101 permit gre any any
      access-list 101 permit esp any any
      access-list 101 permit ahp any any
      access-list 101 permit udp any any eq isakmp
      access-list 101 permit udp any any eq non500-isakmp
      access-list 101 permit udp any eq domain any
      access-list 108 deny ip host 199.15.116.9 any
      access-list 108 deny ip host 114.80.100.142 any
      access-list 108 deny ip host 219.218.160.10 any
      access-list 108 deny ip host 121.14.212.114 any
      access-list 108 deny ip host 68.68.30.215 any
      access-list 108 deny ip host 58.56.159.226 any
      access-list 108 deny ip host 222.243.214.75 any
      access-list 108 deny ip host 222.189.238.121 any
      access-list 108 deny ip host 113.6.247.116 any
      access-list 108 deny ip host 219.235.7.49 any
      access-list 108 deny ip host 121.205.88.237 any
      access-list 108 deny ip host 218.53.151.177 any
      access-list 108 deny ip host 96.44.169.147 any
      access-list 108 deny ip host 121.11.69.227 any
      access-list 109 deny ip host 172.16.172.249 any
      access-list 119 permit ip 192.168.99.0 0.0.0.255 any
      access-list 120 deny ip host 172.16.1.47 any
      access-list 120 deny ip host 172.16.1.67 any
      access-list 120 deny ip host 172.16.1.106 any
      access-list 120 deny ip host 172.16.1.113 any
      access-list 120 deny ip host 172.16.1.114 any
      access-list 120 deny ip host 172.16.1.117 any
      access-list 120 deny ip host 172.16.1.125 any
      access-list 120 deny ip host 172.16.1.18 any
      access-list 120 permit ip 172.16.0.0 0.0.7.255 any
      access-list 120 deny ip host 172.16.1.124 any
      access-list 120 deny ip host 172.16.1.243 any
      access-list 120 deny ip host 172.16.1.90 any
      access-list 120 deny ip host 172.16.1.91 any
      access-list 120 deny ip host 172.16.1.104 any
      access-list 120 deny ip host 172.16.1.122 any
      access-list 120 permit tcp any host addressY.Y.Y.Y30 eq 3389
      access-list 120 deny ip host 192.168.168.118 any
      access-list 120 deny ip host 172.16.1.2 any
      access-list 121 deny ip host 192.168.99.1 any
      access-list 130 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
      access-list 130 permit ip 172.16.0.0 0.0.7.255 any
      access-list 132 permit ip 192.168.0.0 0.0.7.255 any
      snmp-server ifindex persist
      disable-eadi
      route-map nonat permit 10
      match ip address 130
      !
      !
      !
      control-plane
      !
      !
      line con 0
      password 7 xxxxxxxxxxxxxxxxxxxxxx
      line aux 0
      password 7 xxxxxxxxxxxxxxxxxxxxxx
      line vty 0 4
      password 7 xxxxxxxxxxxxxxxxxxxxxxxx
      !
      scheduler allocate 20000 1000
      ntp clock-period 17178373
      ntp server 192.5.41.40
      ntp server 192.43.244.18
      end



      • #4
        Re: new ASA, how to add to network?

        The "outside" interface on the ASA connecting to the router's "inside" interface would be on the same subnet, so they can ARP for each other directly. You could use a crossover cable and connect them directly, but I would put a switch in between them.

        You would add a default route on the ASA pointing to the router's "inside" interface. I assume the router already has a route for unknown networks going towards your ISP's next hop. You would then need more specific routes on the router as well for all networks behind the ASA.

        Example:

        If you had 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 behind the ASA, then you could summarize those on the router as 192.168.0.0/16 (this is assuming there are no 192.168.0.0/16 networks upstream from the router). If the T1 is used just for internet access, then a static default route on the router pointing to the next-hop ISP device is sufficient, as well as adding a route for your internal networks pointing to the ASA.

        On ASA:

        route outside 0 0 X.X.X.X (where X is the "inside" interface on the router)

        On Router:

        ip route 0.0.0.0 0.0.0.0 X.X.X.X (where X is your ISP next-hop device)
        ip route 192.168.0.0 255.255.0.0 X.X.X.X (where X is your ASA "outside" interface)
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
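A longest-prefix-match walk through the routing design in #4, added here as an example and not part of the thread (the Cisco config lines themselves are not runnable, so it is written in Python): it shows the ASA's default route handing outbound traffic to the router, why return traffic is lost unless the router has the specific route toward the ASA, and which upstream prefixes a 192.168.0.0/16 summary would swallow. All addresses and the 192.168.1.0/24 LAN are constructed values.

```python
import ipaddress

# Constructed addresses for the thread's topology (not from the post).
ISP_NEXT_HOP = "198.51.100.1"   # ISP device on the far side of the T1
ROUTER_INSIDE = "203.0.113.1"   # router FastEthernet0/0, shared subnet with the ASA
ASA_OUTSIDE = "203.0.113.2"     # ASA "outside" interface on that same subnet
LAN_SUMMARY = "192.168.0.0/16"  # summary covering the /24s behind the ASA

# Routing tables as {prefix: next hop}; lookups use longest-prefix match.
ASA_ROUTES = {
    "192.168.1.0/24": "connected-inside",   # LAN directly on the ASA inside
    "0.0.0.0/0": ROUTER_INSIDE,             # route outside 0 0 <router inside>
}
ROUTER_DEFAULT_ONLY = {"0.0.0.0/0": ISP_NEXT_HOP}
ROUTER_WITH_LAN_ROUTE = {"0.0.0.0/0": ISP_NEXT_HOP,
                         LAN_SUMMARY: ASA_OUTSIDE}   # ip route 192.168.0.0 255.255.0.0 <asa>


def next_hop(table, dst):
    """Longest-prefix match of dst against table; None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def trace_reply(router_table, lan_host):
    """Hops taken by a reply arriving at the router from the ISP, destined to lan_host.
    A reply the router sends back to the ISP (default route) never reaches the LAN."""
    hop = next_hop(router_table, lan_host)
    if hop == ASA_OUTSIDE:
        return ["router", "asa", next_hop(ASA_ROUTES, lan_host)]
    return ["router", hop]


def summary_conflicts(summary, upstream_prefixes):
    """Upstream prefixes the summary route would capture on the router (the caveat in #4)."""
    s = ipaddress.ip_network(summary)
    return [p for p in upstream_prefixes if ipaddress.ip_network(p).overlaps(s)]


if __name__ == "__main__":
    print(next_hop(ASA_ROUTES, "8.8.8.8"))                      # outbound: ASA -> router
    print(trace_reply(ROUTER_DEFAULT_ONLY, "192.168.1.10"))     # reply bounced to the ISP
    print(trace_reply(ROUTER_WITH_LAN_ROUTE, "192.168.1.10"))   # reply reaches the LAN
    print(summary_conflicts(LAN_SUMMARY, ["10.0.0.0/8", "192.168.50.0/24"]))
```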
