The SysAdmin Network

I'm about to upgrade from Sonicwall FW to the Cisco ASA... Can anyone shed some light on configuring it?

One segment to LAN.
One segment to DMZ.

DMZ should be able to access OWA (http/https), RDP, and SSL VPN in the LAN segment. I got it all configured in Sonicwall...

Thanks.

Tags: ASA, Cisco, Sonicwall, config, install

Replies to This Discussion

I'm getting ready to do something similar, although I'm coming from a Juniper, but I suspect the implementation is going to play nicely. Incidentally, which model are you going with? I've only got the budget for the 5505, but I'm picking up the 50 user license.

Anyway, here are some resources that I've found:

Cisco's guides to configuring the ASA:
http://www.cisco.com/en/US/products/ps6120/products_installation_an...

Cisco's "Getting Started" guide:
http://www.ciscosystems.org.ph/en/US/docs/security/asa/asa71/gettin...

Here's a non-Cisco beginner's guide to the ASA CLI:
http://www.dslreports.com/faq/15785

Because it's nice to know what's going on in the network, here's a guide to setting up netflow:
http://www.plixer.com/blog/netflow/netflow-security-event-logging-w...

Off-device logging is important (to me anyway), so here's setting up remote syslog for the ASA:
http://ubuntuforums.org/showthread.php?t=1220569

Since it sounds like you're going to be using your box as a VPN endpoint, here's setting up user authentication against RADIUS:
http://www.cisco.com/en/US/products/ps6120/products_configuration_e...

and LDAP, in case you use Active Directory and don't have a RADIUS server:
http://www.cisco.com/en/US/products/ps6120/products_configuration_e...

If you come across anything interesting or fun, I'm very much interested. Thanks!

--Matt

Matt,

Thought to share with you my ASA transition issue. See below and attached files.

I have a Cisco ASA which is configured with three interfaces: LAN (100), DMZ (50), and WAN (0). In my LAN, I have two servers which host OWA/HTTPS (192.168.254.25) and RDP (192.168.254.3). All LAN hosts are NATed to overload the WAN interface, the same as hosts in the DMZ. Neither DMZ hosts nor LAN hosts have access to one another.

OWA is statically mapped from the WAN address of x.x.x.2. RDP's statically mapped address is x.x.x.3 from outside. I have set up a small lab (see attached file) that allowed me to access OWA and RDP via their public URLs as well as public IP addresses. In addition, I have also been able to RDP from the DMZ using the public URL and IP, which is mapped/connected to my internal RDP server (192.168.254.3).

The problem I am experiencing now and trying to figure out is why I am unable to connect to my internal OWA/HTTPS from the DMZ via its public URL and IP address. Please see the attached ASA config and the topology.

Let me know if you have any insights on this situation.

Which edition have you purchased? You will need the Security Plus licence to achieve what you want, I believe.

You have 2 options: you can use the ASDM (GUI) or the command line to configure your ASA. I prefer the command line myself, but the ASDM does do a reasonable job and also has a setup wizard.

Have a look at this link, which has some good info on using the ASA with ASDM: http://www.ciscosecure.net/en/US/docs/security/asa/asa71/getting_st...

If you get stuck, give me a yell; happy to help you out.

Rob, the security license that you are referring to, is that the software license or the actual hardware that is equipped with the security module?

Unfortunately, I haven't rec'd the ASA yet as Cisco keeps pushing back their shipping date due to the shortage of inventories during the recession. I sure hope to get it sometime....

It's just a license key that enables the additional features. Cisco part# L-ASA5505-SEC-PL= is the license key you're looking for. Maybe you could still get the Security Plus bundle as your 5505 is still backordered?

© 2012   Created by Elizabeth Ayer and Michael Francis.