Firewall for traffic shaping and bandwidth

Hi all,
I want one basic firewall for my small office. I have 15 to 20 users in my office. Please suggest which firewall is suitable for me? Please help me. Thanks

Hi Sandeep,
I guess this is mainly for day-to-day general work activities like browsing etc. You can go with the ASA5505 with a 50-user license. In future, if the number of users grows, you can upgrade the license as well with no additional hardware costs.
hth,
MS

Similar Messages

  • Firewall for traffic shaping

    Hi all,
    I want one basic firewall which can manage traffic shaping. I am implementing it in my small office with around 15 to 20 users or more. Please suggest which firewall is suitable for my office? Thanks

    Hi Sandeep,
    The ASA5505 is a basic firewall which supports traffic shaping and it is suitable for that number of users. Here is more information about traffic shaping and QoS:
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html
    You can also compare the different models:
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~tab-a,
    Thanks,
    Itzcoatl

  • QoS Traffic shaping and peak shaping

    Hi,
    Could somebody tell me what is the difference between traffic shaping and peak shaping?
    Kind Regards.

    Standard traffic shaping (the shape average command) will keep the average rate of the traffic to the limit you specify, which should be the committed rate of your circuit.
    Peak shaping will also do traffic shaping (using queues, etc.), guaranteeing a minimum rate, but will allow traffic to burst above your configured (committed) rate.
    From the documentation:
    Traffic shaping limits the rate of transmission of data. In addition to using a specifically configured transmission rate, you can use Generic Traffic Shaping (GTS) to specify a derived transmission rate based on the level of congestion.
    You can specify two types of traffic shaping; average rate shaping and peak rate shaping. Average rate shaping limits the transmission rate to the CIR. Using the CIR ensures that the average amount of traffic being sent conforms to the rate expected by the network.
    Peak rate shaping configures the router to send more traffic than the CIR. To determine the peak rate, the router uses the following formula:
    peak rate = CIR × (1 + Be / Bc)
    where:
    • Be is the Excess Burst size.
    • Bc is the Committed Burst size.
    Peak rate shaping allows the router to burst higher than average rate shaping. However, using peak rate shaping, the traffic sent above the CIR (the delta) could be dropped if the network becomes congested.
    If your network has additional bandwidth available (over the provisioned CIR) and the application or class can tolerate occasional packet loss, that extra bandwidth can be exploited through the use of peak rate shaping. However, there may be occasional packet drops when network congestion occurs. If the traffic being sent to the network must strictly conform to the configured network provisioned CIR, then you should use average traffic shaping.
    Examples
    The following example uses average rate shaping to ensure a bandwidth of 256 kbps:
    shape average 256000
    The following example uses peak rate shaping to ensure a bandwidth of 300 kbps but allow throughput up to 512 kbps if enough bandwidth is available on the interface:
    bandwidth 300
    shape peak 512000
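    The peak-rate formula quoted above, carried through on constructed numbers, as an added example that is not code from the thread or from Cisco. The shaper is modelled (my assumption) as a token bucket refilled once per Tc: average shaping adds Bc tokens per Tc, peak shaping adds Bc + Be, and the bucket holds at most Bc + Be; CIR 256 kbps, Tc 25 ms, Be = Bc and an 800 kbps offered load are all constructed values.

```python
# Added worked example for the quoted peak-rate formula; not code from the
# thread or from Cisco.  Token-bucket model and all numbers are assumptions.
from typing import List, Optional, Tuple


def peak_rate(cir_bps: float, bc_bits: float, be_bits: float) -> float:
    """Peak rate as given in the quoted documentation: CIR * (1 + Be / Bc)."""
    if bc_bits <= 0:
        raise ValueError("Bc must be positive")
    return cir_bps * (1 + be_bits / bc_bits)


def simulate_shaper(mode: str, cir_bps: int, tc_ms: int, offered_bps: int,
                    intervals: int, be_bits: Optional[int] = None) -> Tuple[List[int], int]:
    """Run a token-bucket shaper over `intervals` periods of Tc milliseconds.

    Returns (bits transmitted per interval, bits still queued at the end).
    Traffic that exceeds the available tokens is buffered, not dropped,
    which is what distinguishes shaping from policing in the threads above.
    """
    if mode not in ("average", "peak"):
        raise ValueError("mode must be 'average' or 'peak'")
    bc = cir_bps * tc_ms // 1000              # committed burst: bits per Tc at CIR
    be = bc if be_bits is None else be_bits   # excess burst (assumed default Be = Bc)
    depth = bc + be                           # bucket never holds more than Bc + Be
    refill = bc if mode == "average" else bc + be   # peak shaping refills Bc + Be per Tc
    arrive = offered_bps * tc_ms // 1000      # bits offered in each Tc
    tokens, queue, sent = depth, 0, []
    for _ in range(intervals):
        tokens = min(tokens + refill, depth)
        queue += arrive
        tx = min(queue, tokens)               # send what the tokens allow
        tokens -= tx
        queue -= tx                           # the rest waits in the shaping queue
        sent.append(tx)
    return sent, queue


def sustained_rate(sent: List[int], tc_ms: int, skip: int = 10) -> float:
    """Steady-state transmit rate in bps, ignoring the first `skip` intervals
    so the initial full-bucket burst does not distort the figure."""
    steady = sent[skip:]
    return sum(steady) * 1000 / (len(steady) * tc_ms)


if __name__ == "__main__":
    cir, tc = 256_000, 25
    bc = cir * tc // 1000
    print(f"peak rate with Be = Bc: {peak_rate(cir, bc, bc):.0f} bps")
    for mode in ("average", "peak"):
        sent, backlog = simulate_shaper(mode, cir, tc, offered_bps=800_000, intervals=40)
        print(f"{mode:8s} steady-state {sustained_rate(sent, tc):.0f} bps, "
              f"{backlog} bits still queued after 1 s")
```

With Be = Bc the peak rate is exactly twice the CIR, and the queue backlog shows why the thread warns that shaping (unlike policing) adds delay for latency-sensitive traffic.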

  • Traffic Shaping and Prioritization in ASA

    Hi Everyone,
    I read that traffic prioritization is always applied in the outbound direction when traffic is trying to leave the ASA.
    Also I read that traffic shaping can be applied to all outgoing traffic on an interface.
    I need to know if traffic shaping and prioritization mean the same thing in ASA?
    Is their direction always outbound?
    Regards
    Mahesh

    Hello Mahesh,
    Not sure I get it but let me see if I can help,
    Priority traffic: Basically allows you to split the interface into 2 different queues, one for low latency traffic and the other for best effort traffic. The one being on the Priority queue will always get served first.
    Traffic Shaping: It's the buffering QoS technique that allows you to configure a limit of bandwidth that you will provide to a certain traffic class; when you reach that limit the traffic that goes over the limit will be placed into a software queue, where it will be "held". That's the difference between traffic shaping and policing, as with traffic policing you will drop the offending traffic, with shaping you will hold it (so this is not good for low latency traffic).
    Now regarding the direction, traffic shaping can only be done on the outbound direction as queuing is an outbound process.
    For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
    Cheers,
    Julio Carvajal Segura

  • Which TCP/UDP ports need to be opened on a firewall for Adobe Reader and Flash Player?

    Which TCP/UDP ports need to be opened on a firewall for Adobe Reader and Flash Player to operate properly? This would include updating, linking, and any subset of features.

    The Acrobat Family uses TCP HTTP/HTTPS for all traffic. The following processes and ports may be active on a Windows client machine:
    AdobeARM.exe - automatic updates - port 443
    AcroRd32.exe - brand messages - port 443
    AcroRd32.exe - links in documents - anything specified in the URL
    Acrobat.exe - brand messages - port 443
    Acrobat.exe - links in documents - anything specified in the URL
    AdobeCollabSync.exe - Tracker review data - port 443
    The same ports are used by the program components on OS X.
    There are no inbound listening ports for any elements of the Acrobat Family. Automatic updates are not pushed and there are no server processes within the software.

  • Traffic shaping and BW reservation/prioritization - L2 header included?

    Hi,
    This question might seem to be dumb but I will still ask.
    On the ISR platform, does it take the L2 header size into consideration when specifying the bandwidth? Please see below for the configuration. My question is about the rates configured in "shape", "priority" and "bandwidth".
    policy-map TEST
     class class-default
      shape average 512000
      service-policy TEST-nested
    policy-map TEST-nested
     class Voice
      priority 60
     <... some other classes>
     class class-default
      bandwidth 100
    I am asking because in the "show policy-map interface xxx" output, I see that number of bytes matched in each class does include the L2 header size.
    Thanks!

    "So is "priority" same as the "bandwidth" which only assigns the dequeuing weights?"
    No, priority is the keyword for LLQ. Traffic in the LLQ always has absolute priority over all other traffic. Although there's only one LLQ, each LLQ class also has its own implicit policer.
    "Traffic exceeding the "priority" or "bandwidth" configured will fall in the "class-default" and will be handled equally with the traffic in that class, correct?"
    No. Traffic always stays in the matched class. The class-default class is the class that matches "none-of-the-above". You always have a class-default. (I.e. it doesn't have to be explicitly defined, but when explicitly defined, you can set different options.)
    "Another question which is irrelevant, is that what queuing does class-default use?"
    By default, FIFO.
    "Should I use "fair-queue"?"
    I personally like FQ in all classes that support it, but there is insufficient information to say whether you should use it.
    "I know that "fair-queue" cares for the DSCP dynamically."
    Not post HQF.  (Which should be the case on a 39xx router.)
    "Does it also care about packet size or smaller packets get better treatment than big TCP file transfer packet?"
    Yes and no.  FQ monitors bandwidth usage.  In theory, a single small packet gets "better" treatment vs. a single large packet because the former consumes less bandwidth.  However, if the sum consumption of a sequence of small packets equals the single large packet, the transmission rate from two queues should be about equal (I'm also assuming the two flows are prioritized the same).

  • CRS traffic shaping and policing

    Hello,
    I just moved services from GSR 12404 to CRS1/8 and there is no possibility to add a service-policy to an L3 subinterface.
    RP/0/RP0/CPU0:XXX#conf t
    Fri Dec  9 09:25:55.690 CET
    RP/0/RP0/CPU0:XXX(config)#interface tenGigE 0/0/0/0.900
    RP/0/RP0/CPU0:XXX(config-subif)#service-policy input 300mbps
    RP/0/RP0/CPU0:XXX(config-subif)#commit
    Fri Dec  9 09:26:06.587 CET
    % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
    RP/0/RP0/CPU0:XXX(config-subif)#show configuration failed
    Fri Dec  9 09:26:11.842 CET
    !! SEMANTIC ERRORS: This configuration was rejected by
    !! the system due to semantic errors. The individual
    !! errors with each failed configuration command can be
    !! found below.
    interface TenGigE0/0/0/0.900
    service-policy input 300mbps
    !!% 'qos_ea' detected the 'fatal' condition 'QoS is not supported on sub-interfaces'
    end
    Any help ?

    Actually it is possible to match VLAN on the physical interface and make something like this.
    interface TenGigE0/0/0/0
    service-policy input customers-qos
    service-policy output customers-qos
    interface TenGigE0/0/0/0.100
    desc customerA
    interface TenGigE0/0/0/0.101
    desc customerB
    class-map match-any vlan100
    match vlan 100
    end-class-map
    class-map match-any vlan101
    match vlan 101
    end-class-map
    policy-map customers-qos
    class vlan100
      police rate XXX mbps
       conform-action transmit
       exceed-action drop
    class vlan101
      police rate XXX mbps
       conform-action transmit
       exceed-action drop
    This works perfectly.

  • Configuring QoS for FIOS Router MI-424WR: Traffic Priority and Shaping

    Please only read on if you are an experienced internet user familiar with setting the advanced QoS and Firewall settings for the MI-424WR and make use of wireless adaptors from a PC to provide connectivity.
    This is my first post and my first week since I moved from Time Warner Cable over to FIOS for iNet (plus HDTV and phone). While all my services work, the router as delivered and set up is not optimum for internet quality of service. Instead it was probably out of the box optimized for HDTV and telephone to satisfy most customers and reduce support overhead. The average FIOS consumer is multimedia sensitive, but that is not so in my genre of internet consumer. Herein lies the core of my reason for seeking help from like-minded and experienced users in this community.
    One of the main driving forces in my switching to FIOS was to improve my multiplayer gaming experience where ultra low ping latency and high upload data rates dramatically affect the quality of connection and thus gameplay. The cable internet service from TimeWarner was providing solid 2MB/1MB down/up data rates with no issues like what I'm having now with FIOS. Again the reason for the switch was both financial and in hope of gaining better data rates and quality of service. Now with FIOS I'm getting about 24/15 down/up data rate on the Extreme FIOS 25/25 plan when measured from my house to a Los Angeles server (50 miles away) via Speedtest.net or DslReports.com/tests. Latency wise, the ping has gone down from 150 to 50ms when measured to my friends who I connect to online that are on the East coast. The data rate and latency have greatly improved in going from Cable to FIOS. So far, so good.
    Where the problem shows up now is that I get an internet "hiccup" every 5-10 minutes that lasts about 1/2 to 2 seconds. For the average internet user that just streams multimedia or cruises on the net, this is probably undetectable or unnoticed. I never had this problem over the same PCs connected wirelessly to my DLINK DGL-4500 Gaming Router when my ISP was TimeWarner's cable service. Now, using the FIOS and MI-424WR router with everything else being the same, I'm experiencing this degradation in quality of service. Even putting the PC's IP into the DMZ doesn't make any difference, so it is not related to port forwarding. The issue is squarely in the lap of FIOS and this router as delivered and configured. This is where the "game" is afoot, and where I need expertise in an area I'm new to.
    I am not new to being hands on with inet troubleshooting as I have been setting up my own home network (I work from home over VPN to work) for decades; I would like to leverage the skills of those who are experts in the area that I think can address this issue, that being QoS and the other device class mechanisms of this router. It's my guess that this periodic hiccup can be minimized and even eliminated using these advanced features of this all-in-one TV/iNet/Tele router.
    With that context being laid down, this hiccup doesn't show up if:
    a.  I connect two PCs connected to the same ethernet hub of the MI-424WR (traffic just over the LAN and not WAN)
    b.  When I was on Cable with my own gaming router wirelessly DHCP connected to my PC and using port forwarding or using the DMZ.  
    The hiccup does exist when:
    a.  Going from internet through the MI-424WR to the wireless DHCP connected PC with port forwarding
    b.  Even putting the wireless DHCP connected PC into the MI-424WR's DMZ has no effect
    I did read the manual and tried some QoS priority and shaping and managed to reduce how often the hiccup occurred, but I was just making guesses at the settings. I put the IP for the PCs I use for my gaming applications (which are very ping and jitter sensitive) into the QoS priority (value 7) and shaping GUI. I'm hoping someone with experience can tell me exactly how to use it and what settings to input. I'm not clear on the device and connection types offered in the QoS menus.
    Another thing is I couldn't find settings for turning on/off the ICMP echo. But I assume this is on because my WAN IP can be pinged by folks on the net.
    Here is the manual for the Verizon provided MI-424WR router (Current Version of firmware: 20.10.7).
    Here are the QoS traffic priority and shaping values I've been experimenting with (screenshots of QoS Traffic Priority and QoS Traffic Shaping).
    And why does it matter to have a solid and stable inet connection for internet gaming? The hiccup causes slewing or jitter which equates to positional errors in the 3D world that ruins the smooth gameplay that is needed for high end gaming.
    Here's a snapshot of me flying the wing of another flight simmer who is on the East coast while I am on the West coast.
    Thank you in advance.
    Thomas "AV8R"
    MSEE

    TMAS wrote:
    the router as delivered and setup is not optimum for internet quality of service. Instead it was probably out of the box optimized for HDTV and telephone to satisfy most customers and reduce support overhead.
    That's not accurate. VZ telephone service does not go through the Actiontec. Also, there are no default settings for QOS in the Actiontec since QOS is rarely needed with FIOS upload speeds.
    TMAS wrote:
    I get an internet "hiccup" every 5-10 minutes that lasts about 1/2 to 2 seconds.
    You should not be experiencing periodic "hiccups". Something is clearly amiss.
    TMAS wrote:
    With that context being laid down, this hiccup doesn't show up if:
    a. I connect two PCs connected to the same ethernet hub of the MI-424WR (traffic just over the LAN and not WAN)
    The hiccup does exist when:
    a. Going from internet through the MI-424WR to the wireless DHCP connected PC with port forwarding
    b. Even putting the wireless DHCP connected PC into the MI-424WR's DMZ has no effect
    Let's see. The issue shows up on a wireless connection, but not a wired connection. You think this is a QOS issue and not a wireless issue why? Have you tried changing the wireless channel? It's very possible you have neighbors on the same channel. Is the DGL-4500 wireless still on? Could that be interfering?
    TMAS wrote:
    Another thing is I couldn't find settings for turning on/off the ICMP echo.
    The setting to enable/disable ICMP echo is on the Firewall/Remote Administration page.
    TMAS wrote:
    Here are the QoS traffic priority and shaping values I've been experimenting with:
    The traffic priority settings you linked are applied only to your wireless connections. QOS between the router and your wireless PC will only serve to prioritize traffic between the router and that PC and have no effect on your internet traffic. Assuming you are not running browsers, VOIP and other traffic from that PC while you're gaming, then that will not accomplish anything. I.e. you're giving your only traffic highest priority, but that traffic is not competing with anything (except other nearby wireless connections on the same channel).
    On the traffic shaping screenshot, you have Broadband Ethernet checked, but according to your other thread, your WAN connection is Broadband Coax, not Broadband Ethernet.

  • Bandwidth Shaping for limiting Video and Audio Streaming

    Hi,
    How do I set this up on the SRP527W?
    I already block most of the video stuff on the internet.
    But I want to make this one more step.
    Thanks   
    Best Regards,
    Mr. Simon Yee

    Hello Mr Yee,
    I found a link on the Cisco site where you can find the configuration steps for Traffic Shaping.
    http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcgts.html
    I hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.
    Thank you

  • Gigabit EtherSwitch 10/100/1000BASE-TX autosensing EHWIC Traffic Marking and Shaping

    Hi all,
    I need some information about this module:
    Gigabit EtherSwitch 10/100/1000BASE-TX autosensing EHWIC
    I found in the docs that it supports the SWDRR mechanism for queueing, but does it also support
    traffic shaping and marking?
    I cannot find this info and I'd be thankful if someone knows it or can point me to where this info is.
    Thanks a lot
    smaikol

    OK, at least Jack is doing better now. Don't know why; I just played around with limits.conf, /etc/pam.d/su and deleted the content of the /dev/shm directory.
    Now the settings are the same as before, but I'm getting far fewer xruns and luckily without these disturbing plopps.
    Last edited by redbit (2009-01-07 15:52:36)

  • Traffic-shaping for delay sensitive traffic

    Hello, I would like to verify the use of a traffic-shaping policy within an MQC. I was told that you need to apply a shaping policy in order for QoS to always be engaged and not simply during times of congestion. This apparently is critical when you have apps like VoIP.
    On a similar note, I remember reading on Ciscopress that you might NOT want to subject VoIP to any form of shaping as this introduces delay and can cause jitter.
    Below is a sample config. If you can post an authoritative source on CCO that explains this I would greatly appreciate it.
    Regards,
    -Mike
    policy-map QoS-Policy
     class realtime
      priority 512
        police 512000 conform-action transmit  exceed-action drop
     class preferred
      bandwidth remaining percent 40
      random-detect dscp-based
     class missioncritical
      bandwidth remaining percent 39
      random-detect dscp-based
     class trans-apps
      bandwidth remaining percent 16
      random-detect dscp-based
     class general
      bandwidth remaining percent 1
      random-detect dscp-based
     class class-default
      bandwidth remaining percent 4
      random-detect dscp-based
    policy-map shape-20MB
     class class-default
      shape average 2000000
      service-policy QoS-Policy
    interface Serial0/0/0
     service-policy output shape-20MB

    I was told that you need to apply a shaping policy in order for QoS to always be engaged and not simply during times of congestion.
    Nope.
    You only need to shape when you're dealing with a path where you know the end-to-end bandwidth is less than the egress interface's physical bandwidth and where you cannot manage congestion further downstream along the end-to-end path.
    On a similar note, i remember reading up on Ciscopress that you might NOT want to subject VoIP to any form of Shaping as this introdues delay and can cause Jitter.
    Semi-true.
    The problem can be mitigated by decreasing the shaper's Tc. Also, if the shaper doesn't account for L2 overhead (and I believe many do not), you'll need to shape "slower" than the nominal bandwidth. The major problem with the latter is that L2 overhead varies, as a percentage, based on packet size. So, you can either allow for the worst case, which will best guarantee VoIP service but tends to give up much of the available bandwidth, or you can shape for the average case, which will make VoIP latency and jitter more variable but usually not so much as to exceed its service requirements.
    You can also bypass shaping for some traffic, but then you need to shape all your other traffic even slower to guarantee the non-shaped traffic bandwidth is always available.  As you're effectively reserving this bandwidth, it then becomes unavailable for your other traffic even when unused.
    An example of the latter:
    policy-map QoS-Policy
     class preferred
      bandwidth remaining percent 40
      random-detect dscp-based
     class missioncritical
      bandwidth remaining percent 39
      random-detect dscp-based
     class trans-apps
      bandwidth remaining percent 16
      random-detect dscp-based
     class general
      bandwidth remaining percent 1
      random-detect dscp-based
     class class-default
      bandwidth remaining percent 4
      random-detect dscp-based
    policy-map shape-20MB
     class realtime
      priority 512
        police 512000 conform-action transmit  exceed-action drop
     class class-default
      shape average 1950000
      service-policy QoS-Policy
    interface Serial0/0/0
     service-policy output shape-20MB
    NB: BTW, the above doesn't account for L2 overhead, and I wouldn't recommend it for other reasons, but it should show how you can bypass the shaper.
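    The L2-overhead argument made in the reply above (and asked about in the ISR "L2 header included?" thread earlier on this page), worked through on constructed numbers as an added example that is not code from either thread or from Cisco. The 18-byte per-frame overhead (an Ethernet header plus FCS), the 2 Mbps bottleneck and the packet-size mixes are my assumptions; the threads do not say which overhead a given platform counts, so the overhead is a parameter.

```python
# Added worked example: how much of an L3-only shaped rate Layer 2 framing
# consumes at different packet sizes, and the shape rate that keeps the wire
# rate under a known bottleneck for the worst case versus an average mix.
# Not code from the thread; overhead bytes, link rate and mixes are assumed.
from typing import Sequence, Tuple


def wire_rate(l3_shape_bps: float, l3_bytes: int, l2_overhead_bytes: int) -> float:
    """On-wire bps when a shaper that counts only L3 bytes emits l3_shape_bps
    of packets that are all l3_bytes long."""
    if l3_bytes <= 0:
        raise ValueError("packet size must be positive")
    return l3_shape_bps * (l3_bytes + l2_overhead_bytes) / l3_bytes


def overhead_percent(l3_bytes: int, l2_overhead_bytes: int) -> float:
    """Share of the wire occupied by L2 framing for one packet size; this is
    why small packets (VoIP) make the overhead percentage worse."""
    return 100.0 * l2_overhead_bytes / (l3_bytes + l2_overhead_bytes)


def shape_rate_for_mix(link_bps: float, mix: Sequence[Tuple[int, float]],
                       l2_overhead_bytes: int) -> float:
    """Largest L3 shape rate whose wire rate stays at link_bps for a packet mix.

    mix is (l3_packet_bytes, share_of_packets) pairs; shares need not sum to 1.
    """
    l3 = sum(size * share for size, share in mix)
    wire = sum((size + l2_overhead_bytes) * share for size, share in mix)
    if wire <= 0:
        raise ValueError("mix must contain at least one packet")
    return link_bps * l3 / wire


def worst_case_shape_rate(link_bps: float, min_l3_bytes: int,
                          l2_overhead_bytes: int) -> float:
    """Shape rate that never overruns the link even if every packet is minimum
    size: the 'allow for worst case' option in the reply above."""
    return shape_rate_for_mix(link_bps, [(min_l3_bytes, 1.0)], l2_overhead_bytes)


def shaper_overruns_link(l3_shape_bps: float, link_bps: float,
                         mix: Sequence[Tuple[int, float]], l2_overhead_bytes: int) -> bool:
    """True when a configured L3 shape rate would exceed link_bps on the wire
    for the given packet mix (the shaper would then not protect downstream)."""
    return l3_shape_bps > shape_rate_for_mix(link_bps, mix, l2_overhead_bytes)


if __name__ == "__main__":
    link, oh = 2_000_000, 18                     # constructed: 2 Mbps path, Ethernet framing
    for size in (46, 200, 1500):
        print(f"{size:5d}-byte L3 packets: overhead {overhead_percent(size, oh):5.1f}%, "
              f"2 Mbps L3 shape -> {wire_rate(link, size, oh):,.0f} bps on the wire")
    mix = [(1500, 0.5), (64, 0.5)]               # constructed: half full-size, half small
    print(f"worst case shape rate:   {worst_case_shape_rate(link, 46, oh):,.0f} bps")
    print(f"average case shape rate: {shape_rate_for_mix(link, mix, oh):,.0f} bps")
    print("shape average 1950000 overruns this link for the mix:",
          shaper_overruns_link(1_950_000, link, mix, oh))
```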

  • DNS for internal network and Firewall ports?

    Hello,
    I don't know where to begin, so I guess I'll start with my setup.
    I have Mac OS X server 10.5.7 running DNS, Firewall, Mail, iChat, RADIUS, VPN, SMB. Behind an Airport Base Station in DMZ.
    My DNS setup is just for the server and local clients. I'm also set up to forward to my ISP DNS.
    My question is do I need to open any ports in the firewall. I currently have my local subnet 172.16.4.x to allow all. The "Any" subnet to allow DNS outbound. Is this correct or am I creating a security risk?
    I don't want the public to be able to use my DNS server. (I would like to ONLY allow my local network and VPN users.)
    Thanks!

    I always recommend going with a hardware device (including the base station) over IPFW when running a server.
    The main reason is that when you're running behind a NAT device (such as the AirPort Base Station), ALL incoming traffic is blocked unless you specifically enable it via port forwarding. A positive security model.
    In contrast, Mac OS X Server will open firewall ports based on the services you're running, without regard to whether that service should be publicly accessible or not.
    You then have to go through the motions of securing each service to either block external traffic at the service level (e.g. by telling the application what addresses it can listen to), or at the network level (by configuring the firewall to block external access). This is a bad security model since each service is public by default and you have to go out of your way to secure it.
    Also bear in mind that you might not think this is a problem today since you can just configure IPFW and be done, but what about next week? or next month? or next year when you add another service. Will you remember to reconfigure the firewall to secure it then?

  • Traffic Shaping for particular traffic

    class-map match-any SYSLOG-CMAP
    match access-group name SYSLOG-ACL
    policy-map SYSLOG-PMAP
    class SYSLOG-CMAP
      shape average 250000
    interface GigabitEthernet0/1
    ip address 1.1.1.1 255.255.255.252
    ip flow ingress
    load-interval 30
    duplex full
    speed 100
    service-policy output SYSLOG-PMAP
    Router1#show policy-map int GigabitEthernet0/1
    GigabitEthernet0/1
      Service-policy output: SYSLOG-PMAP
        Class-map: SYSLOG-CMAP (match-any)
          712495474 packets, 394564809213 bytes
          30 second offered rate 41000 bps, drop rate 23000 bps
          Match: access-group name SYS-LOG-ACL
            712495474 packets, 394564809696 bytes
            30 second rate 41000 bps
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/152567902/0
          (pkts output/bytes output) 559927554/295263742429
          shape (average) cir 250000, bc 1000, be 1000
          target shape rate 250000
        Class-map: class-default (match-any)
          3774914087 packets, 1413482437872 bytes
          30 second offered rate 2796000 bps, drop rate 0 bps
          Match: any
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/19837/0
          (pkts output/bytes output) 3817743535/1477901813111
    =====================================================
    Hi everyone,
    In the above configuration, I configured traffic shaping to shape the syslog traffic to a certain limit. My question is, can I apply traffic shaping to particular traffic? What will happen to the remaining traffic? We have an ethernet hand-off to the provider but the total bandwidth we can use is 8M, which is controlled by the ISP. We just send all the traffic without any shaping.
    Thanks

    Traffic shaping only works from the source. there is no way (other than policing - i.e., discard) to shape through the cloud.
    If you tried to pace the traffic through the cloud, it's got to be buffered somewhere, causing latency, and ultimately discarded frames after the buffers fill.
    Policing allows the traffic through until some threshold occurs (traditional frame = DE set at Bc, discard at Be), then the traffic is dropped.
    FWIW
    Scott

  • Understanding 5505 firewall-site to site and internet traffic

    Hi,
    My question is multi-faceted. I apologize for the lengthy intro here but I think the info is necessary to understand where I am headed in this.
    I am new to the Cisco 5505. I have had very limited exposure to a 5510 that was preset. I have managed to make modifications to it here and there, but don't completely understand how it was put together. I learn by watching, listening, and gleaning what I can from others. I have had no formal training in CLI, but I have learned some of the commands. I know enough to be dangerous, but I respect my limitations.
    That being said, I have been charged with setting up a 5505 at a remote site. I need to accomplish several things.  Our ultimate goal is to use this device as a site to site with the 5510 at the corporate office. However, I need to accomplish this in baby steps, test, test real users and then maybe convert in full. Where I could outsource this in its entirety, that would preclude me from learning so I can address this in the future on my own.
    We need to have this in place by the end of February 2013.
    Currently the remote site is connected via a very slow (by today's standards) T1 line on an MPLS. Stable. Works, but slow. All internet traffic as well as work traffic is routed through that connection. We have added a 50mb cable connection (with static IPs) to the office. First we want to set up the 5505 so that it can be used as follows:
    1. Internet traffic can be routed out through this device and all other "work" traffic routed through the MPLS.
    2. Test using this connection as a route out to the internet AND use it as a site to site VPN connection to the home office (or AnyConnect VPN).
       I need to be able to have users in both environments. I.e., some still using step 1 and some starting to use and test step 2.
    3. Long term, use this as the main connection per number 2, but add the IP address so that if the cable connection drops, the office can access the internet via the VoIP T1 line as a lifeline.
    In all cases, I don't want internet going through the home office as it currently is traveling.
    I have done a lot of searching but so far have come up empty with answers.
    Question 1: (This one probably shows my ignorance the worst) - in using the 5505 firewall, will it segregate normal internet traffic from the VPN traffic when used by the workstation? Using the GUI, I didn't see where this was necessarily happening. Do I need to use CLI language (and what) to make this happen? Or is that a basic function that happens during the setup of the firewall using the GUI? Do I need to do some sort of "split tunneling"?
    Question 2: Do I use this device as the default gateway for both step 1 and 2/3 for normal use and then change the gateway on the PCs to the VoIP network during emergency use? (That would bypass the firewall though, or is there a way to have it route to that router if there is no connection through the Outside port? Or as long as I have some access to the device, can I make a change remotely to help accomplish this failsafe?)
    Question 3: We have 25 AnyConnect VPN licenses. Should we use these and not the static site to site, and if so, why or why not? They don't need to be used at all.
    Question 4: In setting up the VoIP line for backup, would using that on the "DMZ" connection help in making this viable so that the device could still ultimately control the internet traffic?
    Question 5: In setting up the VPN connections, unless I am getting the two methods confused, I will need the 5505 to hand out IP addresses for the VPN connection. I see in using a class C schema that I can use 92.168.0.0 to 192.168.255.0. So for instance, I could use 101.1.20.0 for the inside network VPN addresses?? I need to stay away from 192.168.0.0 networks as we use that in our normal structure.
    Reasons for setting this up:
    Slow speeds over the T1.
    Increasing demand for Skype, video conferencing, etc. that the T1 pipe couldn't adequately handle.
    Lack of backup pathways for downed connections (i.e., a backhoe chopping through wire at a construction site).
    I read through the Getting Started guides on both the 5510 and the 5505 and feel I can likely get the site-to-site set up (I have a list of all the IP addresses I need for inside networks and outside networks etc.).
    additional notes:
    I have to email ATT anytime I want a change made on the MPLS router, so doing as little to that as possible would be good.
    I will be onsite for testing at the end of February and will have direct access to the home office via other methods to work on the ASA 5510 if any additional work needs to be done on it once I am onsite.
    Thanks for taking the time to read through all of this. Please forgive my lack of knowledge...
    Dave

    Thanks for getting back to me and so quickly!
    1) I am not sure if I understand the “ACL” portion of your question, but this is how I want to access info via the VPN tunnel:
    192.168.D.0 inside (NJ) to outside 5505 - 12.175.X.X to outside 5510 - 12.200.X.X to inside network (HQ) 192.168.X.0. Routes are needed to find subnets 192.168.A.0, 192.168.B.0 and 192.168.C.0. The default gateway to those subnets right now is 192.168.X.XX4 inside of HQ. This would be so that the NJ office could find resources of the other offices if needed. This will change as we wean off the MPLS. Inside the ASA 5505, the IP addresses are 192.168.D.0 for data and 10.X.X.0 for the phone system. All other traffic would be sent out through the internet. The phone system uses the XOcomm connection to route phone traffic.
    2) I did some reading on SLA. Thanks for pointing that out. For purposes of learning here, I am showing this as 12.175.XXX.XXX for Comcast and 12.200.XXX.XXX for XO comm.
    4) I guess I would use an Outside 2 as that makes sense, in description, I would label them “ComCast” for outside 1 and “XOcomm” for outside 2.
    5) I am still not sure I understand this part. Are additional IP addresses needed for the Site to site VPN to talk to the local hosts, or will it use the IP addresses assigned by the local server?
    Next Steps
    1-         Configure the ASA5510 for the 5505 connection
    2-         Configure the ASA5505 for the 5510 connection
    3-         Configure SLA for Comcast and XOcomm outside connections
    4-         For this I need help... I think this is from step 1, but I need help to configure the internet to be segregated via my question from #1. Have I given enough information to do so? Please advise on ACL entries and route statements needed so that NJ can talk to all the offices when using this connection, not just the Headquarters.
    Thanks
    Dave
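    Added example, not from any post in this thread: the dual-ISP failover that "Next Steps" item 3 refers to (an SLA probe tracking the primary cable default route, with the XO link as a floating backup route), in pre-8.3 ASA CLI. All addresses are placeholders, and a license that permits a second routed outside interface on the 5505 is assumed.

```text
! Added example (placeholder addresses). Two outside VLAN interfaces,
! labelled as Dave proposed: "ComCast" primary, "XOcomm" backup.
interface Vlan2
 nameif outside
 description ComCast
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Vlan3
 nameif backup
 description XOcomm
 security-level 0
 ip address 198.51.100.10 255.255.255.248
!
! ICMP probe out the primary link every 10 s. Probe a host beyond the
! ISP gateway (placeholder 203.0.113.254) so a dead upstream, not just a
! dead first hop, triggers failover.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.254 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Tracked object that follows the probe's reachability state
track 1 rtr 10 reachability
!
! Primary default route stays installed only while track 1 is up;
! the floating route (metric 254) takes over while it is down.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Inside hosts need a PAT rule on BOTH outside interfaces, or traffic
! that fails over to "backup" is dropped for lack of a translation.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (backup) 1 interface
```

    Verify with `show track 1` and `show sla monitor operational-state 10`, then `show route` while the primary link is unplugged to confirm the backup route is installed.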

  • Question on best practice for NAT/PAT and client access to firewall IP

    Imagine that I have this scenario:
    Client(IP=192.168.1.1/24)--[CiscoL2 switch]--Router--CiscoL2Switch----F5 Firewall IP=10.10.10.1/24 (only one NIC, there is not outbound and inbound NIC configuration on this F5 firewall)
    One of my users is complaining about the following:
    When clients receive traffic from the F5 firewall (apparently the firewall is doing PAT, not NAT), the client sees IP address 10.10.10.1.
    Do you see this as a problem? Should I make another IP address range available and do NAT properly so that clients will not see the firewall IP address? I don't see this situation as a problem, but please let me know if I am wrong.

    Hi,
    Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
    This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
    For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that use the same global IP address but different ports.
    And for PAT, you cannot use the same pair of local and global addresses in multiple static statements between the same two interfaces.
    Regards
    Bjornarsb
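    Added example, not part of Bjornarsb's reply: the FTP/HTTP/SMTP static PAT case described above in pre-8.3 ASA CLI, next to a plain static NAT for contrast. Addresses are placeholders; the interface ACL is included because a static alone does not admit inbound connections.

```text
! Added example (placeholder addresses). Static PAT: one global address
! (203.0.113.5) fronts three internal servers, told apart by TCP port.
! Syntax: static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port
!                real_ip real_port netmask mask
static (inside,outside) tcp 203.0.113.5 21 192.168.1.21 21 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.5 80 192.168.1.80 80 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.5 25 192.168.1.25 25 netmask 255.255.255.255
!
! Static NAT, by contrast, maps the whole host one-to-one. A second
! static for a different real host using 203.0.113.6 would be rejected,
! because a global address can belong to only one static NAT statement.
static (inside,outside) 203.0.113.6 192.168.1.6 netmask 255.255.255.255
!
! Reusing the same local/global pair between the same two interfaces is
! not allowed either, e.g. a second "tcp 203.0.113.5 80 192.168.1.80 80".
!
! Translations do not permit traffic by themselves: on pre-8.3 code the
! inbound ACL names the mapped (global) address and only the PAT'd ports.
access-list outside_in extended permit tcp any host 203.0.113.5 eq ftp
access-list outside_in extended permit tcp any host 203.0.113.5 eq www
access-list outside_in extended permit tcp any host 203.0.113.5 eq smtp
access-group outside_in in interface outside
```

    `show xlate` lists the three port-level translations sharing 203.0.113.5, which is the quickest way to confirm PAT rather than NAT is in effect.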
