Understanding 5505 firewall: site-to-site and internet traffic

Hi,
My question is multi-faceted. I apologize for the lengthy intro here, but I think the info is necessary to understand where I am headed with this.
I am new to the Cisco 5505. I have had very limited exposure to a 5510 that was preset. I have managed to make modifications to it here and there, but don't completely understand how it was put together. I learn by watching, listening, and gleaning what I can from others. I have had no formal training in CLI, but I have learned some of the commands. I know enough to be dangerous, but I respect my limitations.
That being said, I have been charged with setting up a 5505 at a remote site. I need to accomplish several things. Our ultimate goal is to use this device as a site-to-site with the 5510 at the corporate office. However, I need to accomplish this in baby steps: test, test with real users, and then maybe convert in full. While I could outsource this in its entirety, that would preclude me from learning so I can address this in the future on my own.
We need to have this in place by the end of February 2013.
Currently the remote site is connected via a very slow (by today's standards) T1 line on an MPLS. Stable. Works, but slow. All internet traffic as well as work traffic is routed through that connection. We have added a 50 Mb cable connection (with static IPs) to the office. First we want to set up the 5505 so that it can be used as follows:
1. Internet traffic can be routed out through this device and all other "work" traffic routed through the MPLS.
2. Test using this connection as a route out to the internet AND use it as a site-to-site VPN connection to the home office (or AnyConnect VPN).
   I need to be able to have users in both environments, i.e., some still using step 1 and some starting to use and test step 2.
3. Long term, use this as the main connection per number 2, but add the IP address so that if the cable connection drops, the office can access the internet via the VoIP T1 line as a lifeline.
In all cases, I don't want internet going through the home office as it currently is traveling.
I have done a lot of searching but so far have come up empty with answers.
Question 1: (This one probably shows my ignorance the worst.) In using the 5505 firewall, will it segregate normal internet traffic from the VPN traffic when used by the workstation? Using the GUI, I didn't see where this was necessarily happening. Do I need to use CLI language (and what) to make this happen? Or is that a basic function that happens during the setup of the firewall using the GUI? Do I need to do some sort of "split tunneling"?
Question 2: Do I use this device as the default gateway (for both step 1 and steps 2/3) for normal use and then change the gateway on the PCs to the VoIP network during emergency use? That would bypass the firewall, though. Or is there a way to have it route to that router if there is no connection through the outside port? Or, as long as I have some access to the device, can I make a change remotely to help accomplish this failsafe?
Question 3: We have 25 AnyConnect VPN licenses. Should we use these and not the static site-to-site? If so, why or why not? They don't need to be used at all.
Question 4: In setting up the VoIP line for backup, would using that on the "DMZ" connection help in making this viable so that the device could still ultimately control the internet traffic?
Question 5: In setting up the VPN connections, unless I am getting the two methods confused, I will need the 5505 to hand out IP addresses for the VPN connection. I see that using a class C schema I can use 192.168.0.0 to 192.168.255.0. So, for instance, could I use 101.1.20.0 for the inside network VPN addresses? I need to stay away from 192.168.0.0 networks as we use those in our normal structure.
Reasons for setting this up:
Slow speeds over the T1.
Increasing demand for Skype, video conferencing, etc. that the T1 pipe couldn't adequately handle.
Lack of backup pathways for downed connections (i.e., a backhoe chopping through wire at a construction site).
I read through the Getting Started guides on both the 5510 and the 5505 and feel I can likely get the site-to-site set up (I have a list of all the IP addresses I need for inside networks and outside networks, etc.).
additional notes:
I have to email AT&T any time I want a change made on the MPLS router, so doing as little to that as possible would be good.
I will be onsite for testing at the end of February and will have direct access to the home office via other methods to work on the ASA 5510 if any additional work needs to be done on it once I am onsite.
Thanks for taking the time to read through all of this. Please forgive my lack of knowledge...
Dave

Thanks for getting back to me, and so quickly!
1) I am not sure if I understand the "ACL" portion of your question, but this is how I want to access info via the VPN tunnel:
192.168.D.0 inside (NJ) to outside 5505 - 12.175.X.X to outside 5510 - 12.200.X.X to inside network (HQ) 192.168.X.0. Routes are needed to find subnets 192.168.A.0, 192.168.B.0 and 192.168.C.0. The default gateway to those subnets right now is 192.168.X.XX4 inside of HQ. This would be so that the NJ office could find resources of the other offices if needed. This will change as we wean off the MPLS. Inside the ASA 5505, the IP addresses are 192.168.D.0 for data and 10.X.X.0 for the phone system. All other traffic would be sent out through the internet. The phone system uses the XOcomm connection to route phone traffic.
2) I did some reading on SLA. Thanks for pointing that out. For purposes of learning here, I am showing this as 12.175.XXX.XXX for Comcast and 12.200.XXX.XXX for XO comm.
4) I guess I would use an Outside 2, as that makes sense; in the description, I would label them "Comcast" for outside 1 and "XOcomm" for outside 2.
5) I am still not sure I understand this part. Are additional IP addresses needed for the site-to-site VPN to talk to the local hosts, or will it use the IP addresses assigned by the local server?
Next Steps
1. Configure the ASA 5510 for the 5505 connection
2. Configure the ASA 5505 for the 5510 connection
3. Configure SLA for the Comcast and XOcomm outside connections
4. For this I need help. I think this is from step 1, but I need help to configure the internet to be segregated, per my question from #1. Have I given enough information to do so? Please advise on ACL entries and route statements needed so that NJ can talk to all the offices when using this connection, not just the headquarters.
Thanks
dave
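The configuration shape behind question 1, question 5 and next steps 3 and 4 (VPN "work" traffic selected by a crypto ACL and exempted from NAT, everything else PATed to the internet, and an SLA-tracked default route so internet access fails over to the XO line), as an added example for readers of this thread; it is not Dave's config, not from any reply here, and not a Cisco-published sample. It assumes ASA 8.4(2)-style syntax (an 8.2 unit uses the older nat/global form), and every address, object name (NJ-LAN, HQ-NETS, VPN-TO-HQ, OUTSIDE-MAP), interface name (inside/outside/backup) and the ICMP probe target is a constructed stand-in for the placeholders in the post.

```cisco
! ASA 5505 at the NJ site. Constructed addressing (not the page's real values):
!   192.168.40.0/24   stands in for 192.168.D.0 (NJ data LAN)
!   203.0.113.0/24    stands in for the Comcast side (12.175.x.x)
!   198.51.100.0/24   stands in for the XOcomm side (12.200.x.x)
!   192.0.2.10        stands in for the HQ 5510 outside address
!   192.168.10/20/30/100.0/24  stand in for HQ subnets A, B, C and X

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.40.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Vlan3
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0

! --- Question 1 / step 4: what is "work" traffic and what is internet ---
! Only traffic matching the crypto ACL is encrypted toward HQ. Every other
! destination follows the default route and is PATed to the internet, so the
! split happens on the ASA; no "split tunneling" setting exists for a LAN-to-LAN.
object network NJ-LAN
 subnet 192.168.40.0 255.255.255.0
object-group network HQ-NETS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip object NJ-LAN object-group HQ-NETS

! Identity (twice) NAT keeps VPN traffic untranslated; it is evaluated before PAT.
nat (inside,outside) source static NJ-LAN NJ-LAN destination static HQ-NETS HQ-NETS no-proxy-arp route-lookup
! Everything else is PATed to whichever outside interface the routing table picks.
nat (inside,outside) after-auto source dynamic any interface
nat (inside,backup) after-auto source dynamic any interface

! --- Site-to-site IKEv1/IPsec to the HQ 5510 (the 5510 gets the mirror image) ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 192.0.2.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK

! --- Step 3: SLA-tracked default route, internet fails over to the XO line ---
! 203.0.113.254 is an assumed upstream host that answers ICMP; probing the
! directly connected gateway alone would not detect an outage past it.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.254 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
! HQ subnets are reached through the tunnel, so no static routes are needed for
! them; the 10.x phone subnet keeps its own path and is out of scope here.
```

Nothing in this configuration hands out addresses for the site-to-site tunnel: hosts keep the LAN addresses the local DHCP server assigned them, and an address pool is only needed for AnyConnect remote-access clients. On a 5505 with the Base license the third VLAN must be restricted (`no forward interface Vlan1` under Vlan3) before it accepts an IP address, which is acceptable for a second outside interface because only the inside initiates connections toward it. The crypto map is bound to outside only, so a Comcast outage fails over internet access but not the tunnel. Once it is up, `show track 1` confirms the probe state and `show crypto ipsec sa` confirms that only VPN-TO-HQ traffic is being encrypted.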
