delslo
Sep 20, 2003

I am in the process of upgrading my home/home office network and I have a thing for good equipment and slight 'overkill.' I was looking at the Pix 501 since I've deployed a few of them. While looking I came across the ASA 5505 and it appears to have a lot of kick rear end features/specs. I'm also looking in that price range at other entry level "small office" firewalls and none seem to compare (I won't touch the low end WatchGuards, also not a fan of SonicWall). That said, has anyone had much experience with the ASA 5505 (or I guess the 5510)? Does it perform well for what it is? Any issues/problems with it?

Thanks!

delslo
Sep 20, 2003

^^ Thanks. None of those restrictions are important to me, so I should be OK. Also, pardon my n00bness, but the 10 user licenses refer to concurrent VPN connections, not devices/users accessing the internets at the same time? If that is how it works, how well does it handle the licenses? The only other concern is how stable the Intel/OS X Cisco VPN client is these days.

delslo
Sep 20, 2003

Update: while troubleshooting a WatchGuard Edge device for a client today, I became so annoyed with it and the idea that ANYONE, much less a MANAGER* at my company, would recommend such a pile of poo poo to one of our clients... that I placed my order for the ASA 5505 as soon as I got off the phone.

Seriously, you shouldn't have to tell a client: "when someone in your office can't get to the internet, please power cycle your brand new firewall" (that some rear end in a top hat didn't spec right for you guys) to allow that person to get on (while kicking someone else off).

delslo fucked around with this message at 01:51 on Aug 1, 2007

delslo
Sep 20, 2003

I have 2 questions relating to my ASA5505 that I had posted earlier about getting.

1) Comcast gives me a DHCP public IP; they said they won't offer static to home users. Is there a way/trick/whatever to get port forwarding to work with a dynamic IP on the outside interface? I already have a dyndns.org hostname pointing to the correct IP (updated using the Windows client). The guy who was helping me had no clue how to do it because he couldn't just plug the outside IP in. For two examples, I'd like to forward:
Port 3389 to 10.0.1.99
Port 22 to 10.0.1.22

2) I set up VPN using the wizard, installed the OS X client on my MacBook Pro, and everything works GREAT. Split tunneling is very nice, 3DES is also nice, the whole thing connects very quickly and access to internal resources is nice and snappy. However, at one of my clients, I'm behind a Pix 515 firewall that has PPTP passthrough enabled and is the endpoint for a handful of site-to-site VPN connections. The issue is this: I can connect to my home VPN from behind the Pix, but I cannot access any resources (ping/RDC/shares/etc.). Any idea where the issue is or what needs to be fixed?

Thanks!

edit: I'd post my running config, but thanks to #2, I can't access the config from here.

delslo
Sep 20, 2003

Girdle Wax posted:

The cisco VPN is not using PPTP, it's using IPSec/L2TP so there's a couple of things to check:
Do you have NAT traversal turned on on _your_ VPN config on the ASA? (Labelled NAT-T I believe in ASDM).
Is the PIX blocking AH or ESP protocols?

I should have clarified, the Pix 515 I'm behind is set up for PPTP Passthrough to a Windows server running Routing and Remote Access. I know, I know, but that's how it's set up.

The ASA is set up to allow NAT traversal.

Thanks guys, I'm going to take a look at the Pix first, if I can get to the ASA from here, I'll make the changes to that as well, if not, I'll have to wait till I get home.

delslo
Sep 20, 2003

Tremblay posted:

There is a bug that was fixed in ASA code. Basically PPTP + PAT == no no in 7.x code. It does work in 6.x but it turned the nat tables into spaghetti. What version of code is on the PIX and what is the ASA running?

Both the Pix and the ASA are running 7.2.

behold, my running config:
code:
: Saved
:
ASA Version 7.2(2) 
!
hostname ciscoasa
domain-name coronabeach.local
enable password <LOLPASSWORD> encrypted
names
name 68.34.60.30 comcast1 description comcast1
ddns update method coronab.dyndns.org
 ddns both
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ddns update hostname coronab.dyndns.org
 ddns update coronab.dyndns.org
 dhcp client update dns
 ip address dhcp setroute 
!
interface Vlan3
 no nameif
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd <LOLPASSWORD> encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name coronabeach.local
same-security-traffic permit inter-interface
object-group network VPN-Group
 description VPN Group
 network-object 10.0.2.0 255.255.255.0
access-list coronabeach_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0 
access-list corona_beach_splitTunnelAcl standard permit any 
access-list inside_nat0_outbound extended permit ip any 10.0.2.96 255.255.255.224 
access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.224 
access-list C_B_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0 
access-list CB_splitTunnelAcl standard permit any 
access-list cbeach_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.0.2.100-10.0.2.120 mask 255.255.255.0
ip local pool VPN_Pool 10.0.1.200-10.0.1.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (inside) 1 10.0.1.99 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 comcast1 255.255.255.255 outside
static (outside,inside) tcp 10.0.1.22 www comcast1 www netmask 255.255.255.255  dns 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy cbeach internal
group-policy cbeach attributes
 dns-server value 10.0.1.22 4.2.2.1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cbeach_splitTunnelAcl
 default-domain value coronabeach.local
username darwin password <LOLPASSWORD> encrypted privilege 0
username darwin attributes
 vpn-group-policy cbeach
http server enable
http 10.0.1.0 255.255.255.255 inside
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs 
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs 
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs 
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group cbeach type ipsec-ra
tunnel-group cbeach general-attributes
 address-pool VPN_Pool
 default-group-policy cbeach
tunnel-group cbeach ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client update dns server both
dhcpd address 10.0.1.100-10.0.1.130 inside
dhcpd dns 4.2.2.1 interface inside
dhcpd domain coronabeach.local interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:fb00efaf8c0b2658eccdd31c80cff091
: end
asdm image disk0:/asdm-522.bin
asdm history enable
Now I ask you: I am currently on comcrap internets w/ DHCP. I would like to forward ports from outside to inside, for instance:
3389 to 10.0.1.99
32767 to 10.0.1.99 (lol files)
22 to 10.0.1.22

What commands or changes would need to be run to make this happen?

- Is there any way to also punch 1723 through for PPTP VPN? I have a few devices (iPhone) that I can't install the Cisco VPN client on. If so, what changes would need to be made?

- I still have the problem accessing devices over the VPN ONLY if I am behind a Pix 515 (also running 7.2). Based on this config, can you guys make any suggestions?

- Anything else that should be cleaned out of this config? I know extra crap got added in troubleshooting.

Thanks!
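As an added example (not from the thread), here is a small Python check that reads the lines of the 7.2 config above that the VPN and port-forward questions turn on and flags the two things a reviewer would raise: a split-tunnel list that is just "permit any" (so nothing is actually split), and a static written (outside,inside), which maps an outside host onto the inside rather than forwarding a port in; it also confirms the VPN pool is covered by the nat 0 exemption. SAMPLE_CONFIG is a constructed subset of that config and the function names are mine; the interface-order rule assumed is the pre-8.3 `static (real_ifc,mapped_ifc)` syntax.

```python
"""Lint a pre-8.3 Cisco ASA config for this thread's VPN and port-forward problems (added example)."""
import ipaddress

# Constructed subset of the 7.2 config posted above, enough to exercise the three checks.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 10.0.2.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.224
access-list cbeach_splitTunnelAcl standard permit any
ip local pool VPN_Pool 10.0.1.200-10.0.1.210 mask 255.255.255.0
static (outside,inside) tcp 10.0.1.22 www comcast1 www netmask 255.255.255.255 dns
 split-tunnel-network-list value cbeach_splitTunnelAcl
 address-pool VPN_Pool
"""

def parse(config):
    """Collect ACL entries, address pools, static NATs, and the split list / pool in use."""
    acls, pools, statics = {}, {}, []
    split_list = pool_name = None
    for line in config.splitlines():
        parts = line.split() or ["!"]  # treat blank lines like '!' comment lines
        if parts[0] == "access-list":
            acls.setdefault(parts[1], []).append(parts[2:])
        elif parts[:3] == ["ip", "local", "pool"]:
            lo, hi = parts[4].split("-")
            pools[parts[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif parts[0] == "static":  # static (real_ifc,mapped_ifc) ...
            statics.append((*parts[1].strip("()").split(","), line.strip()))
        elif parts[0] == "split-tunnel-network-list":
            split_list = parts[2]
        elif parts[0] == "address-pool":
            pool_name = parts[1]
    return acls, pools, statics, split_list, pool_name

def nat0_covers_pool(acls, pools, pool_name, acl_name="inside_nat0_outbound"):
    """VPN clients only reach inside hosts if every pool address is exempt from NAT (nat 0)."""
    lo, hi = pools[pool_name]
    nets = [ipaddress.ip_network(f"{e[-2]}/{e[-1]}")
            for e in acls.get(acl_name, []) if e[:2] == ["extended", "permit"]]
    return all(any(ipaddress.ip_address(a) in n for n in nets) for a in range(int(lo), int(hi) + 1))

def split_tunnel_is_effective(acls, split_list):
    """'tunnelspecified' with a 'permit any' list sends all traffic down the tunnel: no split."""
    entries = acls.get(split_list, [])
    return bool(entries) and not any(e[-1] == "any" for e in entries)

def reversed_port_forwards(statics):
    """Inbound forwards need static (inside,outside); (outside,inside) maps the other way round."""
    return [s for real, mapped, s in statics if (real, mapped) == ("outside", "inside")]
```

Run against the full config the same way after pasting it into SAMPLE_CONFIG; a split list that names the inside subnet instead of "any" makes the second check pass.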

delslo
Sep 20, 2003

Ray_ posted:

I think a ASA 5505 would fit perfectly for you, but it is probably out of your price range at $450 or so. It does have a few 10/100 ports (that you can VLAN!) and a shitload of pretty cool firewall stuff.

With a cable modem, you need a WIC-1ENET= for a 1700 series. Here's one at PCConnection:
http://www.pcconnection.com/ProductDetail?Sku=223326

You can probably get one for under $100 off ebay, or get a 1700 with one already in for $200 or so.

The ASA 5505 "base package" (10 users, 3DES, etc. etc.) is $391 from Newegg... shipped, it comes out to ~$400.

delslo
Sep 20, 2003

OK, I've tried this a few times before with no luck and want to resolve this. I've got an ASA5505 running 8.0.3, ASDM 6.1.3. The outside interface is hooked up to a Comcast cable modem that gives my ASA a DHCP address. This address is dynamic but it does not change that often. I am trying to do NAT/port forwarding for various services such as HTTP, BitTorrent, etc. I've just run the device through the ASDM startup wizard for a quick reset to defaults/quick setup and to enable telnet management. I realize that ASDM sucks.

I'm familiar enough with the Cisco CLI to get into it, run commands that are given to me and understand basically what they are doing; that's about it. Could someone please help me out (a list of commands to run/etc. would be most helpful) based on the information below?

-----------
Internal IP: 10.0.1.22
ports: 80 (HTTP); 51413; I can figure the rest out from that

running config:
--
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name coronabeach.local
enable password LOLPASSWORD encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd LOLPASSWORD encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name coronabeach.local
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.1.2-10.0.1.33 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

----------

Thanks in advance. After I get this working, I'll set up VPN again.

delslo
Sep 20, 2003

I've been looking around to see if this is possible and haven't found much so wanted to ask here:

I've got an ASA5505 running 8.2(5) that I would like to set up as a VPN client connecting to an OSX 10.7/Lion server's VPN service (L2TP/IPSec). I've got most of the config file for the device done, except for the "connect this ASA to that VPN server" bit.

a) is this setup possible?
b) If it is possible, can someone point me in the right direction towards making this work? The generic config strings would be wonderful.

Thanks!
