Difference between revisions of "Nextelco:ASA1"

From its-wiki.no
Latest revision as of 15:11, 25 May 2014

ASA 1

ASA1 is responsible for analysing and filtering all connections originating from the Internet that want to reach the CNOC. At the same time it creates IPsec VPN (layer 3) connections to all ASA-Africa devices in order to provide communication between the CNOC and the end-users, CPEs and BSs sitting behind each ASA-Africa device. All Internet traffic generated by end-users behind ASA2 will go through it. At the same time, it will prevent any connection to the Internet generated by the CNOC, the Application Server and other equipment such as BSs or CPEs. The next figure shows how it will be connected.


Figure: ASA 1 Connection


Initial setup

ASA 1 came with a pre-existing configuration (hostname cnocasa). These are the steps we followed to save that configuration before resetting the device:

cnocasa(config)#copy startup-config disk0:
Destination filename [startup-config]?cnocasa_startup-config_20140524
cnocasa(config)#copy running-config disk0:
Destination filename [startup-config]?cnocasa_running-config_20140524
cnocasa#write erase
Erase configuration in flash memory? [confirm]
cnocasa#reload
Proceed with reload? [confirm]

After saving the configuration and restoring its initial state, the ASA boots with the oldest image it finds in disk0, in this case ASA software version 8.2(5) and ASDM version 6.4(5). If a newer software version is available it is advisable to upgrade to it. Unfortunately there is no newer software version in disk0 and we do not have a Cisco account to download one.


Specifications

This device has the following specifications:

  • Hardware
    • ASA5505
    • 512MB RAM
    • CPU Geode 500 MHz
    • Internal ATA Compact Flash 128MB
    • BIOS Flash Firmware Hub @ 0xffe00000 1024KB
  • Licensed features for this platform:
    • Maximum Physical Interfaces : 8
    • VLANs : 3, DMZ Restricted
    • Inside Hosts : 50
    • Failover : Disabled
    • VPN-DES : Enabled
    • VPN-3DES-AES : Enabled
    • SSL VPN Peers : 2
    • Total VPN Peers : 10
    • Dual ISPs : Disabled
    • VLAN Trunk Ports : 0
    • Shared license : Disabled
    • AnyConnect for Mobile : Disabled
    • AnyConnect for Cisco VPN phone : Disabled
    • AnyConnect Essentials : Disabled
    • Advanced Endpoint Assessment : Disabled
    • UC Proxy Sessions : 2
    • Botnet Traffic Filter : Disabled
  • This platform has a Base license.
  • Serial Number : JMX16264094


Required capabilities

  1. Two VLAN
    1. VLAN 1 for inside
    2. VLAN 2 for outside
  2. Minimum of two interfaces, up to three
    • If Internet and VSAT are connected through the same interface
      1. Ethernet 0/0 for outside (Internet & VSAT)
      2. Ethernet 0/1 for inside (CNOC)
    • If Internet and VSAT are connected through different interfaces
      1. Ethernet 0/0 for outside (Internet)
      2. Ethernet 0/1 for outside (VSAT)
      3. Ethernet 0/2 for inside (CNOC)
  3. NAT for traffic originated by CNOC (inside --> outside)
  4. Ping functionality from inside to outside (inside --> outside)
    1. echo
    2. echo-reply
    3. time-exceeded
    4. unreachable
    5. traceroute


Configuration

The official configuration guide for this software version, 8.2(5), can be found at http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config.html
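As an added example that is not from the wiki page or its authors, the following 8.2-style configuration covers the "Required capabilities" list above for the two-interface case (Internet and VSAT on the same outside interface): VLAN 1 inside, VLAN 2 outside, pre-8.3 NAT for CNOC traffic, and stateful ICMP inspection so that ping and traceroute work from inside to outside. All IP addresses are RFC 5737 documentation ranges chosen here as placeholders; the IPsec tunnels to ASA-Africa are out of scope of this fragment.

```cisco
! Added example (not the wiki's own configuration): ASA 8.2(5), two-interface case.
! Addresses are RFC 5737 documentation ranges used as placeholders.
hostname cnocasa
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
! Default route towards the ISP gateway (placeholder address).
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Pre-8.3 NAT: CNOC hosts (inside) are PATed behind the outside interface address.
global (outside) 1 interface
nat (inside) 1 192.0.2.0 255.255.255.0
!
! Stateful ICMP inspection: "inspect icmp" tracks echo/echo-reply so only replies
! to inside-initiated pings return; "inspect icmp error" lets the time-exceeded
! and unreachable messages generated along a traceroute path come back in.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! No access-list is bound to the outside interface, so connections initiated
! from the Internet are dropped by the default security-level rules (0 -> 100),
! which is the inbound filtering role described for ASA1.
```

Check the result with "show nat" and "show service-policy inspect icmp" after a ping and a traceroute from an inside host; both counters should increase while "show conn" shows no connections initiated from the outside.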

Modules for SPAM filtering

CISCO VPN sec: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f_ps6120_Products_Data_Sheet.html

Botnet traffic filter by CISCO: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-526545.html

ASA5505-BOT-1YR=

Discussion

The virus-filtering interface should be at the ASA-Africa, which is in Congo. The challenge then is that every satellite ground station needs its own ASA.


Return to the Technology page.