Nextelco:ASA1

From its-wiki.no

ASA 1

ASA1 is responsible for analysing and filtering every connection originating on the Internet that wants to reach the CNOC. It also builds IPsec VPN (layer 3) tunnels to every ASA-Africa device, so that the CNOC can communicate with the end-users, CPEs and BSs sitting behind each ASA-Africa. All Internet traffic generated by end-users behind ASA2 passes through it. At the same time it blocks any connection to the Internet initiated by the CNOC, the Application Server, or other equipment such as BSs and CPEs. The next figure shows how it is connected.


ASA 1 Connection
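The tunnels described above, written out as an added example of ASA 8.2(5) site-to-site IPsec configuration (this is not configuration taken from the page or from the project): ASA1's side of one tunnel to one ASA-Africa. The CNOC network 192.168.1.0/24, the 10.10.0.0/16 network behind ASA-Africa, the peer address 203.0.113.50, the object names and the pre-shared key are all assumptions.

```cisco
! Added example, not the page's configuration. Assumed values:
!   CNOC (inside) network          192.168.1.0/24
!   network behind ASA-Africa      10.10.0.0/16
!   ASA-Africa outside address     203.0.113.50
!
! Phase 1 (IKEv1): AES-256 is available because the license lists VPN-3DES-AES as enabled
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 ipsec-attributes
 pre-shared-key CHANGE-ME-use-a-long-random-secret
!
! Phase 2: which traffic is encrypted (crypto ACL) and how
access-list CNOC_TO_AFRICA extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address CNOC_TO_AFRICA
crypto map outside_map 10 set peer 203.0.113.50
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
! NAT exemption: if dynamic NAT/PAT is applied to the inside interface, CNOC-to-Africa
! packets would otherwise be translated to the outside address before the crypto map
! sees them and would never match CNOC_TO_AFRICA. Identity NAT keeps the real source.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! Verification once the peer is configured the same way (mirrored networks):
!   show crypto isakmp sa      - phase 1 should be MM_ACTIVE
!   show crypto ipsec sa       - encaps/decaps counters should increase during a ping
```

Each additional ASA-Africa gets its own tunnel-group, crypto ACL and crypto map entry with the next sequence number; the license listed below allows 10 VPN peers in total. One caveat that matters for the filtering role of ASA1: sysopt connection permit-vpn is on by default, so traffic arriving through the tunnel bypasses the outside interface's access list. Anything the BSs, CPEs and end-users behind ASA-Africa send towards the CNOC is therefore allowed in unless a vpn-filter is attached to the tunnel's group-policy, or the sysopt is turned off with no sysopt connection permit-vpn so that the outside ACL applies to decrypted traffic as well.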


Initial setup

ASA 1 arrived with an existing configuration (hostname cnocasa). These are the steps we followed to save that configuration to flash before resetting the device:

cnocasa(config)#copy startup-config disk0:
Destination filename [startup-config]?cnocasa_startup-config_20140524
cnocasa(config)#copy running-config disk0:
Destination filename [running-config]?cnocasa_running-config_20140524
cnocasa#write erase
Erase configuration in flash memory? [confirm]
cnocasa#reload
Proceed with reload? [confirm]
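As an added check that is not part of the page's own procedure, the listing below shows how to confirm that both backup files are actually on disk0 before erasing, and how to bring the saved configuration back after the reload if the reset device turns out to be missing something. The filenames are the ones used above; the prompts are assumed to match.

```cisco
! Added example, not from the page. Run before "write erase":
cnocasa# dir disk0:
! Both cnocasa_startup-config_20140524 and cnocasa_running-config_20140524 must appear
! in the listing with a non-zero size; if either is missing, do not erase.
cnocasa# more disk0:/cnocasa_running-config_20140524
! Skim the file: it holds the old enable/passwd hashes and any pre-shared keys.
! "show running-config" masks pre-shared keys with asterisks, but the file on flash
! does not, so the backup is sensitive and should leave the device only over a
! trusted path (e.g. copy disk0:/... scp: rather than tftp:).
!
! Restore after the reload, if needed (replaces the startup config, then reboots):
cnocasa# copy disk0:/cnocasa_startup-config_20140524 startup-config
cnocasa# reload
!
! Or merge the old running config into the current one without a reboot
! (copy to running-config merges; it does not replace):
cnocasa# copy disk0:/cnocasa_running-config_20140524 running-config
```

write erase clears only the startup configuration in flash; the two backup files and the software images on disk0 are untouched, which is why they are still there to restore from after the reload.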

After backing up the configuration and restoring the device to its factory state, the ASA boots the first image it finds on disk0, since write erase also removed any boot system command that would have selected one. In this case that is ASA software version 8.2(5) with ASDM version 6.4(5). If a newer software version is available it is advisable to move to it; unfortunately there is no newer image on disk0, and we do not have a Cisco account to download one. Note that 8.2 is long out of support, so until an image can be obtained this Internet-facing firewall is running an unpatched release.


Specifications

This device has the following specifications:

  • Hardware
    • ASA5505
    • 512MB RAM
    • CPU Geode 500 MHz
    • Internal ATA Compact Flash 128MB
    • BIOS Flash Firmware Hub @ 0xffe00000 1024KB
  • Licensed features for this platform:
    • Maximum Physical Interfaces : 8
    • VLANs : 3, DMZ Restricted
    • Inside Hosts : 50
    • Failover : Disabled
    • VPN-DES : Enabled
    • VPN-3DES-AES : Enabled
    • SSL VPN Peers : 2
    • Total VPN Peers : 10
    • Dual ISPs : Disabled
    • VLAN Trunk Ports : 0
    • Shared license : Disabled
    • AnyConnect for Mobile : Disabled
    • AnyConnect for Cisco VPN phone : Disabled
    • AnyConnect Essentials : Disabled
    • Advanced Endpoint Assessment : Disabled
    • UC Proxy Sessions : 2
    • Botnet Traffic Filter : Disabled
  • This platform has a Base license.
  • Serial Number : JMX16264094


Required capabilities

  1. Two VLANs
    1. VLAN 1 for inside
    2. VLAN 2 for outside
  2. A minimum of two interfaces, up to three
    • If Internet and VSAT are connected through the same interface
      1. Ethernet 0/0 for outside (Internet & VSAT)
      2. Ethernet 0/1 for inside (CNOC)
    • If Internet and VSAT are connected through different interfaces
      1. Ethernet 0/0 for outside (Internet)
      2. Ethernet 0/1 for outside (VSAT)
      3. Ethernet 0/2 for inside (CNOC)
    • The three-interface layout needs a third VLAN. The Base license listed above allows three VLANs, but the third is DMZ-restricted: it cannot initiate traffic towards one of the other two VLANs (configured with no forward interface vlan N before nameif), which has to be taken into account when choosing which VLAN the VSAT side gets. Dual ISPs is also disabled in that license, so two outside interfaces cannot be used for ISP failover.
  3. NAT for traffic originated by the CNOC (inside --> outside)
  4. Ping functionality from inside to outside (inside --> outside), i.e. the following must pass:
    1. echo
    2. echo-reply
    3. time-exceeded
    4. unreachable
    5. traceroute
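The four requirements above, carried through as an added example of an ASA 5505 / 8.2(5) configuration in the two-interface layout (Internet and VSAT on the same outside interface). This is not configuration from the page or the project: the CNOC network 192.168.1.0/24, the outside address 203.0.113.2/24 and the default gateway 203.0.113.1 are assumptions.

```cisco
! Added example, not the page's configuration. Assumed addresses:
!   inside (CNOC)   192.168.1.1/24
!   outside         203.0.113.2/24, gateway 203.0.113.1
!
! 1. Two VLANs: VLAN 1 = inside, VLAN 2 = outside
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! 2. Switch ports: Ethernet0/0 into the outside VLAN, Ethernet0/1 into the inside VLAN.
!    Unused ports are shut so a stray cable cannot land in the inside VLAN.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/2
 shutdown
! (repeat the shutdown for Ethernet0/3 through Ethernet0/7)
!
! 3. NAT (8.2 syntax): dynamic PAT of everything leaving inside to the outside address.
!    No access-list is applied to outside, so the security-level rule (0 -> 100)
!    drops every Internet-originated connection towards the CNOC.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! 4. ICMP from inside to outside. Stateful ICMP inspection lets echo-reply,
!    time-exceeded and unreachable back in only when they answer a probe that
!    went out through the ASA, so no "permit icmp any any" hole is opened on outside.
!    "inspect icmp error" also translates the addresses inside ICMP error messages,
!    so traceroute shows the real intermediate hops instead of the PAT address.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! ICMP aimed at the ASA itself: answer pings from the CNOC, ignore them from the Internet
icmp permit 192.168.1.0 255.255.255.0 inside
icmp deny any outside
```

For the three-interface layout, add interface Vlan3 for the VSAT side with no forward interface vlan 1 (or vlan 2) before its nameif, as the Base license requires, and put Ethernet0/1 in VLAN 3 and Ethernet0/2 in VLAN 1. The ICMP and NAT parts apply unchanged to whichever interface is named outside; a second outside-facing VLAN needs its own route and its own entry in the global (...) 1 NAT pool if CNOC traffic is expected to leave through it.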


Configuration

The official configuration guide for this software version, 8.2(5), can be found here.

Modules for SPAM filtering

  • CISCO VPN sec
  • Botnet traffic filter by CISCO, license part number ASA5505-BOT-1YR= (the Botnet Traffic Filter is disabled in the license listed above and needs this subscription before it can be enabled)

Discussion

The virus interface should be at the ASA-Africa, which is in Congo. The challenge then is that every satellite ground station needs its own ASA.

