# Using ASA 5505 as a front end firewall feeding 4 others



## siman008 (Aug 18, 2014)

I have been given a ASA5505 (ASA5505-BUN-K9 running 8.3(1)) and asked to set it up as a front end firewall with 4 further firewalls behind it. 

I can configure these but ASA 5505 is proving a problem (I have never really used them)

On the WAN side I have a subnet with 5 spare ip addresses (e.g. 83.123.456.80 /29) and I want ideally to setup each of the rear firewalls with their own ip address through the 5505's internal firewall - so they can each access the internet mostly out going traffic but not allow traffic internally to go between the separate lans. 

If that's not possible then I wanted to setup a NAT on ASA and just use one external IP and then 4 internal ones (+ one admin) if possible find some way of separating firewalls out so traffic cannot leak internally between them. 

Any ideas of how this could be done? 

Thanks!


----------



## Wand3r3r (Sep 17, 2010)

Welcome to TSF!

How many hosts are we talking about per firewall?

You can not have the ASA as a front end and use public ip for the firewalls behind the ASA.
If you have just the 4 firewalls connected to the same internet connection there is no chance of them communicating with each other due to ip addressing. You could further enhance this by putting a deny rule on each for a deny of the other 3's wan ips.

But this design indicates a lack of knowledge of designing secure networks. You would only have 4 firewalls for a large company and then each would have its own internet connection since it wouldn't be practical to have everyone going through one internet connection.

By the sounds of it the proper design should have been done using vlans not firewalls.


----------



## siman008 (Aug 18, 2014)

Hi thanks for the quick reply and your help!
ok 

Each firewall will only have 5-10 clients behind it. The firewall separation is to stop data leaking between them. We have a single 80mb adsl connection to the internet in the office. Not sure VLANs work here as I don't think the 5505 handles that many VLANs (happy to be wrong) also I am told that atleast one team wants to manage their own firewall rules so best we given each their own.

So am I right to think that I need 4 rules one for each that map the external ip to an internal one one and I need to use nat and allow all outgoing protocols and ports through the 5505? Sorry I haven't used one of these before so I might not have the right Cisco language.


----------



## Wand3r3r (Sep 17, 2010)

Forget using the ASA. It won't accomplish anything for you.

Your topology would be:
internet<>modem<>switch<>4 firewalls with each having a public ip address.

"The firewall separation is to stop data leaking between them"
Who came up with this concern?

The firewalls will be talking to the internet not each other so this concern is not valid. As I previously stated you can do the additional configuration of putting denies of the others ip addresses. But this really is overkill since the firewalls won't be talking to each other anyway.

The ASA in front of these 4 accomplishes nothing but add a single point of failure for all 4 networks.

I find it surprising that in a 5 to 10 user environment that someone would want to maintain their own firewall rules. Do they really understand what they are maintaining? They want to restrict internet access to certain sites?


----------



## Wand3r3r (Sep 17, 2010)

BTW ASA with the right license can support 20+ vlans but that was not the propose of the suggestion. If you have 4 offices using the same internet connection you could have put in a vlan capable switch which would isolate each office from the other due to the vlans. There would never be any "bleed over".

Putting in firewalls on the other hand you do so to control or monitor internet access. Vlans can't do that. But I still find that rather surprising because usually in small offices everyone wants full access with no limits and no accountability.


----------



## siman008 (Aug 18, 2014)

Thanks for your suggestions all really useful and I agree! I will go back and ask though I think I will just need to do get on and setup the 5505 and configure it for the firewalls.

Which I guess means setting up a NAT (or PAT) on the 5505 adding 4 rules and 4 objects mapping external IP address to internal and allowing for all ports to be allowed out?

thanks again for your help and speed of reply!


----------

