# Help with setup of Cisco ASA 5505



## greens85 (Jul 7, 2009)

Hi all,

I have recently purchased an ASA 5505 firewall and want to configure it to allow VPN & Remote Desktop Connection into my network.

My proposed network setup is:

Internet --> Linksys Router --> Cisco ASA 5505 Firewall --> Switch --> (Server/Printer/Workstations)...

All the computers on the network will be running static IPs within the scope of 192.168.1.xxx (the router being 192.168.1.1).

I have a public/static IP address.

Basically all I'm trying to achieve is VPN and RDC that when the user logs in their credentials are checked against Active Directory and the firewall allows them into the network.

Hope that is clear...

Can anyone advise?


----------



## bilbus (Aug 29, 2006)

First off ... remove the Linksys router ... the ASA is a router/firewall.


----------



## bilbus (Aug 29, 2006)

You can set up the VPN client to check against AD, but I don't think directly. I think you need to use AAA via RADIUS.


----------



## greens85 (Jul 7, 2009)

bilbus said:


> First off ... remove the Linksys router ... the ASA is a router/firewall.


Is it essential that the router be removed from the setup? There are two reasons why I ask: 

1) While the majority of the workstations will be wired into the network, one laptop will work from wireless. The reason being it will connect via Remote Desktop Connect whether in the office or working from home. Therefore we need a wireless router to hand out IPs via DHCP for the laptop, while the rest of the workstations will work from a static IP.

2) The line into the office is DSL, rather than an Ethernet port. This means that it is physically impossible for me to connect the ASA 5505 to our internet connection.

Would it not be possible to run the router as a DHCP server and turn off DHCP on the firewall, set the outside IP on the firewall to the router's internal IP, then set the router's external IP to the static IP provided by our ISP?

As for Active Directory validation, I'm not sure what AAA via RADIUS is... but what I can tell you is that I am running SBS 2008? Not sure if that helps. In the worst case scenario I'm guessing I could validate via the firewall and then direct onto the appropriate static IP?


----------



## bilbus (Aug 29, 2006)

1. If you use the router like that, you will not be able to use the wireless anyhow ... since the router will not be on the same network as the second router. Just plug the wireless router's LAN port into the switch, turn off DHCP, change its IP address, and don't plug in the Linksys router's WAN port, and you will now have an access point, not a router.

2. Linksys routers are not modems ... you still have a modem in the mix.

3. I don't know if Cisco has AD integration, I know it has RADIUS.


----------



## greens85 (Jul 7, 2009)

bilbus said:


> 1. If you use the router like that, you will not be able to use the wireless anyhow ... since the router will not be on the same network as the second router. Just plug the wireless router's LAN port into the switch, turn off DHCP, change its IP address, and don't plug in the Linksys router's WAN port, and you will now have an access point, not a router.
> 
> 2. Linksys routers are not modems ... you still have a modem in the mix.
> 
> 3. I don't know if Cisco has AD integration, I know it has RADIUS.


So if I understand this correctly (and I probably don't!), the setup would resemble something like:

Internet --> ASA 5505 --> Switch --> Linksys Router (Wireless Access Point) --> Machines on the LAN

OR

Internet --> ASA 5505 --> Linksys Router (Wireless Access Point) --> Switch --> Machines on the LAN

A couple of questions:

1) When you say plug the wireless router's LAN into the switch, are you talking about running a Cat5 from the port marked 'Internet' or from one of the ports marked 'Ethernet'? The ports I'm referring to here are on the back of the particular router I have.

2) By '...don't plug in the Linksys WAN port' I would assume that whatever the answer to the above is... I make sure the other ports contain no Ethernets. I realize this is basics but I just want to make sure I fully understand here, so apologies for that.

3) If I turn off DHCP, how will the laptop be able to get an IP address each time it enters the building? Assuming you are talking about turning off the DHCP on the router (wireless access point) and not on the ASA 5505?

I'm not sure I understand how there will still be a modem in the mix either... 

If you can picture that coming into the office is a standard phone line (UK) and then an ADSL splitter, then the DSL line currently runs from the splitter to the back of a Netgear modem router... however if the ASA 5505 was the first point of contact from the line in, there would be nowhere to place the DSL line... so how would I even receive the internet in the first place?

Thanks for your time, and sorry about all the questions!


----------



## bilbus (Aug 29, 2006)

Internet, modem, ASA, switch; both computers and the Linksys get plugged into the switch.

You plug no cables into the internet port of the Linksys. You plug a Cat5 cable from the LAN port on the Linksys to the standalone switch you have.

Yes, turn off DHCP on the Linksys and keep it on the ASA. It will hand out IPs to the wired and wireless clients.

You need to locate your DSL modem, and that gets put in the mix. If your modem is a router/modem then change the router/modem to bridged mode.


----------



## greens85 (Jul 7, 2009)

bilbus said:


> Internet, modem, ASA, switch; both computers and the Linksys get plugged into the switch.
> 
> You plug no cables into the internet port of the Linksys. You plug a Cat5 cable from the LAN port on the Linksys to the standalone switch you have.
> 
> ...


I didn't think the ASA had wireless capabilities! Therefore I didn't think it would hand out an IP to the wireless laptop!

So by my understanding... the ASA is given the public/static IP, presumably on the outside line... two VLANs are set up, one of which goes to the switch, then from the switch we have a WAP (Linksys router) & all the computers on the LAN...

Which will look something like so:

Internet --> Modem --> ASA w/DHCP --> Switch --> WAP w/ no DHCP
--> Computers w/ Static IPs (set within the scope of the ASA IP range).

That is my understanding of it.... hope I am getting somewhere near!


----------



## greens85 (Jul 7, 2009)

Hi,

I have recently found out that we have a direct connection in... so we can now rule out the modem part :smile:

I have attached a diagram of what I think you mean from your posts... would you be kind enough to take a look and let me know if I am on the right lines?

Many thanks for your time.


----------




## bilbus (Aug 29, 2006)

The ASA does not have wireless capabilities, but clients connect to the WAP, and then are now reachable to the ASA, and will hand out an IP.

So for short, as long as you're connected to the network wired or wirelessly ... you can DHCP an address from the ASA.

As for your picture, correct except the laptop; it should be connecting to the AP, not the ASA.


----------



## greens85 (Jul 7, 2009)

bilbus said:


> The ASA does not have wireless capabilities, but clients connect to the WAP, and then are now reachable to the ASA, and will hand out an IP.
> 
> So for short, as long as you're connected to the network wired or wirelessly ... you can DHCP an address from the ASA.
> 
> As for your picture, correct except the laptop; it should be connecting to the AP, not the ASA.


Thanks for taking the time to review my picture 

The only thing I don't understand now is how the laptop would obtain an IP via DHCP from the AP...

I understand that the ASA would happily hand an IP out to the AP or have one statically assigned by myself, but I think I'm struggling with how the AP then 'passes' a dynamic IP onto the laptop when the AP actually has DHCP turned off.

I guess my question is...how does the AP in turn then hand out a dynamic IP to the laptop?

Is it a case of, the ASA would pass a dynamic IP into the AP and this in turn would then pass that onto the laptop? If this is so, I'm assuming I have to set a static IP for the AP much like I have shown in my picture? 

I want everything to have a static IP barring the laptop, I'm assuming this isn't a problem. As I believe I can set a range within the ASA... so I could take so many IPs out of the range for static use... is this correct thinking on my part?

Once again, many thanks for your help... greatly appreciated.


----------
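The layout the thread converges on (ASA as the only DHCP server, the Linksys bridging wireless clients onto the same LAN, statics kept outside the pool, VPN logins passed to Active Directory over RADIUS), as an added ASA configuration sketch that is not from either poster. Assumptions: the ASA inside address 192.168.1.1, a server at 192.168.1.10 offering DNS and RADIUS, the pool range, and the names AD-RADIUS and REMOTE-VPN are all hypothetical.

```cisco
! Added example, not from the thread. All addresses and names are assumed.
!
! Inside VLAN interface: the LAN gateway for wired and wireless clients.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! DHCP pool on the inside interface only. The access point has its own
! DHCP server turned off and simply bridges wireless clients onto this
! VLAN, so the laptop's DHCP broadcast reaches the ASA directly.
! The pool is kept small: the size the ASA 5505 accepts depends on its
! user license.
dhcpd address 192.168.1.200-192.168.1.231 inside
dhcpd dns 192.168.1.10 interface inside
dhcpd enable inside
!
! Static plan (configured on the hosts themselves, outside the pool):
!   192.168.1.1        ASA inside
!   192.168.1.2        Linksys in access-point role (LAN-side address)
!   192.168.1.10       server (assumed DNS + RADIUS for AD)
!   192.168.1.20-199   printer and workstations
!
! RADIUS server group: the ASA forwards VPN logins to the RADIUS service
! on the AD server, which checks them against Active Directory.
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 192.168.1.10
 key <shared-secret-placeholder>
!
! Point the remote-access tunnel group at that server group. The rest
! of the remote-access VPN setup (crypto settings, client address pool,
! group policy) is outside the scope of this fragment.
tunnel-group REMOTE-VPN type remote-access
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group AD-RADIUS
```

With users authenticating to the VPN first, Remote Desktop is reached through the tunnel, so no inbound rule for TCP 3389 is needed on the outside interface.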

