  Re: Data transfer  
From: Francois Labreque
Date: 15 Sep 2011 13:55:03
Message: <4e723bf7$1@news.povray.org>

>>>> You're off by two orders of magnitude. Most Cisco firewalls are in
>>>> the 5-digit price tag.
>>>
>>> True. But not this particular one.
>>>
>>>
http://www.ebuyer.com/135532-cisco-asa-5505-firewall-edition-bundle-asa5505-50-bun-k9
>>>
>>
>> Ok. you got me. I usually don't deal with small-office/home-office gear.
>
> I was surprised myself. Our network switches cost about 3x what every
> other manufacturer wanted.
>
> (I soon discovered, however, that these "switches" are actually just
> 24-port *routers*...)
>
>>>> You don't need to be a Cisco Certified Internetwork Expert to figure it
>>>> out. The Cisco manuals are usually pretty easy to follow, and freely
>>>> available on their web site.
>>>
>>> Really? That might be worth reading...
>>>
>>
>> This is a good place to start:
>
> OK.
>
>> Note: Even though Cisco firewall appliances are now called ASAs, their
>> documentation still calls them PIXes all over the place.
>
> Yeah, we've still got a PIX 506e in the corner. Though damned if I know
> why; that thing was starting to become quite unreliable...
>
>>> From what I've seen, you telnet into the router, enter a password, and
>>> then enter lines of gibberish such as "enh eth gw all". You would
>>> *definitely* need a manual to figure out WTH that actually means, or
>>> what the name of the command you want is.
>>
>> Two things:
>>
>> First thing, typing ? at any point will list all the available commands
>> at that point.
>
> So... it's some kind of hierarchical menu system? (I had assumed that
> all commands are available all the time.)

Yes and no.

There are multiple modes: normal display mode; "enable" mode, where you 
can make some changes such as clearing counters or logs, or setting certain 
parameters; and "configure" mode, where you make ... configuration changes.

The available commands vary for each mode; however, what I meant was that

? by itself will list all the commands you can type, while

show ?

will list all the stuff the show command can display, and

show interface ?

will list all the types of interfaces that can be displayed

etc...

>
>> Second thing, you don't have to enter gibberish. the commands are plain
>> english words. They can be abbreviated for speed, but
>>
>> sh ip int fa0/0 bri
>>
>> Is exactly the same as typing
>>
>> show ip interface fastethernet0/0 brief
>
> I see.
>
> I'm guessing that unless you do this kind of thing all day, you'll
> quickly forget what the name for each command is, and so you'll need the
> manual open constantly. (I really hope the manuals contain more than
> just a reference list of every command name and what it does...)
>

Configuration guides, command references, hardware installation 
checklists, etc... they're all in there.

>>> I'm still guessing that, between the configuration for routing to
>>> multiple LANs, multiple VPN endpoints, and remote access, adding a line
>>> that forwards SSH to a port on a desktop PC whose IP address is
>>> configured via DHCP is probably going to take some doing. (!)
>>
>> Routing for the multiple LANs actually comes straight out of the box. You
>> configure an IP address on all the interfaces, and it will know that any
>> packet it receives whose destination is on another LAN interface should
>> be forwarded there (let's disregard security rules, for the moment!).
>
> Even though there's only one connection from the firewall to the
> (multiple) switches?

Then there are multiple "VLAN" interfaces created, so the above still 
stands.

>
>> Remote LANs are handled the same way they would be on a Windows or Unix
>> machine: by either configuring a routing protocol, or by adding static
>> routes.
>>

>> On Windows, you'd type:
>>
>> route add 192.168.200.0 mask 255.255.255.0 192.168.1.1
>
> 1. I didn't know you could do that.
> 2. What does it do?
>

It tells your PC that there's a network called 192.168.200.0 somewhere 
over there, and that to get to it, you must forward the packets to 
192.168.1.1 and he'll take care of them.

On a PC with no VPN and only one NIC, that's pointless, but if you have 
more than one NIC on a server, or have "split-tunnelling" enabled on 
your VPN, you need to have those set up so that the machine knows on 
which interface it needs to send the packets.

>> VPN endpoints are not more complicated than on any other platform, but
>> that's a bit like saying that changing the transmission of a Formula One
>> is not more complicated than changing it on a Toyota... It may not be
>> for a complete noob.
>
> Presumably you have to specify protocol types and encryption keys and so
> forth...
>

Yup.

>> Allowing inbound SSH connections will need that PC to have a static NAT
>> address, and therefore a static local IP address. Your Netgear or
>> Linksys home router can work around this because it also acts as the
>> DHCP server, so it knows to which MAC address to send the traffic, but in
>> an enterprise where the firewall is a separate piece of hardware, there
>> is simply no way to do this.
>
> Quite. The only way this could work is if you wanted to /temporarily/
> forward SSH (probably on a different port number) to the IP address that
> my desktop PC /currently/ has.
>
>>> And we still have the minor issue that I don't have the password. :-P
>>
>> If you have physical access to the box, you can do a password recovery
>
> I am *so* not trying this! :-D
>
> Incidentally, I gather that there's two ways to control the ASA. One
> involves telnet. The other involves a serial cable...

A serial cable is required to give the machine its initial barebones 
config; after that, it's telnet or, preferably, SSH, since anyone could 
sniff the telnet password.

-- 
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/*    flabreque    */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/*        @        */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/*   gmail.com     */}camera{orthographic location<6,1.25,-6>look_at a }
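The "?" help and keyword-abbreviation behaviour described in the reply above, as an added example that is not from the post and not Cisco's code: a toy Python model of a hierarchical command tree that expands `sh ip int fa0/0 bri` to `show ip interface fastethernet0/0 brief`, lists what may follow a partial command, and rejects ambiguous or incomplete input. The command tree, the interface types and the error wording are assumptions made for illustration, not the real IOS/ASA command set.

```python
"""
Added example (not from the original post): a toy model of how a
Cisco-style CLI resolves abbreviated keywords and answers "?".
The command tree and interface types below are a hand-constructed
subset for illustration, not the real IOS/ASA command set.
"""
import re

# Keys beginning with "<" are placeholders, as in the real help output:
# "<cr>" marks a point where the command is complete, "<interface>"
# accepts an interface name such as fastethernet0/0 or vlan1.
CR, IFACE = "<cr>", "<interface>"

COMMAND_TREE = {
    "show": {
        "ip": {
            "interface": {CR: {}, "brief": {CR: {}}, IFACE: {CR: {}, "brief": {CR: {}}}},
            "route": {CR: {}},
        },
        "interface": {CR: {}, IFACE: {CR: {}}},
        "running-config": {CR: {}},
        "version": {CR: {}},
    },
    "configure": {"terminal": {CR: {}}},
    "enable": {CR: {}},
    "clear": {"counters": {CR: {}}, "logging": {CR: {}}},
}

# Interface types known to this toy CLI; in "fa0/0" only the type part
# ("fa") is an abbreviation, the slot/port number is taken literally.
INTERFACE_TYPES = ("fastethernet", "gigabitethernet", "loopback", "vlan")
IFACE_RE = re.compile(r"^([A-Za-z]+)(\d+(?:/\d+)*)$")


class CliError(ValueError):
    """Raised with IOS-like wording: ambiguous, invalid or incomplete."""


def _unique_prefix(candidates, text, what):
    """Return the single candidate that starts with text, or raise.
    An exact match wins even if it is also a prefix of a longer keyword."""
    if text in candidates:
        return text
    matches = sorted(c for c in candidates if c.startswith(text))
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise CliError(f"% Invalid input: {what} {text!r}")
    raise CliError(f"% Ambiguous command: {text!r} could be {matches}")


def expand_token(node, token):
    """Expand one token against what is valid at this point in the tree.
    Returns (expanded_text, child_node)."""
    keywords = [k for k in node if not k.startswith("<")]
    m = IFACE_RE.match(token)
    if IFACE in node and m:
        itype, number = m.groups()
        full = _unique_prefix(INTERFACE_TYPES, itype.lower(), "interface type")
        return full + number, node[IFACE]
    key = _unique_prefix(keywords, token.lower(), "keyword")
    return key, node[key]


def run(line):
    """Expand an abbreviated command line to its full form.
    A trailing '?' instead returns the sorted list of what may come next."""
    tokens = line.split()
    want_help = bool(tokens) and tokens[-1] == "?"
    if want_help:
        tokens = tokens[:-1]
    node, expanded = COMMAND_TREE, []
    for tok in tokens:
        text, node = expand_token(node, tok)
        expanded.append(text)
    if want_help:
        return sorted(node)
    if CR not in node:
        raise CliError("% Incomplete command.")
    return " ".join(expanded)


def try_run(line):
    """Like run(), but returns the error message as text instead of raising."""
    try:
        return run(line)
    except CliError as e:
        return str(e)


if __name__ == "__main__":
    for cmd in ("?", "show ?", "show interface ?", "sh ip int fa0/0 bri",
                "sh ip int vl1 br", "sh i", "show ip"):
        print(f"{cmd!r:24} -> {try_run(cmd)}")
```

The point the toy makes is that abbreviation is resolved per position in the tree, not globally: `sh i` is rejected as ambiguous because both `ip` and `interface` are valid after `show`, while `int` is fine one level down because nothing else there starts with it.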

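The `route add` explanation above (static routes, multiple NICs and split tunnelling), as an added example that is not from the post: a toy host routing table in Python that performs the longest-prefix-match lookup a PC does after `route add 192.168.200.0 mask 255.255.255.0 192.168.1.1`, and then shows how a split-tunnel VPN adapter and a full-tunnel one differ in what they put in that table. The interface names, addresses and routes are constructed for illustration; the two /1 routes used for the full-tunnel case are the common technique, not something the post describes.

```python
"""
Added example (not from the original post): a toy host routing table doing
the longest-prefix-match lookup a PC performs after
    route add 192.168.200.0 mask 255.255.255.0 192.168.1.1
Interface names, addresses and routes are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected subnet
    interface: str
    metric: int = 1


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def connected(self, interface: str, cidr: str) -> None:
        """Configuring an address on a NIC installs a connected route for its subnet."""
        iface = ipaddress.IPv4Interface(cidr)
        self.routes.append(Route(iface.network, None, interface, 0))

    def add(self, dest: str, mask: str, gateway: str, interface: str, metric: int = 1) -> None:
        """Static route in the Windows 'route add DEST mask MASK GATEWAY' shape."""
        net = ipaddress.IPv4Network((dest, mask))
        self.routes.append(Route(net, ipaddress.IPv4Address(gateway), interface, metric))

    def lookup(self, destination: str) -> tuple[str, str]:
        """Longest prefix match, lowest metric on ties.
        Returns (next_hop, interface); for a connected subnet the next hop is
        the destination itself, i.e. delivered directly with no router involved."""
        dst = ipaddress.IPv4Address(destination)
        best: Optional[Route] = None
        for r in self.routes:
            if dst in r.network and (best is None or
                    (r.network.prefixlen, -r.metric) > (best.network.prefixlen, -best.metric)):
                best = r
        if best is None:
            raise LookupError(f"no route to {dst}")
        return str(best.gateway or dst), best.interface


def two_router_lan() -> dict[str, tuple[str, str]]:
    """The post's case: one NIC whose default gateway is the Internet router
    (192.168.1.254), plus a second router on the same LAN (192.168.1.1) that
    leads to the remote 192.168.200.0/24 network. Without the static route,
    packets for 192.168.200.x go to the default gateway, which knows nothing
    about them; with it, they go to 192.168.1.1."""
    rt = RoutingTable()
    rt.connected("Ethernet0", "192.168.1.10/24")
    rt.add("0.0.0.0", "0.0.0.0", "192.168.1.254", "Ethernet0", metric=25)
    results = {"before": rt.lookup("192.168.200.5")}
    rt.add("192.168.200.0", "255.255.255.0", "192.168.1.1", "Ethernet0")
    results["after"] = rt.lookup("192.168.200.5")
    results["local"] = rt.lookup("192.168.1.20")   # same subnet: no router at all
    return results


def split_vs_full_tunnel() -> dict[str, tuple[str, str]]:
    """Split tunnelling: only the corporate prefix is routed into the VPN
    adapter; everything else still leaves via the LAN. A full tunnel is
    commonly done by adding 0.0.0.0/1 and 128.0.0.0/1 via the VPN, which beat
    the /0 default on prefix length without having to delete it."""
    rt = RoutingTable()
    rt.connected("Ethernet0", "192.168.1.10/24")
    rt.add("0.0.0.0", "0.0.0.0", "192.168.1.254", "Ethernet0", metric=25)
    rt.connected("VPN", "10.8.0.2/24")
    rt.add("172.16.0.0", "255.240.0.0", "10.8.0.1", "VPN")
    results = {"corp_split": rt.lookup("172.16.5.9"),
               "internet_split": rt.lookup("8.8.8.8")}
    rt.add("0.0.0.0", "128.0.0.0", "10.8.0.1", "VPN")
    rt.add("128.0.0.0", "128.0.0.0", "10.8.0.1", "VPN")
    results["internet_full"] = rt.lookup("8.8.8.8")
    return results


if __name__ == "__main__":
    for name, res in (("two routers", two_router_lan()),
                      ("split vs full tunnel", split_vs_full_tunnel())):
        print(name)
        for k, v in res.items():
            print(f"  {k:15} -> next hop {v[0]} via {v[1]}")
```

The security-relevant caveat is the split-tunnel case: any destination not covered by a route pointing at the VPN adapter leaves through the LAN and the default gateway, so the table, not the VPN client's intentions, decides which traffic is protected.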
