Need help Exposing my Server at home to da Internetz



Dear all,

 

I need help exposing my Dell Server, which hosts a VM, on which Minecraft Server is running on Ubuntu.

In addition to that I wanted to expose my NAS as an FTP server as well (Synology).

 

My Network looks like this...

 

WAN------Modem-----ASA 5506X Firewall------Router-----------LAN----------Router in AP Mode---------Server

 

I could use some help setting up the Cisco ASA as well ^^

 

Pretty new to this :D


Well, since you're clearly running a double NAT.. You would need to forward the port on your ASA to your router's WAN IP.. Then on your router forward that port to the server IP.

I personally would not suggest you have these devices that you're exposing to the internet on your LAN network, you should really place them in an isolated segment... Why are you using the 2nd router?  The ASA is all that is needed.. There is no reason for that 2nd router..
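
The isolated-segment advice above, sketched as an ASA configuration. This is an added example, not part of the thread or any poster's own config: the interface numbers, IP addresses and object/ACL names are assumptions, the ports are assumed to be plain routed interfaces, and 25565/tcp is the default Minecraft Java port.

```cisco
! Added example. Interface numbers, addresses and names are assumptions.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Separate segment for anything reachable from the internet
interface GigabitEthernet1/3
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
! Outbound PAT for the LAN and for the DMZ
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ_NET
 subnet 192.168.50.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Single NAT hop: only 25565/tcp on the outside address reaches the VM
object network MINECRAFT_VM
 host 192.168.50.10
 nat (dmz,outside) static interface service tcp 25565 25565
!
! ACLs match the real (post-NAT) address; everything else inbound is dropped
access-list OUTSIDE_IN extended permit tcp any object MINECRAFT_VM eq 25565
access-group OUTSIDE_IN in interface outside
!
! A compromised DMZ host may reach the internet but never the LAN
access-list DMZ_IN extended deny ip any object INSIDE_NET
access-list DMZ_IN extended permit ip object DMZ_NET any
access-group DMZ_IN in interface dmz
```

With one ASA doing NAT there is a single forward to maintain instead of two, and the DMZ port needs its own cable run or a VLAN-capable switch to reach the server.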


Hey BudMan, thanks for the quick reply.

I'm essentially using it as a switch, where my main PC, server and my Synology are connected in my office.

I have only 1 Ethernet line going from my living room, where the ASA and the router sit, to my office.

And the server needs to be in my office...

Is it not possible to do it in this given scenario? :)


> 13 minutes ago, BudMan said:
>
> Well, since you're clearly running a double NAT.. You would need to forward the port on your ASA to your router's WAN IP.. Then on your router forward that port to the server IP.
>
> I personally would not suggest you have these devices that you're exposing to the internet on your LAN network, you should really place them in an isolated segment... Why are you using the 2nd router?  The ASA is all that is needed.. There is no reason for that 2nd router..

What do you mean by a separate segment?

Do you mean DMZ? If so, can't I just tell the router to put the server's IP into a DMZ?

I want to use the ASA only as a firewall, not as a router.

Or am I understanding something wrong?


Router and firewall are the same thing in this case. So the ASA routes as well as provides some more advanced firewall features that a typical router does not. If your modem has the capability, put it into bridge mode so that the Cisco ASA does all filtering. The cable modem is usually a firewall/router as well, so you would need to put it into bridge mode to have the ASA perform the tasks you want easily.

Understand, for home and small business use router=firewall.  Business firewalls generally have more features that you can add on or purchase: IPS/IDS, gateway antivirus and content filtering, SSL VPN, adding in blacklist blocking and regional blocking, as well as permitting traffic from certain IP ranges and blocking everyone else. Stateful inspection as well as other filtering and traffic inspection. Home use and many small businesses don’t need that, so an off-the-shelf Best Buy router is sufficient, or the one the ISP provides is good enough.

 

Fwiw, when routers first came to market as high speed internet was in its infancy they were called firewalls. Some dumb ass in marketing changed the name to router and it has stuck. It is like calling something as complex as a car a piece of sheet metal and calling Tesla’s cars. They are both cars just one has more technology in it than the other or at least is capable of more. 


> 8 minutes ago, sc302 said:
>
> Router and firewall are the same thing in this case. So the ASA routes as well as provides some more advanced firewall features that a typical router does not. If your modem has the capability, put it into bridge mode so that the Cisco ASA does all filtering. The cable modem is usually a firewall/router as well, so you would need to put it into bridge mode to have the ASA perform the tasks you want easily.
>
> Understand, for home and small business use router=firewall.

Well...   I have an ARRIS modem, which is already set in bridge mode, which routes the traffic to my Netgear router.

So should I set the Netgear in AP mode and let the ASA handle routing, forwarding and firewall services?


Put the ASA in front of the Netgear and don’t use the internet port on the Netgear.  Put a piece of tape over that port so you know it is off limits.  Give the Netgear another IP on the subnet so it can still be managed, and disable DHCP. Have the ASA hand out addresses.

Also check my edit above.


Thank you so much for your support. Do you know how to set up the ASA?

Well, I will use the Netgear then as a switch with DHCP, since the ASA lacks enough ports for all the devices ^^

So it will look like this:

WAN--Modem (Bridge)--ASA--Netgear (in Switch Mode)--Netgear (in Switch Mode)--Server


> 13 minutes ago, sc302 said:
>
> Sure do. It is what I use at work.  But try using the ASDM first. Then ask your questions.

I already downloaded and installed ASDM. But I really don't know how to set it up. I saw somewhere a web interface with a much easier-to-use interface (actual GUI) of the ASDM. How do I access that?


ASDM is the GUI interface. Connect to the default IP of the ASA and follow the setup wizard.

It is either ASDM or CLI. There is no other interface.  ASDM is a GUI and can be attached to by using a browser and typing in the IP of the ASA.


> 4 minutes ago, sc302 said:
>
> ASDM is the GUI interface. Connect to the default IP of the ASA and follow the setup wizard.
>
> It is either ASDM or CLI.

Ok. I will probably contact Cisco and see if they can help me get the settings of the setup wizard correct.


Where did you get this ASA?  Do you have SmartNet with Cisco for this device..  You're not going to be able to open a TAC case for support with Cisco without a support contract..

At a loss as to why that would have been the product of choice if you have no idea how to use it?

As a side note - you're prob going to want to get a smart switch to use with that ASA so you can leverage VLANs.. Using some SOHO router as just a switch works - but I doubt it will support VLANs.. Maybe running say dd-wrt on the device will add VLAN features.  But that depends on the hardware dd-wrt is running on.. Since I didn't see which make and model of router(s) you're using, I can not say.

If you're going to jump to the level of network that an ASA can do - you're prob going to want a smart switch, and an AP that actually can do VLANs vs just some SOHO router being used as an AP.


The ASA 5506 is capable of 5 VLANs with the basic license, 30 with Security Plus.  I wouldn't worry too much about VLANs yet... let's get him up right so he can start walking.

Follow the video to set up, change IP as needed  (FYI: on the outside interface you may want to utilize DHCP from your ISP... the command is "ip address dhcp"):

 


True, but why use a Porsche to tow a box of ###### around?

That's what his network is going to be with the ASA in front and garbage behind it ;)


> 20 minutes ago, BudMan said:
>
> True, but why use a Porsche to tow a box of ###### around?
>
> That's what his network is going to be with the ASA in front and garbage behind it ;)

It is a little baby ASA... I wouldn't call it a Porsche with inspection limited to about 750Mbps, VPN limited to 100Mbps, and IPS limited to 125Mbps.  Not exactly a Porsche, maybe a well-optioned Toyota.  The user needs to get it up first before he can start planning out VLANs; he is having trouble with what comes after powering it on.


> 8 hours ago, BudMan said:
>
> Where did you get this ASA?  Do you have SmartNet with Cisco for this device..  You're not going to be able to open a TAC case for support with Cisco without a support contract..
>
> At a loss as to why that would have been the product of choice if you have no idea how to use it?
>
> As a side note - you're prob going to want to get a smart switch to use with that ASA so you can leverage VLANs.. Using some SOHO router as just a switch works - but I doubt it will support VLANs.. Maybe running say dd-wrt on the device will add VLAN features.  But that depends on the hardware dd-wrt is running on.. Since I didn't see which make and model of router(s) you're using, I can not say.
>
> If you're going to jump to the level of network that an ASA can do - you're prob going to want a smart switch, and an AP that actually can do VLANs vs just some SOHO router being used as an AP.

I bought it from Cisco and yes, I have the basic license.

Thanks for the vid..  No reply from Cisco yet though...

 


Buying it from Cisco doesn't mean you got SmartNet with it ;)

I agree it's a baby and can not really push any data.. But compared to your typical SOHO device it's a freaking Porsche...

And they want you to pay extra for the bells and whistles, etc..

You should have bought a Netgate appliance and run pfSense - way easier to use... And no such limits on number of VLANs, etc. etc.


> 14 hours ago, BudMan said:
>
> Buying it from Cisco doesn't mean you got SmartNet with it ;)
>
> I agree it's a baby and can not really push any data.. But compared to your typical SOHO device it's a freaking Porsche...
>
> And they want you to pay extra for the bells and whistles, etc..
>
> You should have bought a Netgate appliance and run pfSense - way easier to use... And no such limits on number of VLANs, etc. etc.

Isn't that a solution from Switzerland?

What about Ubiquiti?


BudMan knows pfSense better than anyone.  Ubiquiti is a good alternative too.

Cisco is not really meant for beginners. Or those without support contracts.

Though you can go with their small business line.... it is a little easier as it does use HTTP out of the box.


Yea, a little USG from UniFi would have worked better as well than that Cisco.

No, pfSense is not from Switzerland... Maybe you're thinking of https://www.open.ch/en/index.php

But that is a managed service sort of product - that yeah places a box on your network and does some really cool stuff with it.. Not very well known as of yet in the US from my understanding.. But we recently had a sit-down with them at work..

Netgate/pfSense is here https://store.netgate.com/SG-3100.aspx

Prob would have been a good box - prob cheaper than that ASA as well..

For UniFi, something as cheap as https://www.ubnt.com/unifi-routing/usg/

would have been good as well - and can do DPI and application management... But when you turn that on the speed drops into the dirt... But they make bigger boxes... And they also provide switches and APs..

You could also run pfSense on your own hardware, or even as a VM etc..


Does the basic licence of the 5506X even come with FirePower features? Haven't used an ASA of the X generation.

What's ASDM like? Hopefully nothing like the Java-based mess that was CCP back in the day.

Agree with what others have said - there's not much point having an ASA upfront and plugged into a flat network with nothing to manage behind it.

You can pick up an HP 1810-24 or 1920-24 relatively inexpensively these days and they are solid switches for the money (no proper CLI though :( ) and the Ubi APs are generally well liked and support VLAN tagging.

I used to run Cisco ISRs at home until relatively recently, but moved to a Sophos XG running as a VM on one of my ESXi hosts. It has its quirks, but the free licence is quite generous (limited to 2 cores, 6GB RAM) as it gives you pretty much all the UTM features on a perpetual licence.

 
