I embarked on securing my home network while providing reliable VPN access. I had limited experience with Cisco’s IOS in the past so I was willing to make an attempt at taming an ASA (Adaptive Security Appliance) 5505. Of course my budget was limited so I opted for the base license (10 hosts). This is a limit I still do not quite understand. Some say its defined by ARP entries or XLAT’s. Honestly, I decided not to test the water.
I setup my network in a rather unique way. I kept my existing Airport Extreme with its current subnet and simply placed the entire router in a NAT on my ASA. This way my ASA will only ever see one host. This has some disadvantages but only in the configuration. For this example I will define the networks as (substitute yours in):
ASA Inside-Network = 10.1.0.0/24 ASA VPN-Network = 10.2.0.0/24 Airport Network = 10.3.0.0/24
It is important to note if this is your first time playing with an ASA it would be wise to attach the blue serial cable. It personally gave me the confidence to do anything I wanted without worrying about lossing the connection. I also setup my ASA completely via the CLI. I am no expert by any means, in fact I believe Cisco is currently emphasizing the ASDM however I just felt more comfortable in CLI. I do use the ASDM however I make it show me the commands before it sends them. This is for two reasons, one to teach me and two to prevent accidents.
I personally can attest to the vast amount of information on the internet about the ASA. This post is to help bring everything together into one place. I do not plan on explaining anything already available online. The configuration was done on ASA 9.0(2) but should work with anything 8.3 or higher (since the new NAT rules). These commands are expected to be issued on a factory default ASA.
The first thing you will need to do with your ASA is setup the basics (replacing the all-caps words):
hostname HOSTNAME enable password PASSWORD username USERNAME password PASSWORD privilege 15 aaa authentication http console LOCAL aaa authentication ssh console LOCAL http server enable http 10.1.0.0 255.255.255.0 inside ssh 10.1.0.0 255.255.255.0 inside ssh version 2 ssh timeout 5 console timeout 5 management-access inside clock timezone CST -6 clock summer-time CDT recurring dns domain-lookup outside dns server-group DefaultDNS name-server 126.96.36.199 name-server 188.8.131.52 ntp server 184.108.40.206 source outside prefer
Configure your VLAN addresses and setup DHCP server:
interface Vlan1 ip address 10.1.0.1 255.255.255.0 dhcpd address 10.1.0.30-10.1.0.50 inside dhcpd dns 220.127.116.11 interface inside dhcpd option 3 ip 10.1.0.1 interface inside dhcpd enable inside
Example of opening a port through the firewall (you of course also have to forward it through the Airport):
object network SSH-Server host 10.1.0.2 access-list outside_access_in extended permit tcp any object SSH-Server eq ssh object network SSH-Server nat (inside,outside) static interface service tcp ssh ssh access-group outside_access_in in interface outside
Note: The host is the Airport’s WAN IP. The address located on the subnet between the ASA and Router. This is because the Airport is performing NAT.
For the VPN portion of the configuration, I personally used the VPN wizard from the ASDM and it worked fine. Using OS X and iOS primarily, I chose to use IPSec. During the configuration I chose to do split tunneling which only redirects local traffic through the VPN and leaves the internet traffic through the client’s connection.
After you configure your VPN you might want to allow it to access the inside network:
object network inside-network subnet 10.1.0.0 255.255.255.0 object network vpn-network subnet 10.2.0.0 255.255.255.192 nat (inside,outside) source static inside-network inside-network destination static vpn-network vpn-network no-proxy-arp route-lookup
Block pings from hitting your outside interface with this:
icmp deny any outside
Enable scanning threat detection:
threat-detection scanning-threat shun except ip-address 10.1.0.0 255.255.255.0
To setup QoS first perform some speed tests at various times to gauge your actual bandwidth. You will also need to plan which traffic you wish to prioritize. We can only control what leaves our ASA. What comes in from your ISP has already traveled to its final destination and forcing the ASA to shape this traffic would be a waste. The argument says TCP will naturally kick in due to drop packets on the sender’s end and throttle down his send. I think it could have some advantages in paper however I have no real world evidence to support or refute anything nor do I plan on shaping the downstream traffic.
Here is a basic example of traffic shaping your outside interface’s upstream and prioritizing VoIP over IAX2:
class-map VoIP match port udp eq 4569 policy-map PriorityPol class VoIP priority policy-map OutPol class class-default shape average 1800000 service-policy PriorityPol service-policy OutPol interface outside
Note: The numbers used were calculated based on a 2Mbit upload.
To setup SNMP use the following (fill in the community, location and contact):
snmp-server host inside 10.2.0.2 poll community public version 2c snmp-server location Home snmp-server contact [email protected] snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
To enable logging with email alerts perform the following:
logging from-address [email protected] logging recipient-address [email protected] level critical smtp-server 10.1.0.3 logging enable asdm history enable logging asdm informational logging buffer-size 16384 logging timestamp logging list email-notification level errors logging list email-notification level notifications class auth logging list email-notification level notifications class config logging list email-notification level notifications class session logging list email-notification message 109033 logging list email-notification message 109034 logging list email-notification message 315004 logging list email-notification message 315011 logging list email-notification message 605004 logging list email-notification message 710002 logging list email-notification message 111001 logging list email-notification message 111004 logging list email-notification message 113005 logging list email-notification message 113012 logging list email-notification message 113015 logging list email-notification message 611101 logging list email-notification message 611102 logging list email-notification message 102001 logging list email-notification message 199001 logging list email-notification message 199009 logging list email-notification message 502103 logging list email-notification message 111008 logging list email-notification message 613003 logging list email-notification message 603108 logging list email-notification message 719019 logging list email-notification message 719020 logging list email-notification message 719022 logging list email-notification message 719023 logging list email-notification message 111010 logging device-id ipaddress outside logging monitor email-notification logging buffered email-notification logging mail email-notification logging class auth mail warnings logging class config mail warnings logging class session mail warnings logging class vpdn mail warnings
WCCP was something I quickly became a fan of and decided to jump right in. I am now running a dedicated Squid3 proxy VM that not only caches but also strips ads. By using the ASA’s feature and location I was able to transparently proxy the entire homes port 80 traffic. I decided not to touch SSL caching. The key to a proxy in THIS environment is the subnet. The proxy MUST be in the inside vlan subnet of the ASA (ex. 10.1.0.3).
After setting up a working squid3 simply add these settings to your ASA:
access-list wccp_redirect extended permit tcp object inside-network any eq www wccp web-cache redirect-list wccp_redirect wccp interface inside web-cache redirect in
If this still looks puzzling then you are probably missing the GRE tunnel needed. This is a great resource here: Cisco ASA and Squid with WCCP2.