ASA 5550 behind ASA 5505

Discussion in 'Cisco' started by Dogg Child, Jun 7, 2010.

  1. Dogg Child

    Dogg Child Guest

    Hi all,

    Excuse me at first if I don't explain this properly, I'll try...
    I have one internet link, and two ASA5505's, and two "networks" that need
    access from and to internet.
    The main idea is that 1st 5505 would be configured with 3 interfaces -
    In, Out, DMZ.
    Through DMZ I would forward all traffic from one public IP (exmpl. x.x.x.5)
    to 2nd 5505. Basically DMZ on 1st 5505 would be connected to Out interface
    on 2nd 5505, and not filtering anything.
    Out interf. on 1st 5505 would have other pub IP (exmpl. x.x.x.4).
    Behind both 5505's I have different subnets that require some access from
    and to the internet.

    q1: Would that kind of wiring and connecting work?

    q2: If that would work, is it possible to configure / limit speed/bandwidth
    for DMZ "link"?

    q3: I guess when 2nd 5505 initiates IPsec tunnel (site-to-site) that the 1st
    one wouldn't be aware of that (licence issues?) ?

    q4: All services that need to be accessible from the internet behind 2nd
    5505 would be accessible if configured only on 2nd 5505 ?

    That's it so far, I hope I wouldn't bother you anymore.

    Tnx in advance & regards,
    --


    ....
    :: Dogg.Child:::Honored.member.of.The.Wu-Tang.Clan ::

    dogg[AltGr+V]nkc-sisak.hr
    ....
     
    Dogg Child, Jun 7, 2010
    #1

  2. "Dogg Child" <dogg[AltGr+V]@nkc-sisak.hr> wrote:

    > Hi all,
    >
    > Excuse me at first if I don't explain this properly, I'll try...
    > I have one internet link, and two ASA5505's, and two "networks" that need
    > access from and to internet.
    > The main idea is that 1st 5505 would be configured with 3 interfaces -
    > In, Out, DMZ.
    > Through DMZ I would forward all traffic from one public IP (exmpl. x.x.x.5)
    > to 2nd 5505. Basically DMZ on 1st 5505 would be connected to Out interface
    > on 2nd 5505, and not filtering anything.
    > Out interf. on 1st 5505 would have other pub IP (exmpl. x.x.x.4).
    > Behind both 5505's I have different subnets that require some access from
    > and to the internet.
    >
    > q1: Would that kind of wiring and connecting work?


    Yes, I believe so. But I don't understand why you need the second 5505.

    > q2: If that would work, is it possible to configure / limit speed/bandwidth
    > for DMZ "link"?


    You can set the port speed to 10 Mbps or 100 Mbps.

    > q3: I guess when 2nd 5505 initiates IPsec tunnel (site-to-site) that the 1st
    > one wouldn't be aware of that (licence issues?) ?


    Yes, the first 5505 is just passing the traffic.

    > q4: All services that need to be accessible from the internet behind 2nd
    > 5505 would be accessible if configured only on 2nd 5505 ?


    Yes, if the first one is configured for full access.
     
    Jyri Korhonen, Jun 8, 2010
    #2

  3. Dogg Child

    Dogg Child Guest

    Tnx for reply, my answers/questions are below.

    --


    ....
    :: Dogg.Child:::Honored.member.of.The.Wu-Tang.Clan ::

    dogg[AltGr+V]nkc-sisak.hr
    ....


    "Jyri Korhonen" <> wrote in message
    news:U2rPn.17427$...
    > "Dogg Child" <dogg[AltGr+V]@nkc-sisak.hr> wrote:
    >
    >> Hi all,
    >>
    >> Excuse me at first if I don't explain this properly, I'll try...
    >> I have one internet link, and two ASA5505's, and two "networks" that need
    >> access from and to internet.
    >> The main idea is that 1st 5505 would be configured with 3 interfaces -
    >> In, Out, DMZ.
    >> Through DMZ I would forward all traffic from one public IP (exmpl.
    >> x.x.x.5) to 2nd 5505. Basically DMZ on 1st 5505 would be connected to Out
    >> interface on 2nd 5505, and not filtering anything.
    >> Out interf. on 1st 5505 would have other pub IP (exmpl. x.x.x.4).
    >> Behind both 5505's I have different subnets that require some access
    >> from and to the internet.
    >>
    >> q1: Would that kind of wiring and connecting work?

    >
    > Yes, I believe so. But I don't understand why you need the second 5505.


    Second 5505 is needed for other "project" and "routing + VPN's".

    >
    >> q2: If that would work, is it possible to configure / limit
    >> speed/bandwidth for DMZ "link"?

    >
    > You can set the port speed to 10 Mbps or 100 Mbps.


    Can I, for example, from 10 Mbps internet link "give" only 2 Mbps to 2nd 5505?

    >
    >> q3: I guess when 2nd 5505 initiates IPsec tunnel (site-to-site) that the
    >> 1st one wouldn't be aware of that (licence issues?) ?

    >
    > Yes, the first 5505 is just passing the traffic.


    Great.

    >
    >> q4: All services that need to be accessible from the internet behind 2nd
    >> 5505 would be accessible if configured only on 2nd 5505 ?

    >
    > Yes, if the first one is configured for full access.


    Full access, you mean that full access is enabled on DMZ "port" only, and
    other "inside" ports are using firewall rules configured for them only?
     
    Dogg Child, Jun 8, 2010
    #3
  4. Morph

    Morph Guest

    Morph, Jun 8, 2010
    #4
  5. Morph

    Morph Guest

    In the message <> Morph wrote:

    | In the message <hulf94$5ac$-com.hr> "Dogg Child"
    | <dogg[AltGr+V]@nkc-sisak.hr> wrote:
    |
    | | Can i for example from 10Mbps internet link "give" only 2 Mbps to 2nd 5505?
    |
    | http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/qos.html

    Traffic shaping must be applied to all outgoing traffic on a physical
    interface or in the case of the ASA 5505, on a VLAN. You cannot
    configure traffic shaping for specific types of traffic.
     
    Morph, Jun 8, 2010
    #5
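
The shaping rule quoted in the post above, applied to the 2 Mbps question, as an added configuration example that is not part of the original thread. It assumes the first ASA's VLAN interface toward the second 5505 is named `dmz`; the policy-map name `DMZ-SHAPE` is made up for illustration.

```cisco
! Added example, not from the thread. Assumed names: interface "dmz" (the
! VLAN on the first ASA that faces the second 5505), policy-map "DMZ-SHAPE".
!
! Shaping is only accepted under class-default, so it covers everything
! leaving the interface; no per-traffic-type class can be matched here.
! The rate is in bits per second and must be a multiple of 8000.
policy-map DMZ-SHAPE
 class class-default
  shape average 2000000
!
! Attach the policy to the VLAN interface. Shaping acts on outbound traffic
! only, so this caps what the first ASA sends toward the second 5505.
service-policy DMZ-SHAPE interface dmz
!
! Check the shaping counters and queue drops after applying:
! show service-policy interface dmz
```

Traffic from the second 5505 toward the internet leaves the first ASA through its outside interface, so this policy does not limit that direction.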