Small office network with Cisco firewall

scott46

Distinguished
Mar 5, 2010
26
0
18,530
Hello all: First off, I am not a network guy. Our non-profit literacy center just moved from a different location. We have had two separate W7 networks: Student network- 10 computers which go direct to the internet via a Netgear 24 port switch, then to a port on our Comcast gateway; Staff network- 4 computers that connect to a Windows 2008 server and to the switch. We want to install a Cisco ASA5505 firewall on the staff side so students go to the internet through the Netgear switch and Comcast gateway and staff go to the internet through the firewall and then to the Comcast gateway.

Connecting the 4 staff computers the same way as the student computers to the Netgear switch allows staff to access data on the server and the internet. When I plug the staff network into the Cisco firewall and then into the Comcast gateway, we can access the internet but not the server. Before the move, the server was assigned a static IP address. To get it to work at the new location, using the same setup as the students prior to installing the firewall, we changed the server to DHCP. When I install the Cisco firewall on the staff side I can no longer get to the server but can get to the internet. I know nothing about static IP or DHCP but I know what they mean. The Cisco installation software asks if we want static or DHCP for vlan1 (outside network), vlan2 (inside network), vlan3 (DMZ). No frickin idea.

Being a non-profit, we have little money to pay someone who knows what they are doing so I am trying to learn. Any suggestions?
 

Yimman

Reputable
Dec 8, 2014
30
0
4,560


Hello Scott46,

I will try to keep this as simple as possible.

Is your Windows Server on the same subnet as your staff host devices?
Is your server connected directly to the router or a switch? -> Was not fully clear.
What VLAN is your Server using?
What VLAN are your host devices using?
Are the students on their own VLAN?
Are you using access control lists (ACL) to route employee traffic to the router and students directly to the gateway?

If you can reply with the output of show run from both the switch and ASA it can help me to identify exactly why you cannot access the server. Also include the subnet for the server and employee networks. To get the subnet, open the network manager and find the IP address and subnet mask--something like 192.168.0.10 with a subnet mask of 255.255.255.0.

**Remove any usernames and password fields prior to pasting your response**

 

scott46

Distinguished
Mar 5, 2010
26
0
18,530


Yimman, ignore the student piece. Those go directly from the computers to the Comcast box through a switch. There is no connection between student and staff networks. I probably shouldn't have even mentioned it.

Staff have four computers. Three computers connect direct to a 16 port Netgear switch then to the Comcast box on individual cables. The server and my computer connect through a switch in my room then to the 16 port Netgear switch, then to the Comcast box. I want to replace the 16 port Netgear switch with the Cisco firewall.

The rest of your question about subnets and vlans I don't understand. I've tried to find some on-line tutorials that would help but I have been unable to. Maybe I'm asking the wrong questions.

I have diagrammed our current network but I don't see a way to share that here.
 

Yimman

Reputable
Dec 8, 2014
30
0
4,560


Your question is good and I understand what you are asking. Your response provided me with enough information to make a mental topology of your network. Without further information, I do not believe that the problem is with your ASA. It sounds as though either your computer and the server are not on the same network (different VLANs), or there is something wrong with the server.

To check the IP address for your server and computer, type cmd into Windows Run. At the command prompt type ipconfig. You may get a lot or a little output; however, the results you are looking for will be at the top of the output. A subnet mask of 255.255.255.0 means that any device in the range 192.168.0.0 through 192.168.0.255 is on the same network. 255 means that the numbers must match exactly and 0 represents 0 to 255. 192.168.1.10 does not match, and your switch would not be able to communicate with that device.

A great starting point once you get the addresses of your computer and the server is to try to ping one from the other. Again from cmd type ping [address]. I would type ping 192.168.0.10. If you get a reply, it means that traffic from your computer is reaching the server. You can also try it from the other employee computers to confirm that the problem is not with the cables or other physical equipment.

VLANs are a bit more difficult to fully explain and require the use of the ASA to transfer data between devices that may be on the same switch. You can find excellent videos on YouTube by CBTNuggets that will help you understand the technology and give you a good reference point from which to start troubleshooting the problem.

I know it is a lot of information. Let me know if you need any additional assistance and I will gladly follow up.

Yimman
 

scott46

Distinguished
Mar 5, 2010
26
0
18,530

The 4 staff computers seem to ping to the server ok but they take a pretty long time to log on to the server after a user enters their logon and password. I'm going to make up some numbers so our ip address isn't public but here is what I see:

Server: IPv4 - 25.1.25.110, subnet 255.255.255.0

But our server is set to DHCP. Does this matter? Won't the IP address change on a reboot?
 

Yimman

Reputable
Dec 8, 2014
30
0
4,560
Scott,

Were you able to resolve the problem you were having?

It is best practice to assign a static IP address to your server within the subnet of the other devices on your switch. Starting over on some of the logic (I do not remember a lot of what I typed earlier), the server should be on the DMZ zone interface. BUT if you have it connected to the switch with your four employee computers, then they should never have had a problem accessing the server.

For DMZ interface the server should have its own address that is not on the same subnet as the employee computers. Think 192.168.2.100 -> Server on DMZ and 192.168.1.1-4 -> employee computers on the switch connecting to your LAN zone interface. Either way do not use DHCP for your server.

If you resolved this already, perfect. If you have not let me know the following:

1) Internal IP address of server
2) DHCP pool for your internet network
3) What is your server connected to (ASA or switch) and port numbers
4) Is there any reason for Internet traffic to access your 2008 server?

On a network of your size, I would recommend not using DHCP at all and managing each device with a static IP. Since you are using an ASA 5505, I also recommend putting the server on the DMZ zone and not directly in connection with your switch/employee devices. This is for security reasons.

You can use the following example to setup your network:

-Disable DHCP on your ASA: from global config enter 'no dhcpd'
-Confirm that your zones have an IP address and are tied into your interfaces: you can use show run to confirm this
-Assign ip addresses to each computer. Example:
--Host: 192.168.1.2 through 4
--Gateway: 192.168.1.1 -> This is the IP address of your LAN interface on the ASA
--Subnet: 255.255.255.0
---This is just an example and you can use whatever address ranges that you want.

ASA devices by default allow LAN -> DMZ traffic, so there are no extra settings that you need to enter, unless you need traffic to originate from the server to the hosts. Then you will need to create a rule to allow DMZ -> LAN traffic. This can also be found on the Cisco website.

Thanks,

Yimman
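The two rules the replies above rely on (the subnet-mask check from the earlier ipconfig/ping reply, and the static addressing plan with the server on the DMZ and the ASA's default higher-to-lower security-level policy from this one) can be checked against a proposed addressing plan before anything is typed into the ASA. The following is an added example, not code from the thread or from Cisco; every address, zone name and host name in it is constructed for illustration, and the security levels (inside 100, dmz 50, outside 0) are the common ASA 5505 defaults assumed here.

```python
"""Added example: validate a small ASA 5505 addressing plan.

Two rules from the thread are encoded:
  1. Two hosts only talk directly when they share a subnet (ipconfig check).
  2. The ASA permits traffic by default only from a higher security level to
     a lower one (inside 100 -> dmz 50 -> outside 0); anything initiated the
     other way needs an explicit access-list.
All addresses, zone and host names below are constructed, not the poster's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    security_level: int              # ASA interface security level, 0-100
    network: ipaddress.IPv4Network   # subnet behind that VLAN interface
    gateway: ipaddress.IPv4Address   # the ASA's own address on that VLAN


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when both addresses fall in one network under the given mask.
    strict=False lets a host address plus mask (192.168.0.10/255.255.255.0)
    be turned into its network (192.168.0.0/24) automatically."""
    net = ipaddress.IPv4Network((addr_a, mask), strict=False)
    return ipaddress.IPv4Address(addr_b) in net


def flow_needs_acl(src: Zone, dst: Zone) -> bool:
    """Default ASA policy: higher -> lower level passes with no extra config;
    lower -> higher, and equal levels, need an access-list (or
    same-security-traffic permit) before the ASA will forward it."""
    return src.security_level <= dst.security_level


def validate_plan(zones: Dict[str, Zone],
                  hosts: List[Tuple[str, str, str]]) -> List[str]:
    """hosts are (name, address, intended zone). Returns human-readable
    problems; an empty list means every host can reach its own gateway."""
    problems: List[str] = []
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for name, addr, zone_name in hosts:
        ip = ipaddress.IPv4Address(addr)
        zone = zones[zone_name]
        if ip not in zone.network:
            problems.append(f"{name} {addr} is outside {zone_name} "
                            f"({zone.network}); it cannot reach {zone.gateway}")
        if ip == zone.gateway:
            problems.append(f"{name} {addr} collides with the ASA {zone_name} interface")
        if ip in seen:
            problems.append(f"{name} {addr} duplicates {seen[ip]}")
        seen[ip] = name
    return problems


def flows_needing_acl(zones: Dict[str, Zone],
                      hosts: List[Tuple[str, str, str]],
                      flows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """flows are (initiating host, destination host). Returns the flows the
    ASA drops by default, tagged with the zone pair an access-list must cover."""
    by_name = {h[0]: h for h in hosts}
    dropped = []
    for src_name, dst_name in flows:
        src, dst = zones[by_name[src_name][2]], zones[by_name[dst_name][2]]
        if flow_needs_acl(src, dst):
            dropped.append((src_name, dst_name, f"{src.name}->{dst.name}"))
    return dropped


# Constructed plan following the reply: staff PCs static on inside, server
# static on the DMZ, no DHCP. The outside address is whatever the Comcast
# gateway sits on; 10.1.10.0/24 is an assumption for the example.
ZONES = {
    "inside": Zone("inside", 100, ipaddress.IPv4Network("192.168.1.0/24"),
                   ipaddress.IPv4Address("192.168.1.1")),
    "dmz": Zone("dmz", 50, ipaddress.IPv4Network("192.168.2.0/24"),
                ipaddress.IPv4Address("192.168.2.1")),
    "outside": Zone("outside", 0, ipaddress.IPv4Network("10.1.10.0/24"),
                    ipaddress.IPv4Address("10.1.10.2")),
}
HOSTS = [
    ("staff-pc1", "192.168.1.2", "inside"),
    ("staff-pc2", "192.168.1.3", "inside"),
    ("staff-pc3", "192.168.1.4", "inside"),
    ("scott-pc", "192.168.1.5", "inside"),
    ("win2008-server", "192.168.2.100", "dmz"),
]
# The symptom from the thread: server still on a DHCP lease from another
# subnet, so packets from the PCs never leave their own network.
BROKEN_HOSTS = HOSTS[:4] + [("win2008-server", "192.168.0.110", "dmz")]
# PCs log on to the server (inside->dmz); the server pushing to PCs is dmz->inside.
FLOWS = [("staff-pc1", "win2008-server"), ("win2008-server", "staff-pc1")]

if __name__ == "__main__":
    print("plan problems:", validate_plan(ZONES, HOSTS) or "none")
    print("broken plan:", validate_plan(ZONES, BROKEN_HOSTS))
    print("flows needing an ACL:", flows_needing_acl(ZONES, HOSTS, FLOWS))
```

Run it as a script to see the broken plan flagged (the server address is outside the DMZ subnet) and the one flow, server initiating to a staff PC, that needs a DMZ -> inside access-list; replies to connections the PCs open are handled by the ASA's stateful inspection and need no rule.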
 

scott46

Distinguished
Mar 5, 2010
26
0
18,530
Yes, I worked with Cisco for a little over an hour (plus about two hours waiting for them to call) but it all got settled last week. I did have to set a static IP address for the server but they did the rest. All is good. Thank you for your suggestions.