Cisco ASA 5520 configuration on two SITE, A and B


I am a network admin at a company.
So my company has two sites, A and B, and we are using a 4 MB internet connection from our ISP via optical fiber.

My IPs are 10.1.5.x with a subnet mask of

I'm using a Cisco 2800 series router for the internet connection perimeter, and just before my LAN I have a Cisco ASA 5520; this is on Site A. All this equipment is correctly configured and working properly, as it was configured by the company from which we bought the machines.

But as we have two sites, we therefore also bought two other Cisco 2800 series routers and a Cisco ASA 5520, which I have to configure at Site B.

Note: I have approx. 150 PCs on Site A and about 100 on Site B, all connected to my LAN and the internet, and on a dedicated domain.

My problem is that I'm kind of new to the ASA business and don't have much experience.

So how can I configure the router and ASA on Site B?

How does the configuration have to be set according to the Site A configuration, so that both ASAs and maybe the routers can communicate with each other?

How do I configure the routing protocol, NAT, PAT etc., and how can I implement VLANs on them so I can segregate PCs from different departments, so they don't see each other and don't send unnecessary traffic or broadcasts to others?

Here is a show run config from the ASA on Site A:

ASA-FW# sh run
: Saved
ASA Version 7.0(8)
hostname ASA-FW
enable password      encrypted
passwd                encrypted
interface GigabitEthernet0/0
 description "Link-To-GW-Router"
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 description "Link-To-Local-LAN"
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 description "Link-To-DMZ"
 nameif dmz
 security-level 50
 ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 description "Local-Management-Interface"
 no nameif
 no security-level
 ip address
ftp mode passive
access-list OUT-TO-DMZ extended permit tcp any host eq smtp
access-list OUT-TO-DMZ extended permit tcp any host eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list cap extended permit ip 255.255.25
access-list cap extended permit ip 255.255.25
no pager
logging enable
logging buffer-size 5000
logging monitor warnings
logging trap warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (dmz,outside) tcp www www netmask 255.255.255
static (dmz,outside) tcp smtp smtp netmask 255.255.2
static (inside,dmz) netmask
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
: end

I'm honestly sorry if my query may look simple, but I'm really worried about it.

So can anyone please, please help me with this particular issue?

Update: What I want to know is how I can make the two ASA 5520s plus the 2800 routers communicate among themselves on the network. Please note that the two sites are already communicating through the fiber optic connection, but what about the other ASA 5520 and the router? Is a site-to-site IPsec VPN the solution for them to communicate safely? How can I make it happen? What must the configuration look like? Remember, as I said, the sites are already communicating via the optical fiber connection, so from one building I can read and write to a file. My problem is that now I'm left with another ASA 5520 plus a 2800 router to be configured for the other site. What must I do, and how?

Best Answer

You have quite a lot of options with the equipment you have. The main limitation right now seems to be your lack of familiarity with the ASA platform. If time is limited, then you should probably seek support/consulting from where the ASAs were obtained. If money is more critical than time, then you need to study up on ASA VPNs.

A good place to start is the Cisco Press ASA book (ISBN 978-1-58705-819-6) which has walkthroughs for setting up VPNs amongst other things, as well as explaining the concepts. The documentation available online is also essential reading, but it can be a bit hard to find exactly what you need.

You may also want to upgrade the firmware and ASDM on your ASAs. Version 7 is quite old now, and the more recent ASDM interfaces are a little better IMO. Also, if the Site B ASA is a more recent purchase, it is very likely it has a more recent firmware. You will find life easier if they are both on the same version.

When reading the documentation, it is essential you are reading the documentation that matches your firmware version - there are quite different configuration syntaxes between version 7.0 and the most recent version (8.4).