
Thread: Cisco ASA 5505.

  1. #1
    spoon_

    Cisco ASA 5505.

    Is anyone using ASA 5505/5510 at home for their cable connection at all?

    If you do please speak up!


    Adrian

  2. #2
    Jay

    Re: Cisco ASA 5505.

    Not for cable, no, but I do have my ADSL on a 5505.
    □ΞVΞ□

  3. #3
    Shad

    Re: Cisco ASA 5505.

    It only has 10/100Mb ports, doesn't it? Starting to be a limit for cable connections, assuming you're looking for top speeds.

    How does it compare to the RV220W?
    Simon


  4. #4
    spoon_

    Re: Cisco ASA 5505.

    Thanks guys, I managed to figure out how to NAT in IOS > 8.3 - they've completely changed things around.

    The only issue I now have is with DNS: all of my resources point at the DC for local name resolution and the DC has a conditional forwarder pointing back at the ASA. Now when a DNS query passes from the DC to the ASA and out to my ISP servers, on the way back it gets blocked and resolution doesn't happen...

    One way around this is to deploy local DNS to just forward DNS queries. It's a shame the ASA cannot do forwarding, kinda understandable as it's a firewall, not a router.

    Been reading some way around it using static NAT but haven't actually tried any workarounds.

    Are you guys experiencing similar issues?

    It would, obviously, not be a problem if I didn't have a DC and pointed at public DNS server but that's not the case.

    @Shad

    Yeah, it's 100Mbps, but there is nothing stopping you from using two ports for the untrusted VLAN and a switch in between? Just a thought though..

  5. #5
    badass

    Re: Cisco ASA 5505.

    Originally posted by spoon_:

        Thanks guys, I managed to figure out how to NAT in IOS > 8.3 - they've completely changed things around.

        The only issue I now have is with DNS: all of my resources point at the DC for local name resolution and the DC has a conditional forwarder pointing back at the ASA. Now when a DNS query passes from the DC to the ASA and out to my ISP servers, on the way back it gets blocked and resolution doesn't happen...

        One way around this is to deploy local DNS to just forward DNS queries. It's a shame the ASA cannot do forwarding, kinda understandable as it's a firewall, not a router.

        Been reading some way around it using static NAT but haven't actually tried any workarounds.

        Are you guys experiencing similar issues?

        It would, obviously, not be a problem if I didn't have a DC and pointed at public DNS server but that's not the case.

    That sounds completely wrong to me.

    If it's a Windows DC, conditional forwarding isn't necessary. Just use a plain forwarder. Use your ISP's DNS servers as the forwarders, or Google's, etc. (8.8.8.8 and 8.8.4.4).

    On the ASA, simply allow DNS from the DC to the outside world - you don't even need to specify protocols, ports, etc. - use "DNS" in the ACL on the inside interface instead of UDP 53 and it should work. IIRC, the 5505 will allow the responses through the outside interface without the ACL, but I may be wrong.

    If you're having trouble using the ASA as a pseudo DNS server, doing the above avoids using it for DNS at all and is nice and simple.
    Static NAT in this case isn't necessary - only if you are publishing services to the internet.
    "In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."

  6. #6
    spoon_

    Re: Cisco ASA 5505.

    Few things here.

    On 2008/R2 DCs you need to be able to resolve the name of whatever you're forwarding to, so public DNS won't work (static A records don't help either).

    Terminology failed me here, it's a plain forwarder I meant, not conditional.

    On ASA, as far as I know, once you set a rule to get out through WAN you don't need one to get back in - it automatically allows this in.
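
Added example, not written by any poster in this thread and not ASA code: a simplified Python model of the behaviour discussed in posts #5 and #6, where an inside-interface ACL permits DNS from the DC and the reply is admitted from the outside by connection state rather than by an inbound rule. The DC and client addresses and ports are constructed, and NAT and connection timeouts are left out.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    # Inside-interface ACL as (proto, source host, destination port) permits.
    # Anything not listed falls through to the implicit deny.
    inside_acl: set
    conns: set = field(default_factory=set)

    def outbound(self, p: Packet) -> bool:
        """Inside -> outside: checked against the ACL; a permit creates state."""
        if (p.proto, p.src, p.dport) not in self.inside_acl:
            return False  # implicit deny at the end of the ACL
        self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p: Packet) -> bool:
        """Outside -> inside: no permit rule, only replies to tracked flows pass."""
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.conns


DC = "192.168.1.10"      # constructed address for the domain controller
CLIENT = "192.168.1.50"  # constructed address for an ordinary LAN client
RESOLVER = "8.8.8.8"     # forwarder named in post #5


def demo() -> dict:
    # DNS permitted from the DC only, over both UDP and TCP port 53.
    fw = StatefulFirewall(inside_acl={("udp", DC, 53), ("tcp", DC, 53)})
    query = Packet("udp", DC, 50000, RESOLVER, 53)
    reply = Packet("udp", RESOLVER, 53, DC, 50000)
    stray = Packet("udp", RESOLVER, 53, DC, 50001)  # matches no tracked flow
    return {
        "reply_before_query": fw.inbound(reply),
        "dc_query": fw.outbound(query),
        "reply_after_query": fw.inbound(reply),
        "unsolicited_reply": fw.inbound(stray),
        "client_direct_query": fw.outbound(Packet("udp", CLIENT, 40000, RESOLVER, 53)),
    }
```

The last result shows the side effect of a DC-only permit: other inside hosts can no longer query external resolvers directly and must go through the DC.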
