ASA 5505 ports

Status
Not open for further replies.

maximtory

IS-IT--Management
Aug 24, 2009
4
US
I am trying to configure my ASA 5505 to only allow company PCs connected to my internal LAN and keep others from unplugging ports from their PCs and connecting, say, a laptop. I was thinking about trying to put some type of port security or filtering on the MAC address, but need help doing so.

This is a small branch office, which is part of the reason for the added security. Is there anything we can do to keep users from connecting their personal devices and using the same static IPs we have set to the PCs? Thanks for all your help!
 
Is the 5505 the only "switch" that you have, or do you have something else plugged in downstream of it?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
You're going to want 802.1x running to protect ports on a switch. They will need a password to open the switch port to allow traffic to flow. The setup and maintenance is way more than you want for a small office, I'm guessing. It is pretty involved and requires extra hardware such as a RADIUS server and a manageable switch that supports 802.1x.

Take a look at my 2nd post in this thread for an idea -


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
No, unfortunately. Since this is only a small branch office, this is the only device we are using. There are no switches; we just use the 8 ports on the ASA 5505. Is there any way to secure access on these ASAs?
 
A cut through proxy will work for you but if people give out their passwords then it goes right around it. -

You could alternatively make all internal clients use a VPN to the ASA similar to this -

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Does the second option you suggested disallow people from connecting a personal laptop with a matching IP address to the network cable drop in their office to access the network?

We currently don't use any type of device VPN but are looking to set that up with our new ASAs to the PIX at our main office branch. It looks like the 2nd suggestion is how to set that up, is that correct?

How does that prevent unauthorized PC connections? Thanks!
 
For both, IP or not doesn't matter. They will need to authenticate to the ASA before they can pass traffic.

For option #2 - It's similar to that setup but you will have to tweak it a bit. Basically no PC will be able to get to the internet without the Cisco VPN client set up on that PC with the correct settings AND a proper username and password.

I think option #2 is overkill and the first option is the better choice. You should have an internet/network use policy that outlines what can and can't be done and the consequences. Have everyone sign it and keep it on file. Most important is to enforce it.

Brent
Systems Engineer / Consultant
CCNP, CCSP
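
The cut-through proxy option suggested in this thread, sketched as an added ASA configuration example; it is not from any poster's reply. The interface name `inside`, the subnet 192.168.1.0/24, the ACL name `INSIDE_AUTH` and the user `jsmith` are assumptions to replace with your own values.

```cisco
! Added example: cut-through proxy on an ASA 5505 using the LOCAL user database.
! All names, addresses and the password below are constructed placeholders.

! One local account per employee (placeholder password, change it)
username jsmith password CHANGE-ME

! ACL that selects which traffic must be authenticated.
! "deny" lines exempt traffic from authentication; DNS is exempted so a
! browser can resolve a name and reach the login prompt.
access-list INSIDE_AUTH extended deny udp 192.168.1.0 255.255.255.0 any eq domain
access-list INSIDE_AUTH extended permit ip 192.168.1.0 255.255.255.0 any

! Require authentication for matching traffic arriving on the inside interface
aaa authentication match INSIDE_AUTH inside LOCAL

! Force re-authentication 30 minutes after login, regardless of activity
timeout uauth 0:30:00 absolute

! Text shown to the user in the login prompt
auth-prompt prompt Company network: enter your username and password
```

Users can only trigger the prompt over HTTP, HTTPS, FTP or Telnet, and `show uauth` lists who is currently authenticated. This controls traffic passing through the ASA between interfaces; traffic between hosts on the same VLAN is switched by the 5505's built-in ports and is not subject to it.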
 