*Coder Blog

Life, Technology, and Meteorology

Month: September 2008

Wireless Network

When upgrading to the ASA 5505 router, I was left in a situation where there would be two routers on my home office network: the ASA acting as the main wired router, and my old Linksys router acting as a host for wireless clients. The ASA was connected to the cable modem from my provider, and I set the internal network to 192.168.1.0. The wireless router was a host on that internal network with a WAN IP of 192.168.1.5 and a LAN network of 192.168.5.0. This works fine when accessing hosts on the internet, but it was less than ideal when trying to access the wired internal network from a wireless computer. Because of the firewall and NAT happening on the Linksys device, wireless devices were second-class citizens on the LAN.

There was this little radio button on the Linksys router that would switch the device from Gateway mode to Router mode. Hmm, that looked promising, so I tried it. This was nice, because NAT was no longer active…a host on the 192.168.1.0 network could talk to a host on the wireless 192.168.5.0 network. The drawback was that I would have to add a separate route on each wired host to send traffic for the 192.168.5.0 network through 192.168.1.5 instead of the default ASA gateway at 192.168.1.1. With the relatively small size of my network here, that’s not much of a problem, but I still felt there should be a better way.

Since I wanted to stick with one default route of 192.168.1.1, I looked into adding another VLAN to the ASA box, to see if it could route packets to 192.168.5.0 down the port that connects to the wireless router. Unfortunately, my ASA is only licensed for 3 VLANs, all of which are in use (outside link, inside link, and DMZ). I could spend a few hundred bucks upgrading my ASA license to support more VLANs, but it just didn’t seem worth it.

Another option is to add a managed switch to the internal network and use that to set up VLANs. New hardware is always fun, but again this would cost a couple hundred bucks, and there has to be another way…

Finally, the solution became immediately obvious…so obvious that it’s amazing I hadn’t thought of it before. Instead of connecting a wire from an internal port on the ASA to the WAN port on the Linksys, I tried connecting from the same internal port on the ASA to an internal LAN port on the Linksys, leaving the WAN port on the Linksys unused.

This setup works perfectly. I changed the internal network of the Linksys to the same 192.168.1.0 as the ASA internal network, and gave the Linksys an internal IP of 192.168.1.2. The ASA already runs a DHCP server on the 192.168.1.0 network, so I disabled the Linksys DHCP server. Wireless hosts are now first-class citizens on this network…
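The ASA-side settings this final layout depends on, as an added example that is not from the post: the Linksys now sits on the inside network as a plain access point with a static 192.168.1.2 and its own DHCP server off, so the one thing to check is that the ASA's DHCP pool cannot hand out that address. The interface name Vlan1 and the pool range are assumptions.

```cisco
! Added example (not from the post): ASA inside interface and DHCP server.
! The wireless router keeps static 192.168.1.2 and serves no DHCP, so the
! ASA pool below is chosen to exclude .2 (range is an assumption).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd enable inside
!
! After a wireless client associates, confirm it is a directly connected
! inside host (a 192.168.1.x lease and an ARP entry on the inside interface),
! with no second NAT hop in between.
show dhcpd binding
show arp
```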

ASA Port Forwarding

I came across the first less-than-trivial configuration situation on the ASA router this morning—port forwarding. On consumer routers, this is absolutely simple to set up: just specify what port number you want to forward and select the internal IP to forward it to. On the ASA, it’s a bit more complicated, and I decided to document it here in case anyone is Googling around for an answer. For this example, we are forwarding incoming traffic on port 8080 to a device on the internal network using the same port number.

First, you have to add the port to be forwarded to the outside interface’s access list. In ASDM, go to the Configuration panel under the Firewall section. Then click on Access Rules, and select the outside interface in the table. Click the Add button. Here, use the following settings:

  • Interface: outside
  • Action: Permit
  • Source: any
  • Destination: any
  • Service: tcp/8080 (or any other port number you would like to forward)
  • Description: (optional)
  • Enable Logging: (optional)

Click OK to add the access rule. Then click Apply at the bottom to upload the configuration to the router. In the end, it should look like this:

Now that we are allowing traffic on that port, we need to tell the router where to send the traffic. Click on the NAT Rules section and click the Add button to add a Static NAT Rule, using the following settings:

  • Original Interface: inside
  • Original Source: 192.168.1.5 (replace with internal IP)
  • Translated Interface: outside
  • Translated IP: Use Interface IP Address
  • Enable Port Address Translation (PAT)
  • PAT Protocol: TCP
  • PAT Original Port: 8080 (replace with your port, on the outside interface)
  • PAT Translated Port: 8080 (replace with your port, on the internal device)

Again, hit OK to add the NAT rule and apply the settings to the router. It should look like this:

That’s it, you’re done!
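The CLI equivalent of the two ASDM steps above, as an added example that is not from the post, using the pre-8.3 ASA syntax current when this was written. The access-list name outside_access_in is an assumption; the internal device is 192.168.1.5 as in the post, and the test addresses in the last line are placeholders.

```cisco
! Added example (not from the post): pre-8.3 ASA CLI for the same forward.
! Step 1: permit inbound TCP/8080 on the outside interface. The destination
! is narrowed from "any" to the outside interface's own address, which is all
! the forward needs; replacing "any" as the source with the known client
! network tightens it further when the clients are predictable.
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-group outside_access_in in interface outside
!
! Step 2: static PAT, outside-interface-address:8080 -> 192.168.1.5:8080.
static (inside,outside) tcp interface 8080 192.168.1.5 8080 netmask 255.255.255.255
!
! Check from the CLI that a packet arriving on outside is both permitted by
! the ACL and translated by the static (203.0.113.9 stands in for a test
! client and 198.51.100.20 for the ASA's current outside address).
packet-tracer input outside tcp 203.0.113.9 40000 198.51.100.20 8080
```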

Updated Gaucho Network

For quite some time now, I’ve been wanting to upgrade my office network, which doubles as my home network as well. From the business standpoint, I wanted some more reliable equipment along with some added security by enabling me to connect to the office network over a VPN when I’m on the road. From the home standpoint, I wanted to add a couple of ethernet outlets upstairs, mostly to enable the quick transfer of media from the file server downstairs, as wireless can be pretty slow.

A few weeks ago, I finally took the initiative and started looking at some equipment. For networking, no one is going to blame you for ordering Cisco equipment, so I started there. Their routers start at about $350-400 and move up from there pretty quickly, which is more than I originally was looking to spend, so I started looking at a few other brands. Brands like ZyXEL offer less-expensive business-grade equipment at about half the price, and I checked all the high-end equipment offered by consumer brands like Netgear and Linksys.

It didn’t take long to rule out the consumer equipment. While a lot of the features were there, I was constantly running into reviews complaining about reliability issues, and to me that was a key issue. Another common issue with consumer equipment was bandwidth capacity. A lot of them only handled around 15MBits, with some others moving up to 50-75MBits. VPN speeds were definitely slower, most of the time running around 10MBits because of the extra processing required to encrypt the packets. Ignoring VPN, these routers were faster than my network connection (10MBits), but I was looking more for something to handle up to 100MBits so it would grow with my connection for many years to come. Despite this limitation, a lot of them had gigabit connections on the WAN side. Not sure why…

While doing my research, I kept going back to look at the Cisco router. I was looking specifically at their ASA line of products. The ASA line replaces the older PIX routers, and there is quite a model spread from the 5505 for small office environments, all the way up to the 5580 for the enterprise. Even at the low end, the 5505 was able to handle 150MBits of throughput for unencrypted traffic, and an impressive 100Mbits of VPN traffic bandwidth. All of the reviews said the device was rock-solid and never crashed. Setup seemed to be a bit more difficult, with a lot of it taking place on a command line, but I have some past experience with Cisco’s IOS and thought this would be a good time to brush up on my knowledge. Finally, with support for VLANs, a built-in 8-port Cisco switch with 2 Power-over-Ethernet ports, and an insane 10,000 simultaneous connections supported, it was hard not to like this device.

I ended up going for it, and a shiny new 5505 is sitting on my desk. The device is a lot easier to configure than I originally expected. The device arrives with a dynamic configuration by default, so it just worked when I plugged it in to my network. It also serves a Java-based configuration application over HTTPS. Configuring the VPN end-point and getting the iPhone to connect to it and split-tunnel all traffic through the router took all of 20 minutes. It’s taking me a little longer to configure my Mac to connect over the VPN, but I just need to spend some more time on it. I find it ironic that the iPhone is more prepared for the enterprise than the Mac is. Overall, I couldn’t be happier with my decision.

Switching gears a little bit here, on the home side of adding additional outlets, I bought a 24-port patch panel to punch down all the cabling on, and 500 feet of Cat 5e to wire it all up. Cat 6 was definitely a consideration, but it cost twice as much, and with Cat 5e handling gigabit just fine I saw no need to spend the extra money. If 10-gigabit starts becoming standard, I’ll just upgrade the cabling in my office.

Dropping the lines from upstairs has been a bit more difficult than I was expecting. I naively expected to be able to look up the wall from the basement and see the outlet connection box from below. Of course, this isn’t the case, as each wall has a bottom 2×4 plate to complete that edge of the frame. I’m still working on finding the best way to send the wire through a small hole in the connection box and hit a small hole at the bottom of the wall frame.

I still have some work to do, but will try to update this with photos when the job is completed. Stay tuned.

© 2017 *Coder Blog