ASA5505 Security Plus VLAN Trunking

Asked by maver1ck4000 in Network Software Firewalls

Tags: ASA5505, VLAN

Background:
We are a small company; I am the only SA and have been researching and self-teaching myself about this ASA5505. We currently have about 20 servers, and a good number of virtual servers. We have an internet connection coming directly into the ASA, then the ASA is connected to a couple of Netgear 24-port switches, unmanaged. The ASA handles everything: DHCP, VPN, and routing. The servers we host are web servers, so pretty much everything is blocked unless you are on the VPN, except ports 80 and 443. I have NAT set up for some of the servers, and everything has been fine.

On to the question:
Recently I have been working on adding some networks for growth planning and organization. I have been working on setting up a test network on 10.0.5.0/24; this network, like all the rest that I will be setting up in the future, needs to be able to talk to the internet as well as to all the other networks; specifically, in this case it needs to talk to 10.0.0.0/24. I have been reading a lot online and have been able to get the basic configuration set up, but no matter what I do I am unable to get the networks to talk to each other, nor am I able to get 10.0.5.0 to talk to the internet (at one point, before I started with trunking, they were at least able to talk to the internet). I have been getting different errors, mostly about portmap address translation, which I was able to fix, then NAT translation group errors, which I was then able to fix, but after trying all sorts of different NAT configs I just end up getting SYN timeout errors whenever I try to SSH or Remote Desktop into my test machines. The same goes for when I try to SSH or RDP into any machine on the main network from the 10.0.5.0/24 network. The two 10.0.5.0/24 machines are able to talk to each other fine. Right now I have no need for added security on the internal network; I want all VPN/wireless clients to be able to talk to all networks. As we grow there might be a need to restrict access to certain interfaces, but that can be done through ACLs pretty easily. Any help or advice you can give would be great; I have posted my current config below. I also have the most updated versions of ASDM and ASA IOS.

Thanks.
: Saved
:
ASA Version 8.2(1) 
!
hostname *
domain-name *
enable password *
passwd *
names
name #.#.#.#5 CHICAGO403
name #.#.#.#6 CHICAGO404
name #.#.#.#8 CHICAGO395
name #.#.#.31 CHICAGO168
name 10.0.5.0 server-network
 
 
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif T1
 security-level 99
 ip address #.#.#.206 255.255.255.240 
 ospf cost 10
!
interface Vlan3
 nameif server
 security-level 100
 ip address 10.0.5.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup T1
dns domain-lookup server
dns server-group DefaultDNS
 name-server 10.0.0.104
 domain-name cisco.intranet
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Zabbix tcp
 description Monitoring
 port-object eq 10050
 port-object eq 10051
object-group service Web
 service-object tcp eq www 
 service-object tcp eq https 
 service-object udp eq www 
object-group service DNS
 service-object tcp eq domain 
 service-object udp eq domain 
access-list levelfivevpn_splitTunnelAcl standard permit any 
access-list T1_access_in extended permit ip any any inactive 
access-list T1_access_in extended permit ip host CHICAGO403 any 
access-list T1_access_in extended permit ip host CHICAGO404 any 
access-list T1_access_in extended permit ip host CHICAGO168 any 
access-list T1_access_in extended permit ip host CHICAGO395 any 
access-list T1_access_in extended permit object-group Web any host #.#.#.194 
access-list T1_access_in extended permit object-group Web any host #.#.#.196 
access-list T1_access_in extended permit object-group Web any host #.#.#.197 
access-list T1_access_in extended permit tcp any host #.#.#.197 eq smtp 
access-list T1_access_in extended permit object-group Web any host #.#.#.201 
access-list T1_access_in extended permit object-group Web any host #.#.#.202 
access-list T1_access_in extended permit object-group Web any host #.#.#.203 
access-list T1_access_in extended permit object-group Web any host #.#.#.204 
access-list T1_access_in extended permit object-group DNS any host #.#.#.204 
access-list T1_access_in extended permit tcp any host #.#.#.204 eq ssh 
access-list T1_access_in extended permit object-group Web any host #.#.#.205 
access-list T1_access_in extended permit icmp any any traceroute inactive 
access-list T1_access_in extended permit tcp any host #.#.#.195 eq 3389 inactive 
access-list T1_access_in extended permit ip any host #.#.#.198 
access-list T1_access_in extended permit ip server-network 255.255.255.0 any 
access-list T1_access_in extended permit ip 10.0.0.0 255.255.255.0 any 
access-list level5test_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0 
access-list T1_nat_outbound extended permit ip vpn-network 255.255.255.0 any 
access-list inside_nat0_outbound extended permit ip vpn-network 255.255.255.0 any 
access-list inside_nat0_outbound extended permit ip any vpn-network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any server-network 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list T1_nat_outbound_1 extended permit ip vpn-network 255.255.255.0 any 
access-list dmz_access_in extended permit ip any any 
access-list servers_access_in extended permit ip any any 
access-list server_access_in extended permit ip any any 
access-list server_access_in_1 extended permit icmp any any echo-reply 
access-list server_access_in_1 extended permit icmp any any unreachable 
access-list server_access_in_1 extended permit icmp any any time-exceeded 
access-list server_access_in_1 extended permit icmp any server-network 255.255.255.0 
access-list server_access_in_1 extended permit ip any any 
access-list server_nat0_outbound extended permit ip server-network 255.255.255.0 10.0.0.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
logging mail emergencies
logging from-address l*
logging recipient-address * level errors
mtu inside 1500
mtu T1 1500
mtu server 1500
ip local pool *pool2 10.0.1.2-10.0.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any T1
icmp permit any server
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (inside) 1 interface
global (T1) 1 interface
global (server) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (T1) 1 access-list T1_nat_outbound_1 dns
nat (T1) 1 access-list T1_nat_outbound dns outside
nat (server) 0 access-list server_nat0_outbound
nat (server) 1 0.0.0.0 0.0.0.0 dns
static (inside,T1) #.#.#.197 10.0.0.100 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.196 10.0.0.101 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.194 10.0.0.103 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.204 10.0.0.104 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.200 10.0.0.105 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.201 10.0.0.110 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.202 10.0.0.111 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.203 10.0.0.112 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.195 10.0.0.113 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.205 10.0.0.126 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.197 10.0.0.100 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.196 10.0.0.101 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.194 10.0.0.103 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.204 10.0.0.104 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.200 10.0.0.105 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.201 10.0.0.110 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.202 10.0.0.111 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.203 10.0.0.112 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.195 10.0.0.113 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.205 10.0.0.126 netmask 255.255.255.255 dns 
static (inside,T1) #.#.#.198 10.0.0.21 netmask 255.255.255.255 dns 
static (inside,inside) #.#.#.198 10.0.0.21 netmask 255.255.255.255 dns 
access-group inside_access_in in interface inside
access-group T1_access_in in interface T1
access-group server_access_in_1 in interface server
route T1 0.0.0.0 0.0.0.0 #.#.#.193 1
route inside vpn-network 255.255.255.0 10.0.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LEVEL5LDAP protocol ldap
 reactivation-mode depletion deadtime 60
 max-failed-attempts 5
aaa-server * (inside) host *
 ldap-base-dn *
 ldap-scope subtree
 ldap-naming-attribute uid
 server-type openldap
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.0.0.254 community public udp-port 161
snmp-server location*
snmp-server contact *
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df T1
crypto dynamic-map T1_dyn_map 20 set pfs group1
crypto dynamic-map T1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map T1_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map T1_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map T1_dyn_map 20 set reverse-route
crypto dynamic-map T1_dyn_map 40 set pfs group1
crypto dynamic-map T1_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map T1_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map T1_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map T1_dyn_map 40 set reverse-route
crypto dynamic-map T1_dyn_map 60 set pfs group1
crypto dynamic-map T1_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map T1_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map T1_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map T1_dyn_map 60 set reverse-route
crypto map T1_map 65535 ipsec-isakmp dynamic T1_dyn_map
crypto map T1_map interface T1
crypto isakmp enable inside
crypto isakmp enable T1
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
vpn-addr-assign local reuse-delay 5
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 1440
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 1
console timeout 0
management-access inside
dhcpd address 10.0.0.5-10.0.0.99 inside
dhcpd dns 10.0.0.104 interface inside
dhcpd wins 10.0.0.125 interface inside
dhcpd domain level5 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.0.0.104 source inside prefer
webvpn
 enable T1
 svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 1
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 2
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy levelfivevpn internal
group-policy levelfivevpn attributes
 banner value Welcome to the Level Five Solutions network.  The Level Five Solutions network and VPN are for business related use only, all activity while connected to this network is monitored and logged.
 banner value If there are any questions or problems please email admin@levelfivesolutions.com for assitance, and for emergencies call 913-220-7883.
 wins-server value 10.0.0.125
 dns-server value 10.0.0.104
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value levelfivevpn_splitTunnelAcl
group-policy level5any internal
group-policy level5any attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list none
  svc ask enable
username administrator password moFTh3LGLZlp9/q. encrypted privilege 15
username jlear password 1klDEtXNysS7TUa0 encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool level5pool2
 authentication-server-group LEVEL5LDAP
tunnel-group levelfivevpn type remote-access
tunnel-group levelfivevpn general-attributes
 address-pool level5pool2
 authentication-server-group LEVEL5LDAP
 default-group-policy levelfivevpn
tunnel-group levelfivevpn ipsec-attributes
 pre-shared-key *
tunnel-group level5any type remote-access
tunnel-group level5any general-attributes
 address-pool level5pool2
 authentication-server-group LEVEL5LDAP
 default-group-policy level5any
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect pptp 
!
service-policy global_policy global
smtp-server *
mount Share type cifs
 server *
 share *
 domain *
 username *
 password ********
 status enable
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
no compression svc http-comp
: end
asdm image disk0:/asdm-621.bin
asdm history enable
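A small lint of the conditions the inside <-> server flow above depends on, added here as an example (not the asker's code, not Cisco's, and not the hidden accepted solution): it parses the relevant lines of the posted config, verifies that the nat 0 exemption covers each direction of the flow, and flags any VLAN that leaves the Ethernet0/1 trunk 802.1Q-tagged, which matters because the downstream Netgear switches are described as unmanaged. Interface, ACL and network names are those in the posted config; the check logic and its wording are the example's own.

```python
import ipaddress
# Lines copied from the config posted above (only the ones these checks read).
CONFIG = """\
name 10.0.5.0 server-network
interface Vlan1
 nameif inside
interface Vlan3
 nameif server
interface Ethernet0/1
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
access-list inside_nat0_outbound extended permit ip any server-network 255.255.255.0
access-list server_nat0_outbound extended permit ip server-network 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (server) 0 access-list server_nat0_outbound
"""

def parse(text):
    """Collect names, interfaces with their sub-commands, extended ACLs and nat 0 bindings."""
    cfg = {"names": {}, "ifaces": {}, "acls": {}, "nat0": {}}
    cur = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if line[0] == " " and cur is not None:  # interface sub-command: keep its last token
            cur[t[2] if t[0] == "switchport" else t[0]] = t[-1]
        elif t[0] == "interface":
            cur = cfg["ifaces"][t[1]] = {}
        else:
            cur = None
            if t[0] == "name":
                cfg["names"][t[2]] = t[1]
            elif t[0] == "access-list" and t[2] == "extended":
                cfg["acls"].setdefault(t[1], []).append(t[3:])
            elif t[0] == "nat" and t[2] == "0":
                cfg["nat0"][t[1].strip("()")] = t[4]
    return cfg

def _operand(tok, i, names):
    """One ACE address operand, 'any' or 'NET MASK' (names resolved) -> (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{names.get(tok[i], tok[i])}/{tok[i + 1]}", strict=False), i + 2

def exempted(cfg, ifname, src, dst):
    """True if the nat 0 ACL bound to ifname has an active 'permit ip' ACE covering all of src -> dst."""
    for ace in cfg["acls"].get(cfg["nat0"].get(ifname), []):
        if ace[:2] == ["permit", "ip"] and ace[-1] != "inactive":
            a_src, i = _operand(ace, 2, cfg["names"])
            a_dst, _ = _operand(ace, i, cfg["names"])
            if src.subnet_of(a_src) and dst.subnet_of(a_dst):
                return True
    return False

def check_flow(cfg, src_if, src_net, dst_if, dst_net, trunk="Ethernet0/1"):
    """Findings that would break src_if <-> dst_if traffic; an empty list means none found."""
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    vlan_of = {v["nameif"]: k[len("Vlan"):] for k, v in cfg["ifaces"].items() if "nameif" in v}
    out = []
    for ifn, a, b in ((src_if, src, dst), (dst_if, dst, src)):  # nat 0 must cover both directions
        if not exempted(cfg, ifn, a, b):
            out.append(f"no nat 0 exemption on {ifn} for {a} -> {b}, so it falls through to PAT")
    tr = cfg["ifaces"][trunk]
    tagged = set(tr["allowed"].split(",")) - {tr["native"]}  # VLANs that leave the trunk 802.1Q-tagged
    for ifn in (src_if, dst_if):
        if vlan_of[ifn] in tagged:
            out.append(f"VLAN {vlan_of[ifn]} ({ifn}) is tagged on {trunk}; untagged hosts behind an unmanaged switch never receive it")
    return out
```

For the posted lines the NAT exemptions check out in both directions and the only finding is that VLAN 3 is carried tagged, which is the thing to confirm against the switches before touching NAT again.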
 
09/20/09 10:26 AM, ID: 25377984, Accepted Solution

Solution Provided By: jodylemoine
Participating Experts: 1
Solution Grade: A
09/20/09 06:49 PM, ID: 25379828, Author Comment

09/20/09 07:31 PM, ID: 25379963, Expert Comment

09/24/09 11:36 AM, ID: 25416332, Author Comment