Solved

Configuring Interfaces and Routing with Cisco ASA 5505

Posted on 2007-11-28
Last Modified: 2008-04-01
Hello All,

I've been working more closely with the Cisco ASA 5505 device as of late and starting to get more hands-on for overall knowledge of the device... I was hoping someone can help me with configuring/explaining interfaces and simple routing with the ASA 5505.

Basically, my network has 2 VLANs configured by a Dlink switch. One VLAN is used for VoIP and the other is the company network.

I was wondering with my ASA 5505, could I configure it to route traffic between the 2 VLANs?

On my ASA, VLAN 1 is used for the Inside network and VLAN 2 is used for Outside... I was hoping to configure another interface with the IP address/subnet of the VoIP VLAN and have traffic routed back and forth.

Is this a viable solution or do I need a real router in between?
Question by:jetli87
7 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 20371093
the asa can do it.  you just need to create the virtual interfaces, assign the appropriate vlan tag, security level, etc.  then just create the acls and static or global/nat entries to allow traffic to traverse the interfaces.

example


int eth0/0.10
  vlan 10
  nameif voip
  security-level 75
  ip address .....

global (outside) 5 <ip address>
nat (voip) 5 0 0

that's just a rough example though

The ASA does basic routing. The main thing to remember about Cisco firewalls, though, is they don't allow return path traffic. Meaning if a packet sent to the inside interface needs to go back out the inside interface, it is dropped. This is because Cisco firewalls are considered pure security devices and allowing this kind of traffic can open the device up for certain types of attacks.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 20371099
however you said the outside connection is a vlan.  this should be on a separate interface of the asa.  partly for security so you don't have to worry about vlan attacks, but also because I believe the 5505 model only allows 2 vlans unless the security plus license is purchased
0
 
LVL 1

Author Comment

by:jetli87
ID: 20376753
understood...so in this situation:

1 Dlink 48 Port Switch with 2 Vlan, 1) VOIP: 10.20.111.0/255.255.255.0  & 2) LAN: 10.20.100.0/255.255.255.0  

Cisco ASA 5505: 10.20.100.1 Connected directly to 10.20.100.0/255.255.255.0  Vlan port.

What is the best way to get devices on both VLANs to communicate with each other and for the 10.20.111.0/255.255.255.0 network to reach the internet if need be?

0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 1500 total points
ID: 20377308
switch needs to of course have the port trunked and configured to process the vlans (not sure how to configure dlink)

ASA:
1) like I said, just configure the voip sub-interface on the physical port.  This auto-trunks that physical port.
2) after you assign the correct vlan tag on the interface, the asa can now process that vlan's data
3) now you have to create a global/nat combination so the voip network can communicate to the internet. then for communication between the voip and inside networks, you'll create a static entry (easiest method for inter-interface transformation config)
4) also, you need to configure an acl and assign it to the voip interface defining which traffic is allowed. however, if you wish, you can assign it the same security-level of the inside interface and then just ensure the ASA is configured for inter-interface communication
0
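The four ASA steps from the accepted solution, written out with the addresses given in this thread, as an added example that is not part of the original answer. It uses the 5505's `interface Vlan` / `switchport` form and pre-8.3 NAT syntax; the VLAN ID 111, the 10.20.111.1 interface address, Ethernet0/1 as the trunk port, the call server 10.20.100.10 and the ACL name are assumptions.

```cisco
! Added example; pre-8.3 NAT syntax to match the thread's global/nat/static.
! Assumed values: VLAN ID 111, ASA VoIP address 10.20.111.1, trunk on
! Ethernet0/1, call server 10.20.100.10, ACL name voip_in.
! Trunk ports on the 5505 require the Security Plus license.
!
! Steps 1-2: VoIP interface with its VLAN tag, carried on a trunk port
interface Vlan111
 nameif voip
 security-level 75
 ip address 10.20.111.1 255.255.255.0
!
interface Ethernet0/1
 switchport trunk allowed vlan 1,111
 switchport mode trunk
!
! Step 3: internet access for the VoIP subnet (PAT to the outside address)
global (outside) 5 interface
nat (voip) 5 10.20.111.0 255.255.255.0
!
! Step 3: inside LAN is presented untranslated to the voip interface
static (inside,voip) 10.20.100.0 10.20.100.0 netmask 255.255.255.0
!
! Step 4: inbound ACL on voip. Only SIP to the assumed call server may
! reach the inside LAN; everything else toward the LAN is denied before
! the final rule lets the VoIP subnet out to the internet.
access-list voip_in extended permit udp 10.20.111.0 255.255.255.0 host 10.20.100.10 eq sip
access-list voip_in extended deny ip any 10.20.100.0 255.255.255.0
access-list voip_in extended permit ip 10.20.111.0 255.255.255.0 any
access-group voip_in in interface voip
```

For the same-security-level alternative in step 4, the voip interface would instead get `security-level 100` and the global command `same-security-traffic permit inter-interface`, which removes the ACL as the control point between the two networks.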
 
LVL 1

Author Comment

by:jetli87
ID: 20377347
Thanks Cyclops, i'll test out the config this weekend and get back to you.

until then, enjoy!
0
 

Expert Comment

by:etonnemacher
ID: 21663032
Hey cyclops - the asa 5505 doesn't do virtual interfaces does it?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 21665364
yes, but how many depends on the license you have; base or security plus
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question