Solved

Configuring Interfaces and Routing with Cisco ASA 5505

Posted on 2007-11-28
2,680 Views
Last Modified: 2008-04-01
Hello All,

I've been working more closely with the Cisco ASA 5505 device as of late and starting to get more hands-on for overall knowledge of the device. I was hoping someone could help me with configuring/explaining interfaces and simple routing with the ASA 5505.

Basically, my network has 2 VLANs configured by a D-Link switch. One VLAN is used for VoIP and the other is the company network.

I was wondering: with my ASA 5505, could I configure it to route traffic between the 2 VLANs?

On my ASA, VLAN 1 is used for the inside network and VLAN 2 is used for outside. I was hoping to configure another interface with the IP address/subnet of the VoIP VLAN and have traffic routed back and forth.

Is this a viable solution, or do I need a real router in between?
Question by:jetli87
7 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 20371093
The ASA can do it. You just need to create the virtual interfaces, assign the appropriate VLAN tag, security level, etc. Then just create the ACLs and static or global/nat entries to allow traffic to traverse the interfaces.

example


int eth0/0.10
  vlan 10                 ! 802.1Q tag this sub-interface receives and sends
  nameif voip             ! logical name referenced by acl, nat and static commands
  security-level 75       ! between inside (100) and outside (0): inside can initiate to voip by default
  ip address .....        ! ASA's address in the voip subnet

global (outside) 5 <ip address>   ! translation pool id 5 on the outside interface
nat (voip) 5 0 0                  ! all voip sources (0.0.0.0 0.0.0.0) use pool 5 when leaving via outside

That's just a rough example, though.

The ASA does basic routing. The main thing to remember about Cisco firewalls, though, is that they don't allow return-path traffic, meaning if a packet sent to the inside interface needs to go back out the inside interface, it is dropped. This is because Cisco firewalls are considered pure security devices, and allowing this kind of traffic can open the device up to certain types of attacks.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 20371099
However, you said the outside connection is a VLAN. This should be on a separate interface of the ASA, partly for security so you don't have to worry about VLAN attacks, but also because I believe the 5505 model only allows 2 VLANs unless the Security Plus license is purchased.
0
 
LVL 1

Author Comment

by:jetli87
ID: 20376753
Understood. So in this situation:

1 D-Link 48-port switch with 2 VLANs: 1) VOIP: 10.20.111.0/255.255.255.0 and 2) LAN: 10.20.100.0/255.255.255.0

Cisco ASA 5505: 10.20.100.1, connected directly to the 10.20.100.0/255.255.255.0 VLAN port.

What is the best way to get devices on both VLANs to communicate with each other, and for the 10.20.111.0/255.255.255.0 network to reach the internet if need be?

0

 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 20377308
The switch needs, of course, to have the port trunked and configured to process the VLANs (not sure how to configure D-Link).

ASA:
1) Like I said, just configure the VoIP sub-interface on the physical port. This auto-trunks that physical port.
2) After you assign the correct VLAN tag on the interface, the ASA can now process that VLAN's data.
3) Now you have to create a global/nat combination so the VoIP network can communicate with the internet. Then, for communication between the VoIP and inside networks, you'll create a static entry (easiest method for inter-interface translation config).
4) Also, you need to configure an ACL and assign it to the VoIP interface defining which traffic is allowed. However, if you wish, you can assign it the same security level as the inside interface and then just ensure the ASA is configured for inter-interface communication.
0
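The four steps above written out as an ASA 5505 configuration for the two subnets in the question. This is an added example, not the poster's or the expert's config; it assumes a Security Plus license (the base license has no trunk ports and restricts the third VLAN from initiating traffic to the inside), pre-8.3 nat/global/static syntax as used in the answer, Ethernet0/0 left in VLAN 2 (outside) as in the factory default, Ethernet0/1 as the trunk to the D-Link, and 10.20.111.1 as the ASA's VoIP-side address.

```text
! Added example (not from the thread). Assumed: Security Plus license, pre-8.3 NAT syntax,
! Ethernet0/1 trunked to the D-Link with native VLAN 1 and tagged VLAN 111 for VoIP.
interface Ethernet0/1
 switchport trunk allowed vlan 1,111
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <outside-ip> <outside-mask>   ! placeholder: ISP-facing address, not from the thread
!
interface Vlan111
 nameif voip
 security-level 75                        ! below inside: LAN may initiate to phones without an acl
 ip address 10.20.111.1 255.255.255.0     ! assumed; phones use this as their default gateway
!
! Step 3a: internet for both subnets via PAT behind the outside interface address (pool id 1)
global (outside) 1 interface
nat (inside) 1 10.20.100.0 255.255.255.0
nat (voip) 1 10.20.111.0 255.255.255.0
!
! Step 3b: identity statics so inside<->voip traffic crosses untranslated
static (inside,voip) 10.20.100.0 10.20.100.0 netmask 255.255.255.0
static (voip,inside) 10.20.111.0 10.20.111.0 netmask 255.255.255.0
!
! Step 4: acl on the voip interface. Phones may reach the LAN subnet and the internet;
! the second line is deliberately broad and should be narrowed to the ports the phone
! system actually needs once they are known. Everything else hits the implicit deny.
access-list voip_in extended permit ip 10.20.111.0 255.255.255.0 10.20.100.0 255.255.255.0
access-list voip_in extended permit ip 10.20.111.0 255.255.255.0 any
access-group voip_in in interface voip
```

Check the result with `show interface ip brief` and `packet-tracer input voip icmp 10.20.111.10 8 0 10.20.100.10`, which walks one simulated packet through the acl, nat and routing phases and reports where it would be dropped.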
 
LVL 1

Author Comment

by:jetli87
ID: 20377347
Thanks Cyclops, I'll test out the config this weekend and get back to you.

until then, enjoy!
0
 

Expert Comment

by:etonnemacher
ID: 21663032
Hey Cyclops, the ASA 5505 doesn't do virtual interfaces, does it?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 21665364
Yes, but how many depends on the license you have: Base or Security Plus.
0
