Solved

VLAN/Subnet setup on ASA 5505

Posted on 2008-06-17
Last Modified: 2012-06-27
Hello All,

I have an ASA 5505 that has been working great for a few years with 2 VLANs configured. One for the outside (216.64.x.x) and one for the inside (192.168.0.1). We recently installed IP Office and will soon connect our remote office to our main office. I need to set up another VLAN/Subnet which will be 192.168.1.x to support our remote office. Although I am not new to networking, I don't typically work on firewalls/switches all the time - once I set mine up with the help from people on this site - it pretty much runs itself.

How do I add another VLAN/Subnet (192.168.1.x) to my basic ASA 5505? I don't have the Security Plus license; can this still be done? I attempted to do this last night, but I don't think it's correct - see running config below:

Thx


Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.x.2 255.255.255.240
 ospf cost 10
!
interface Vlan12
 no nameif
 no security-level
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name audiology.org
same-security-traffic permit inter-interface
access-list mailserver extended permit tcp any host 216.64.x.10 eq smtp
access-list mailserver extended permit tcp any host 216.64.x.4 eq https log
access-list mailserver extended permit tcp any host 216.64.x.4 eq www
access-list outside_in extended permit tcp any host 216.64.x.4 eq https
access-list outside_in extended permit tcp any host 216.64.x.4 eq www
access-list outside_in extended permit tcp any host 216.64.x.3 eq www
access-list outside_access_in remark RDP for Bkana
access-list outside_access_in extended permit tcp any host 216.64.x.12 eq 3389
access-list outside_access_in remark AAADC2
access-list outside_access_in extended permit tcp any host 216.64.x.10 eq smtp
access-list outside_access_in extended permit tcp any host 216.64.x.4 eq ftp
access-list outside_access_in remark Web Portal/AAAMBR02
access-list outside_access_in extended permit tcp any host 216.64.x.4 eq www
access-list outside_access_in remark Web Portal/AAAMBR02
access-list outside_access_in extended permit tcp any host 216.64.x.4 eq https
access-list outside_access_in extended permit tcp any host 216.64.x.10 eq https
access-list outside_access_in remark RDP for CRM
access-list outside_access_in extended permit tcp any host 216.64.x.8 eq 3389
access-list outside_access_in extended permit tcp any host 216.64.x.10 eq www
access-list outside_access_in remark HTTP access for CRM
access-list outside_access_in extended permit tcp any host 216.64.x.8 eq www
access-list outside_access_in extended permit tcp any host 216.64.x.5 eq https
access-list outside_access_in extended permit tcp any host 216.64.x.5 eq www
access-list outside_access_in extended permit tcp any host 216.64.x.9 eq www
access-list outside_access_in extended permit tcp any host 216.64.x.9 eq https
access-list outside_access_in extended permit tcp any host 216.64.x.9 eq 46168
access-list outside_access_in remark RDP for WebPortal Svr
access-list outside_access_in extended permit tcp any host 216.64.x.x eq 3389
access-list inside_nat0_outbound extended permit ip any 192.168.0.160 255.255.255.240
access-list outside_access extended permit tcp any host 216.64.x.6 eq 3389
access-list AAA_split_tunnel_ACL extended permit ip 192.168.0.0 255.255.255.0 any
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 150
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.50.1-192.168.50.254 mask 255.255.255.0
ip local pool AAAIPPOOL 192.168.0.161-192.168.0.180 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.x.3-216.64.78.12 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 216.64.x.4 192.168.0.4 netmask 255.255.255.255
static (inside,outside) 216.64x.12 192.168.0.212 netmask 255.255.255.255
static (inside,outside) 216.64.x.8 192.168.0.12 netmask 255.255.255.255
static (inside,outside) 216.64x.10 192.168.0.62 netmask 255.255.255.255
static (inside,outside) 216.64.x5 192.168.0.66 netmask 255.255.255.255
static (inside,outside) 216.64.x.9 192.168.0.8 netmask 255.255.255.255
static (inside,outside) 216.64.x.3 192.168.0.37 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.64.78.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NTWRKSVRS protocol ldap
aaa-server NTWRKSVRS host 192.168.0.62
 timeout 5
 ldap-scope onelevel
group-policy Audiology_VPN internal
group-policy Audiology_VPN attributes
 banner value Welcome to the Audiology Network.
 dns-server value 192.168.0.8 192.168.0.62
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AAA_split_tunnel_ACL
 default-domain value audiology
group-policy vpnpolicy internal
group-policy vpnpolicy attributes
 banner value You are entering a secured network for authorized personal only.
 dns-server value 192.168.0.8 192.168.0.62
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value audiology
username sbishop password Eeg.fmr26DELXEKw encrypted privilege 5
username sbishop attributes
 vpn-group-policy Audiology_VPN
username lowens password ZikxJcEBZ0YqVONZ encrypted privilege 5
username lowens attributes
 vpn-group-policy Audiology_VPN
username cgallow password cxuXh2CnVa2e5tEm encrypted privilege 5
username cgallow attributes
 vpn-group-policy Audiology_VPN
username equinn password Lctoi4gVDnZoklWY encrypted privilege 5
username equinn attributes
 vpn-group-policy Audiology_VPN
username cfurr password RKlWPtus9hqzax8A encrypted privilege 5
username cfurr attributes
 vpn-group-policy Audiology_VPN
username bwertheim password v/.qI7/EEH1aAXjD encrypted privilege 5
username bwertheim attributes
 vpn-group-policy Audiology_VPN
username vanessas password 7IE6D1eIfx0KcZHE encrypted privilege 5
username vanessas attributes
 vpn-group-policy Audiology_VPN
username meggano password TB2g6ELNob5JQpTe encrypted privilege 5
username meggano attributes
 vpn-group-policy Audiology_VPN
username skelley password fLQvCBmxMLbGw02J encrypted privilege 5
username skelley attributes
 vpn-group-policy Audiology_VPN
username bkana password 7nGPp4eh4G.KZH7p encrypted privilege 15
username bkana attributes
 vpn-group-policy Audiology_VPN
username wkana password dDw7XyPkGrrKlkzN encrypted privilege 15
username wkana attributes
 vpn-group-policy vpnpolicy
username jwilson password yhQDuki0An31.NuN encrypted privilege 5
username jwilson attributes
 vpn-group-policy Audiology_VPN
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group Audiology_VPN type ipsec-ra
tunnel-group Audiology_VPN general-attributes
 address-pool AAAIPPOOL
 default-group-policy Audiology_VPN
tunnel-group Audiology_VPN ipsec-attributes
 pre-shared-key *
tunnel-group vpntunnel type ipsec-ra
tunnel-group vpntunnel general-attributes
 address-pool vpnpool
 default-group-policy vpnpolicy
tunnel-group vpntunnel ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:5d1d3f632b1fd0b18f66ad565f0178e8
: end
Question by:bkana
19 Comments
 
LVL 11

Expert Comment

by:billwharton
ID: 21801976
Unfortunately not. Before you can enable a switch port on the ASA 5505, it must be assigned to a VLAN. With the Base platform, each switch port can be assigned to only one VLAN at a time. With the Security Plus license, you can use a single port to trunk between 20 VLANs on an external switch, enabling you to scale your deployment for larger organizations.

Once you upgrade to the Security Plus license, you can follow the instructions on this page. It works wonderfully and I've been using it on production networks. The ASA5505 is a powerful box for SMBs with under 100 users.
http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/vlans.html
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 21802040
You can have 3 VLANs without the Security Plus license so you are okay.  You need to assign interface(s) to VLAN12 for the new subnet, i.e. the port that connects to the switch in the new office.

First assign a name to the VLAN12 interface:

conf t
int vlan12
nameif remoteoffice

Then assign a port to VLAN12:

conf t
interface e0/7
switchport access vlan 12

You may also need DHCP for the new office:

conf t
dhcpd address 192.168.1.2-192.168.1.129 remoteoffice
0
 
LVL 11

Expert Comment

by:billwharton
ID: 21802079
You can have 3 VLANs but they are not fully operational. The base license has major limitations attached to it. For example, the DMZ is only able to go out to the Internet. You cannot access DMZ devices from the inside and they cannot access you. You need the Security Plus for this. In your case, if the 192.168.1.x VLAN is only supposed to go out to the Internet, that's fine. But remember that if anybody from that network tries to access the inside network or vice versa, they won't be able to. So any DNS, file or print servers on the inside network would be inaccessible to the 192.168.1.x computers.

Hope this helps



0
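Pulling JFrederick29's three steps and billwharton's Base-license caveat together, here is a complete version of the third-VLAN change as an added example (it was not posted by either of them). It uses the Vlan12 interface already in bkana's running config and the e0/7 port and DHCP range from JFrederick29's reply; the security-level, the DHCP DNS options and the nat line are assumptions. On the Base license the ASA refuses a third nameif unless the interface is first restricted with `no forward interface`, so the example bars Vlan12 from initiating traffic to Vlan1 (inside), which is the one-way DMZ behaviour billwharton describes; it also adds the nat statement the new interface needs to share the existing `global (outside) 1` pool, which the thread does not mention.

```cisco
! Added example, not from the thread: third VLAN on a Base-licensed ASA 5505 (7.2)
! The "no forward interface" line must precede nameif on the Base license,
! otherwise nameif is rejected; it stops Vlan12 initiating traffic to Vlan1.
conf t
interface Vlan12
 no forward interface vlan 1
 nameif remoteoffice
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! Put a physical switch port into VLAN 12 (e0/7 as in JFrederick29's reply; pick an unused port)
interface Ethernet0/7
 switchport access vlan 12
 no shutdown
!
! DHCP on the new segment (DNS servers copied from the VPN group-policy; assumption that they should serve this LAN)
dhcpd address 192.168.1.2-192.168.1.129 remoteoffice
dhcpd dns 192.168.0.8 192.168.0.62 interface remoteoffice
dhcpd enable remoteoffice
!
! Without its own nat line, hosts on the new interface are sent to the Internet
! with private source addresses; this lets them use the existing global (outside) 1 pool
nat (remoteoffice) 1 192.168.1.0 255.255.255.0
!
write memory
! Verify: the new interface is up and named, and VLAN 12 has a member port
show interface ip brief
show nameif
show switch vlan
```

Because of the forward restriction, this form still will not let 192.168.1.x reach the IP Office or voice-mail server on 192.168.0.x, exactly as billwharton warns; the security-level of 50 only matters for the direction the ASA still allows.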
 

Author Comment

by:bkana
ID: 21802101
billwharton:
Thanks for your quick reply. Just to clarify, of all of my current switch ports (Ethernet0/0 - outside) (Ethernet1/1 - 8/8), I can't take Ethernet 2/2 or 3/3 and assign a different subnet? Although I believe I have the basic license, what is the best way to check? And, if I had the correct license, looking at my running config - did what I did to set up the 3rd VLAN look correct to you? Short of using the link you provided (thank you), what are the correct commands to use to set up the other subnet?

I read somewhere that one could setup a 3rd VLAN, but had to "route it" to one of the other VLANs already setup. So basically, the Base platform only supports 2 VLANs?
0
 
LVL 11

Expert Comment

by:billwharton
ID: 21802139
1) Look at the show version of your device and you'll see the last line identify the license. In my case, you see below it's the security plus

Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 25        
WebVPN Peers                : 2        
Dual ISPs                   : Enabled  
VLAN Trunk Ports            : 8        

This platform has an ASA 5505 Security Plus license.


2) You will have to attach multiple VLANs to a single physical interface like this:
interface Ethernet0/1
 switchport trunk allowed vlan 5-6,10 (you can add as many as you want)
 switchport mode trunk

Then, you can define VLANs and your configuration; you seem to be defining VLANs fine. You'll also need to configure a trunk port on the switch (the port which connects to the firewall):
interface FastEthernet0/xx
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5-6, 10
 switchport mode trunk

Once again, I strongly recommend only moving ahead with the security+ license as I'm sure you'll hit some issues you wouldn't have thought of at this time
0
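For contrast with the Base-license approach, here is the Security Plus form of the same change, adapted to bkana's VLAN numbers, as an added example (not billwharton's own snippet, which uses VLANs 5-6 and 10 for illustration). With that license Vlan12 becomes an ordinary routed interface and one ASA switch port can trunk VLAN 1 and VLAN 12 to the office switch. The assumptions are that e0/1 is the port cabled to the FSM726 and that the Netgear side is set to tag VLAN 12 and carry VLAN 1 untagged; billwharton's Catalyst-style `switchport trunk` commands do not apply to a Netgear switch, which is configured through its own interface.

```cisco
! Added example, not from the thread: Security Plus variant with a trunk port
! Vlan12 needs no "no forward interface" line once Security Plus is installed
conf t
interface Vlan12
 nameif remoteoffice
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Trunk toward the switch (e0/1 is an assumption). The link partner must tag VLAN 12
! and send VLAN 1 untagged to match the native VLAN configured here.
interface Ethernet0/1
 switchport trunk allowed vlan 1,12
 switchport trunk native vlan 1
 switchport mode trunk
 no shutdown
!
! Both LAN interfaces now sit at security-level 100, and the running config already has
! "same-security-traffic permit inter-interface", so 192.168.1.x hosts can reach the
! IP Office and servers on 192.168.0.x without additional access-lists.
! Internet access for the new interface still needs its own nat line
! so it can use the existing "global (outside) 1" pool.
nat (remoteoffice) 1 192.168.1.0 255.255.255.0
!
write memory
! Verify the license actually allows it and the trunk carries both VLANs
show version | include VLAN
show switch vlan
```

If `show version` still reports the Base license, the `nameif` on Vlan12 is rejected with a license error, which is the quickest confirmation that the key has not been applied yet.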
 
LVL 43

Expert Comment

by:JFrederick29
ID: 21802150
Very interesting billwharton, I didn't realize that.  I guess I have always been spoiled using 5505's with the security plus license.
0
 

Author Comment

by:bkana
ID: 21802172
JFrederick29: Thanks for your reply. Will the commands you gave me overwrite what my current config shows, or will I have to go back first and take out what I did before applying your commands?
 
billwharton: I do need the 192.168.1.x to access the Internet, that is one of the goals I am trying to accomplish; they also need to access the voice-mail server and IP Office phone system, which is currently on the 192.168.0.x network - which will not work without upgrading, correct?

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 21802231
You don't have to remove anything first before applying the commands.  How is the remote site physically connecting into the Firewall?
0
 

Author Comment

by:bkana
ID: 21802354
(1) Did the show version, and I am indeed only running the Base version.

(2) Do your statements about attaching multiple VLANs to a single physical interface only apply if I had the Security Plus license, or are you providing a workable solution to my current setup? I understand that if this is the case I still may run into issues.

"interface Ethernet0/1
 switchport trunk allowed vlan 5-6,10 (you can add as many as you want)
 switchport mode trunk" ------is this the actual command that I would send to the device?

My Ethernet0/1 interface is my inside interface, will doing the above command only add new configuration to it, or are you only showing an example? I'm a little confused about the "vlan 5-6,10" portion.

Thanks for all your help on this.


0
 

Author Comment

by:bkana
ID: 21802426
JFrederick29:
There's going to be two Adtran routers setup: one here and one at the remote site, the remote site will have a Netgear Prosafe G724 with address of 192.168.1.230, with the Adtran being 192.168.1.228/24

The other Adtran (192.168.0.226) will connect to my NetGear FSM726 here at my office. The FSM726 is where I plug the firewall into. I will also have the IP Office and voice mail server also on that switch.

The goal is to have my remote office be able to access the new IP Office phone system, as well as the voice mail server as if they were sitting here.  Hope that was clear.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 21802518
If you have a router at both sites, you don't need to setup a third interface on the ASA.  You can simply have the Adtran route between offices or do you want to limit access?  You could use access-lists on the Adtran to accomplish this.
0
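JFrederick29's point is that with an Adtran at each site the remote subnet is simply a routed network behind the inside interface, so the ASA only needs to know where it lives. The following is an added example of that approach (not JFrederick29's own commands), using the addresses bkana gave: the main-office Adtran at 192.168.0.226 and the remote Adtran at 192.168.1.228. It assumes the Adtrans already route 192.168.1.0/24 between the sites and that the main-office Adtran uses the ASA (192.168.0.1) as its default gateway. The one step that is easy to miss is `same-security-traffic permit intra-interface`: inside hosts whose gateway is the ASA will send 192.168.1.x packets to the ASA, which must turn them around on the same interface toward the Adtran, and the ASA drops that hairpin unless it is explicitly permitted.

```cisco
! Added example, not from the thread: reaching the routed remote subnet via the Adtran,
! with no third VLAN on the ASA
conf t
! Where 192.168.1.0/24 lives: behind the main-office Adtran on the inside segment
route inside 192.168.1.0 255.255.255.0 192.168.0.226 1
!
! Allow inside->inside hairpin so hosts that default-route to the ASA can reach 192.168.1.x
same-security-traffic permit intra-interface
!
! No new nat line is needed for Internet access: "nat (inside) 1 0.0.0.0 0.0.0.0"
! already PATs any source arriving on the inside interface, including 192.168.1.x
!
! Let remote-access VPN clients (pool 192.168.0.161-180) reach the remote office,
! following the pattern the existing config uses for 192.168.0.x:
! exempt the traffic from NAT and add the subnet to the split-tunnel list
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.160 255.255.255.240
access-list AAA_split_tunnel_ACL extended permit ip 192.168.1.0 255.255.255.0 any
!
write memory
! Verify the static route is installed and the remote Adtran answers
show route
ping 192.168.1.228
```

Keeping 192.168.1.x behind the Adtran also means the firewall never sees traffic between the two offices that stays on the switch, so any restriction between the sites has to live on the Adtran access-lists JFrederick29 mentions rather than on the ASA.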
 

Author Comment

by:bkana
ID: 21802589
I do not want to limit access, as they should have the same capabilities as people in the main office. The converged engineer who is configuring the Adtrans for me (off-site) said there would have to be a second subnet set up on my firewall to support the remote office - which is going to use the 192.168.1.x network, where I use the 192.168.0.x network. All of the devices (IP Office, Voice-Mail svr, File svr, etc.) will be on the 192.168.0.x network. I too am a little surprised as to why there had to be another subnet set up on the firewall - but it made sense at the time. Let me get an answer from him as to why we just couldn't set up the Adtrans as you suggested. Stand by...   and thanks for all your help on this!
0
 

Author Comment

by:bkana
ID: 21908520
Sorry for the delay in getting back to this.

I've decided to upgrade my ASA 5505 to the Security Plus License. My only question is how this is done. Can someone provide instructions on how to update/upgrade to the Security Plus License?

Thx
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 250 total points
ID: 21908785
Use the "activation-key" command to install the license.

conf t
activation-key <license key>
0
 

Author Comment

by:bkana
ID: 21909436
Thx Jfrederick29 !
0
 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 250 total points
ID: 21913193
But before he uses that command, he'll need to purchase the license
1) You'll need to purchase this part number - ASA5505-SEC-PL= which has a list price of $850

2) Then, once you get the license, you'll need to register the key at cisco's website (the license pak will give you details on this)

3) Finally, you'll need to use the activation-key command and restart your firewall.

Hope this helps. Please close the case if you don't have any additional questions

Thank you
0
 

Author Comment

by:bkana
ID: 21915367
Thanks for the additional info billwharton.
I actually got the license through my vendor for $559 and should receive it soon.
I already have a login account to Cisco's site - that will allow me to register the key correct?
Does the activation-key command restart the firewall by default, or is that a separate function?
I think I got it.

With the 2 of you helping me with this, who should get the points?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 21915376
You can split the points if you like.
0
 

Author Closing Comment

by:bkana
ID: 31467919
Cheers to the both of you!
0
