Solved

HOW DO I CONFIGURE VLANs ON ASA 5505?

Posted on 2008-06-26
Last Modified: 2012-08-13
On my ASA 5505, I need help to:
1) configure the Ethernet Port 0 (VLAN1) to use a Public IP 216.123.2.192/255.255.255.248 DNS1 207.3.65.22 DNS2 207.3.65.32
2) configure the Ethernet Port 1 (VLAN2) to use an Internal IP 10.0.15.254/255.255.255.0
Question by:gabepcsolutions
23 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21875665
This is a duplicate question already answered, no?

Author Comment

by:gabepcsolutions
ID: 21875713
I had closed the other question before you answered it.... because I thought it was a different issue than the originally intended. I awarded you the points on the last question. We can use this thread if you like.
LVL 29

Expert Comment

by:Jan Springer
ID: 21875934
That works for me.

Author Comment

by:gabepcsolutions
ID: 21876192
Ok then, starting over... can you help me with the CLI to:

1) disable DHCP on Ethernet Port 0 (VLAN1), which comes enabled by default
2) configure the Ethernet Port 0 (VLAN1) to use a static Public IP 216.123.2.192/255.255.255.248 DNS1 207.3.65.22 DNS2 207.3.65.32 , security 0
3) configure the Ethernet Port 1 (VLAN2) to use a static Internal IP 10.0.15.254/255.255.255.0 , security 100
4) does the ASA need a policy to allow outgoing traffic to the internet from VLAN 2 through VLAN 1 ?

.... thanks
LVL 29

Expert Comment

by:Jan Springer
ID: 21876418
config t

int vlan 1
 description private network
 nameif inside
 security-level 100
 ip address 10.0.15.254 255.255.255.0

int vlan 2
 description public Internet
 nameif outside
 security-level 0
 ip address 216.123.2.193 255.255.255.248

int e0/0
 description public Internet
 switchport access vlan 2
 no shutdown

int e0/1
 description private network
 switchport access vlan 1
 no shutdown

! DNS lookup must be enabled on a named interface before name-servers are accepted,
! so this goes after the interfaces have their nameif
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 207.3.65.22
 name-server 207.3.65.32
end

specifying an ip address on the vlan interface should disable dhcp.  

by default, a higher security interface can pass traffic through a lower security interface.

by default, traffic that originates from a client inside the private network is allowed back through the public interface to the client.

Author Comment

by:gabepcsolutions
ID: 21876683
hey thanks for the fast response !

...let you know how it goes

Author Comment

by:gabepcsolutions
ID: 21877740
ciscoasa(config-dns-server-group)# name-server 207.3.65.22
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server-group)#

Author Comment

by:gabepcsolutions
ID: 21877764
ciscoasa>
ciscoasa> ena
Password:
ciscoasa# config t
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 205.152.144.23
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server-group)#

Author Comment

by:gabepcsolutions
ID: 21877955
...this is the whole thing

ciscoasa# config t
ciscoasa(config)#
ciscoasa(config)#  dns server-group DefaultDNS
ciscoasa(config-dns-server-group)#    name-server 207.3.65.22
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server-group)#    name-server 207.3.65.32
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server-group)#
ciscoasa(config-dns-server-group)# int vlan 1
ciscoasa(config-if)#  description private network
ciscoasa(config-if)#  nameif inside
ciscoasa(config-if)#  security-level 100
ciscoasa(config-if)#  ip address 10.0.15.254 255.255.255.0
ERROR: This address conflicts with interface Vlan12
ciscoasa(config-if)#
ciscoasa(config-if)# int vlan 2
ciscoasa(config-if)#  description public Internet
ciscoasa(config-if)#  nameif outside
ciscoasa(config-if)#  security-level 0
ciscoasa(config-if)#  ip address 216.123.2.193 255.255.255.248
ciscoasa(config-if)# int e0/0
ciscoasa(config-if)#  description public Internet
ciscoasa(config-if)#  switchport access vlan 2
ciscoasa(config-if)#  no shutdown
ciscoasa(config-if)#
ciscoasa(config-if)# int e0/1 description private network
                              ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-if)#  switchport access vlan 1
ciscoasa(config-if)#  no shutdown
ciscoasa(config-if)# end
LVL 29

Expert Comment

by:Jan Springer
ID: 21878169
ciscoasa(config-if)#  ip address 10.0.15.254 255.255.255.0
ERROR: This address conflicts with interface Vlan12

Did you set this box back to the default configuration?  It appears to have its original config (or some of it).

int vlan 1
 description private network
 nameif inside
 security-level 100
 ip address 10.0.15.254 255.255.255.0
 exit

int vlan 2
 description public Internet
 nameif outside
 security-level 0
 ip address 216.123.2.193 255.255.255.248
 exit

int e0/0
 description public Internet
 switchport access vlan 2
 no shutdown
 exit

int e0/1
 description private network
 switchport access vlan 1
 no shutdown
end

Author Comment

by:gabepcsolutions
ID: 21879528
true... after resetting it I played with the GUI... I'll reset it to factory default before applying the commands in the CLI


...what should I do about the DNS issue?

ciscoasa(config)#  dns server-group DefaultDNS
ciscoasa(config-dns-server-group)#    name-server 207.3.65.22
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server-group)#    name-server 207.3.65.32
ERROR: DNS must first be enabled.

Author Comment

by:gabepcsolutions
ID: 21879534
oh man sorry, wrong thread... let's use the new one.

thanks.

Author Comment

by:gabepcsolutions
ID: 21880259
sorry again jesper... I'm going crazy here. This is the right thread... bear with me please, and don't lose interest...
LVL 29

Expert Comment

by:Jan Springer
ID: 21883515
Let's talk DNS.  What do you need the firewall to do with DNS?

Author Comment

by:gabepcsolutions
ID: 21883812
I've configured ISA Server before, where for example you have to configure the outside NIC with info  the ISP gives you:

Public IP / Mask / Gateway / DNS1 / DNS2

That's what I'm trying to get my VLAN2 to work.
LVL 29

Expert Comment

by:Jan Springer
ID: 21884083
Are your machines on the private network getting their IP address via DHCP, or are they statically addressed?  If DHCP, what is the DHCP server?

Author Comment

by:gabepcsolutions
ID: 21884366
...no DHCP available on the private network, the VLAN1 (inside) will need to be assigned a static IP like the config you gave me before.

int vlan 1
 description private network
 nameif inside
 security-level 100
 ip address 10.0.15.254 255.255.255.0
 exit

int vlan 2
 description public Internet
 nameif outside
 security-level 0
 ip address 216.123.2.193 255.255.255.248
 exit

I'm wondering how and where it is that you configure the  Gateway / DNS1 / DNS2 for the VLAN2 (outside) ports.
LVL 29

Expert Comment

by:Jan Springer
ID: 21884420
Let's talk DNS.  What does the ASA need to do with DNS?  If it's not to provide DNS servers via DHCP, what do you need it for?

The gateway:
  route outside 0.0.0.0 0.0.0.0 IP.OF.NEXT.HOP

Author Comment

by:gabepcsolutions
ID: 21884578
...ok, I see where you're going, ASA doesn't need a DNS configured, the machines in the private network do

...what started this line of conversation is the alert I got after applying the config commands you gave me

ciscoasa# config t
ciscoasa(config)#
ciscoasa(config)#  dns server-group DefaultDNS ***
ciscoasa(config-dns-server-group)#    name-server 207.3.65.22
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server-group)#    name-server 207.3.65.32
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server-group)#

***I figured there ought to be a DNS enable command after that line
LVL 29

Accepted Solution

by:
Jan Springer earned 2000 total points
ID: 21885166
This should just work.  Specify prior to the config above:

dns domain-lookup outside
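For reference, here is the two-VLAN layout from this thread as one complete configuration, in the pre-8.3 ASA syntax of the period. This is an added example, not Jan Springer's posted config and not Cisco documentation. The ISP next hop is a placeholder, and the two NAT lines are an assumption added here: 10.0.15.0/24 is not reachable from the Internet without translation, so outbound traffic from the inside network needs a hide NAT behind the outside address even though the security levels already permit it.

```cisco
! Added example (not from the thread): ASA 5505, two VLANs, pre-8.3 syntax.
! Assumptions: ISP gateway is a placeholder; NAT is assumed to be needed
! because 10.0.15.0/24 is a private range.
!
! 1. VLAN interfaces first: a nameif must exist before any later command
!    (route, nat, dns domain-lookup) refers to "inside" or "outside".
interface Vlan1
 description private network
 nameif inside
 security-level 100
 ip address 10.0.15.254 255.255.255.0
 exit
interface Vlan2
 description public Internet
 nameif outside
 security-level 0
 ip address 216.123.2.193 255.255.255.248
 exit
!
! 2. Physical ports: "description" is its own line, never an argument to "interface".
interface Ethernet0/0
 description public Internet
 switchport access vlan 2
 no shutdown
 exit
interface Ethernet0/1
 description private network
 switchport access vlan 1
 no shutdown
 exit
!
! 3. Default route toward the ISP (replace the placeholder with the ISP gateway).
route outside 0.0.0.0 0.0.0.0 ISP.GATEWAY.IP.HERE
!
! 4. Outbound NAT (assumed required here): hide 10.0.15.0/24 behind the outside address.
global (outside) 1 interface
nat (inside) 1 10.0.15.0 255.255.255.0
!
! 5. DNS, only needed when the ASA itself resolves names (ping by hostname, etc.).
!    Enabling lookup on an interface must precede the server group, otherwise
!    the name-server lines fail with "DNS must first be enabled".
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 207.3.65.22
 name-server 207.3.65.32
 exit
```

Apply it from `config t` on a unit that has been returned to factory defaults. If `ip address` reports a conflict with another VLAN interface, as Vlan12 did earlier in this thread, `show running-config interface` lists the leftover interface that still holds that subnet; remove or renumber it before retrying. The `dns domain-lookup` and `dns server-group` lines do nothing for the inside hosts: with no DHCP on the private network, those machines keep the DNS servers in their own static settings, and the ASA only needs DNS if it must resolve names itself.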

Author Comment

by:gabepcsolutions
ID: 21885199
ok... like this then?

ciscoasa# config t
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)#    name-server 207.3.65.22
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server-group)#    name-server 207.3.65.32
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server-group)#
LVL 29

Expert Comment

by:Jan Springer
ID: 21885491
Are these valid DNS servers?

Author Comment

by:gabepcsolutions
ID: 21885512
nope... sample ones to test it