gabepcsolutions
asked on
HOW DO I CONFIGURE VLANs ON ASA 5505?
On my ASA 5505, I need help to:
1) configure the Ethernet Port 0 (VLAN1) to use a Public IP 216.123.2.192/255.255.255.248 DNS1 207.3.65.22 DNS2 207.3.65.32
2) configure the Ethernet Port 1 (VLAN2) to use an Internal IP 10.0.15.254/255.255.255.0
This is a duplicate question already answered, no?
ASKER
I had closed the other question before you answered it... because I thought it was a different issue than the one originally intended. I awarded you the points on the last question. We can use this thread if you like.
That works for me.
ASKER
Ok then, starting over... can you help me with the CLI to:
1) disable DHCP on Ethernet Port 0 (VLAN1), comes by default
2) configure the Ethernet Port 0 (VLAN1) to use a static Public IP 216.123.2.192/255.255.255.248 DNS1 207.3.65.22 DNS2 207.3.65.32, security 0
3) configure the Ethernet Port 1 (VLAN2) to use a static Internal IP 10.0.15.254/255.255.255.0, security 100
4) does the ASA need a policy to allow outgoing traffic to the internet from VLAN 2 through VLAN 1?
.... thanks
config t
dns server-group DefaultDNS
name-server 207.3.65.22
name-server 207.3.65.32
int vlan 1
description private network
nameif inside
security-level 100
ip address 10.0.15.254 255.255.255.0
int vlan 2
description public Internet
nameif outside
security-level 0
ip address 216.123.2.193 255.255.255.248
int e0/0
description public Internet
switchport access vlan 2
no shutdown
int e0/1
description private network
switchport access vlan 1
no shutdown
end
specifying an ip address on the vlan interface should disable dhcp.
by default, a higher security interface can pass traffic through a lower security interface.
by default, traffic that originates from a client inside the private network is allowed back through the public interface to the client.
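The answer above gives the interface skeleton. What follows is an added, complete worked configuration for the same box (it is not the expert's text or Cisco's documentation), written so that it can be pasted in one go and then checked. It assumes an ASA 5505 running pre-8.3 software (the `nat`/`global` PAT syntax; the 8.3-and-later object NAT form is shown in comments with an assumed object name `INSIDE-NET`), keeps the thread's placeholder `IP.OF.NEXT.HOP` for the ISP gateway, and assumes the unit was reset to factory defaults, so the built-in DHCP server on the inside VLAN is cleared before the inside address is changed. Three things the short answer does not spell out and a practitioner will want: `dns domain-lookup` must exist before `name-server` is accepted, the default route is configured with `route outside`, and the security-level rule that lets inside traffic out does not by itself make 10.0.15.0/24 reachable on the Internet; that needs NAT.

```cisco
! Added worked example, not the original answer or a Cisco document.
! Assumes ASA 5505, pre-8.3 software for the nat/global lines, and a
! factory-default starting point. Interface roles follow the answer
! above: vlan 1 = inside, vlan 2 = outside.
config t
!
! Factory default ships a DHCP *server* (dhcpd) on inside whose pool
! is 192.168.1.x; it conflicts with the new inside subnet, so remove it.
! (The DHCP *client* on outside is replaced by the static ip address.)
clear configure dhcpd
!
! --- Layer 3 VLAN interfaces ---
interface vlan 1
 description private network
 nameif inside
 security-level 100
 ip address 10.0.15.254 255.255.255.0
 no shutdown
!
interface vlan 2
 description public Internet
 nameif outside
 security-level 0
 ip address 216.123.2.193 255.255.255.248
 no shutdown
!
! --- Switch ports: one command per line. "int e0/1 description ..."
!     on a single line is rejected with "% Invalid input". ---
interface ethernet0/0
 description public Internet
 switchport access vlan 2
 no shutdown
!
interface ethernet0/1
 description private network
 switchport access vlan 1
 no shutdown
!
! --- DNS for the ASA itself: lookups must be enabled on an interface
!     first, otherwise name-server fails with
!     "ERROR: DNS must first be enabled". ---
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 207.3.65.22
 name-server 207.3.65.32
!
! --- Default route to the ISP. IP.OF.NEXT.HOP is the thread's
!     placeholder; use the ISP gateway inside 216.123.2.192/29. ---
route outside 0.0.0.0 0.0.0.0 IP.OF.NEXT.HOP 1
!
! --- NAT. inside (100) -> outside (0) is permitted by the security
!     levels, but 10.0.15.0/24 is private space and must be translated
!     to the outside interface address (PAT). Pre-8.3 syntax: ---
nat (inside) 1 10.0.15.0 255.255.255.0
global (outside) 1 interface
!
! 8.3 and later use object NAT instead (INSIDE-NET is an assumed name):
! object network INSIDE-NET
!  subnet 10.0.15.0 255.255.255.0
!  nat (inside,outside) dynamic interface
!
end
write memory
!
! --- Checks after applying ---
! both VLAN interfaces up with the right addresses:
show interface ip brief
! a 0.0.0.0/0 route via the ISP gateway on outside:
show route
! domain-lookup plus both name-servers present:
show running-config dns
! translations appear once an inside host reaches the Internet:
show xlate
```

The `clear configure dhcpd` line is only needed when starting from the factory default; on a box that has already been wiped it is a harmless no-op. The DNS servers configured here are used by the ASA itself (for example to resolve names in its own commands); hosts on the inside still need their own DNS settings, since no DHCP server is being provided.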
ASKER
hey thanks for the fast response !
...let you know how it goes
ASKER
ciscoasa(config-dns-server -group)# name-server 207.3.65.22
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server -group)#
ASKER
ciscoasa>
ciscoasa> ena
Password:
ciscoasa# config t
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server -group)# name-server 205.152.144.23
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server -group)#
ASKER
...this is the whole thing
ciscoasa# config t
ciscoasa(config)#
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server -group)# name-server 207.3.65.22
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server -group)# name-server 207.3.65.32
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server -group)#
ciscoasa(config-dns-server -group)# int vlan 1
ciscoasa(config-if)# description private network
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.0.15.254 255.255.255.0
ERROR: This address conflicts with interface Vlan12
ciscoasa(config-if)#
ciscoasa(config-if)# int vlan 2
ciscoasa(config-if)# description public Internet
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 216.123.2.193 255.255.255.248
ciscoasa(config-if)# int e0/0
ciscoasa(config-if)# description public Internet
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)#
ciscoasa(config-if)# int e0/1 description private network
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# end
ciscoasa(config-if)# ip address 10.0.15.254 255.255.255.0
ERROR: This address conflicts with interface Vlan12
Did you set this box back to the default configuration? It appears to have its original config (or some of it).
int vlan 1
description private network
nameif inside
security-level 100
ip address 10.0.15.254 255.255.255.0
exit
int vlan 2
description public Internet
nameif outside
security-level 0
ip address 216.123.2.193 255.255.255.248
exit
int e0/0
description public Internet
switchport access vlan 2
no shutdown
exit
int e0/1
description private network
switchport access vlan 1
no shutdown
end
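The "address conflicts with interface Vlan12" error means some other VLAN interface already carries 10.0.15.0/24 (left over from the GUI session the asker mentions). Rather than guessing, the following added commands (not part of the expert's reply) show how to see what is on the box and clear it before re-applying the configuration. They assume an ASA 5505, where VLAN interfaces can be created and deleted individually, and that Vlan12 is not wanted.

```cisco
! Added example, not the expert's text. Find what is already configured
! on the VLAN interfaces; the conflict error named Vlan12.
show running-config interface
!
! If Vlan12 is leftover from the GUI and not needed, remove it; the
! inside address can then be applied to Vlan1 without the conflict.
config t
no interface vlan 12
end
!
! Alternative: return to the shipped configuration and build on it.
! configure factory-default restores vlan 1 inside 192.168.1.1/24,
! vlan 2 outside via DHCP and a dhcpd server on inside; those defaults
! are then overwritten by the static config. write erase + reload
! instead leaves an empty configuration.
config t
configure factory-default
end
write memory
```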
ASKER
true... after resetting it I played with the GUI... I'll reset it to factory default before applying the commands in the CLI
...what should I do about the DNS issue?
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server -group)# name-server 207.3.65.22
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server -group)# name-server 207.3.65.32
ERROR: DNS must first be enabled.
ASKER
oh man sorry, wrong thread... let's use the new one.
thanks.
ASKER
sorry again jesper... I'm going crazy here. This is the right thread... bear with me please, and don't lose interest...
Let's talk DNS. What do you need the firewall to do with DNS?
ASKER
I've configured ISA Server before, where for example you have to configure the outside NIC with info the ISP gives you:
Public IP / Mask / Gateway / DNS1 / DNS2
That's what I'm trying to get my VLAN2 to work.
Are your machines on the private network getting their IP address via DHCP, or are they statically addressed? If DHCP, what is the DHCP server?
ASKER
...no DHCP available on the private network, the VLAN1 (inside) will need to be assigned a static IP like the config you gave me before.
int vlan 1
description private network
nameif inside
security-level 100
ip address 10.0.15.254 255.255.255.0
exit
int vlan 2
description public Internet
nameif outside
security-level 0
ip address 216.123.2.193 255.255.255.248
exit
I'm wondering how and where it is that you configure the Gateway / DNS1 / DNS2 for the VLAN2 (outside) ports.
Let's talk DNS. What does the ASA need to do with DNS? If it's not to provide DNS servers via DHCP, what do you need it for?
The gateway:
route outside 0.0.0.0 0.0.0.0 IP.OF.NEXT.HOP
ASKER
...ok, I see where you're going, ASA doesn't need a DNS configured, the machines in the private network do
...what started this line of conversation is the alert I got after applying the config commands you gave me
ciscoasa# config t
ciscoasa(config)#
ciscoasa(config)# dns server-group DefaultDNS ***
ciscoasa(config-dns-server -group)# name-server 207.3.65.22
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server -group)# name-server 207.3.65.32
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server -group)#
***I figured there ought to be a DNS enable command after that line
ASKER CERTIFIED SOLUTION
ASKER
ok... like this then?
ciscoasa# config t
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server -group)# name-server 207.3.65.22
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server -group)# name-server 207.3.65.32
ERROR: DNS must first be enabled.
ciscoasa(config-dns-server -group)#
Are these valid DNS servers?
ASKER
nope... sample ones to test it