ASA VLANNING ISSUE

I have a pretty simple network but have a couple of configuration changes I am making to change some access.  I want people plugged into port 2 on the ASA to be able to get to the internet but not see port 1.  However, I would like for certain clients to see port 1.  

Ex.

10.100.0.100-199 should be able to get to the internet but not see port 1 at 10.10.0.0 255.255.255.0
However I would like for 10.100.0.225 to be able to communicate to 10.10.0.0 255.255.255.0

First problem is that 10.100.0.100-199 are not able to get to the internet with the current config. What needs to change, and what needs to be added for the certain clients?


CONFIG HERE

domain-name None.com
names
name 10.10.0.50 zeus
name 10.10.0.30 triton
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group att
 ip address pppoe setroute
!
interface Vlan10
 no forward interface Vlan1
 nameif DMZ
 security-level 90
 ip address 10.100.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name none.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit tcp any any eq pop3
access-list outsidein extended permit tcp any any eq https
access-list outsidein extended permit tcp any eq https any
access-list outsidein extended permit tcp any eq www any
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any any eq 3389
access-list outside_1_cryptomap extended permit ip 10.10.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list XXX-Houston_splitTunnelAcl standard permit 10.10.0.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool RemoteVPN 10.10.1.100-10.10.1.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 zeus 3389 netmask 255.255.255.255
access-group outsidein in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.0.0 255.255.255.0 inside
http x.x.x.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.10.0.0 255.255.255.0 inside
telnet x.x.x.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group att request dialout pppoe
vpdn group att localname xxxxxxx@sbcglobal.net
vpdn group att ppp authentication pap
vpdn username xxxxxxxxx@sbcglobal.net password ********* store-local
dhcpd dns zeus 4.2.2.2
dhcpd lease 100000
dhcpd domain none.local
dhcpd auto_config outside
!
dhcpd address 10.10.0.100-10.10.0.200 inside
dhcpd enable inside
!
dhcpd address 10.100.0.100-10.100.0.199 DMZ
dhcpd dns 4.2.2.2 206.13.28.60 interface DMZ
dhcpd lease 36000 interface DMZ
dhcpd enable DMZ
!

group-policy XXX-Houston internal
group-policy XXX-Houston attributes
 wins-server value 10.10.0.50
 dns-server value 10.10.0.50
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXX-Houston_splitTunnelAcl
 default-domain value XXX-houston.local

 vpn-group-policy XXX-Houston
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group XXX-Houston type ipsec-ra
tunnel-group XXX-Houston general-attributes
 address-pool RemoteVPN
 default-group-policy XXX-Houston
tunnel-group XXX-Houston ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!

Asked by rcooper83

1 Solution

MikeKane commented:
Your "port 2" is your DMZ from what I read.   So you are missing a NAT command for the hosts in the DMZ

nat (dmz) 1 0.0.0.0 0.0.0.0


After you issue this command, you can use the SHOW XLATE to check to make certain the DMZ addresses are translating to the outside interface IP.


rcooper83 (Author) commented:
That got the separate VLAN working with the net. Now how about the certain hosts talking to the other side.

MikeKane commented:
If you have a limited number of internal hosts, and since your DMZ is a lower security interface, a good option is to create statics for each internal host to the DMZ (same process as the inside to outside static). Add an ACL to allow access from certain hosts to the Static'ed addresses and you are set to go.

Another option is to use a no nat for the DMZ... then create the access-list to include the source hosts from the DMZ to the inside network hosts or subnets...  
nat (DMZ) 0 access-list DMZ_nat0_inbound
access-list DMZ_nat0_inbound permit ip host 10.100.0.10 10.10.0.0 255.255.255.0  

hope that helps.
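Putting the two replies together for the host named in the question, as an added example that is not part of any reply on this page: ASA 7.x/8.0 syntax matching the posted config, with the ACL names DMZ_nat0_inbound and DMZ_in and the verification commands being my own choices.

```cisco
! Identity NAT (nat 0 with an ACL) so 10.100.0.225 reaches the inside network
! with its real address; every other DMZ host keeps PAT to the outside
! interface from the first reply. ACL name DMZ_nat0_inbound is assumed.
access-list DMZ_nat0_inbound extended permit ip host 10.100.0.225 10.10.0.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_inbound
nat (DMZ) 1 0.0.0.0 0.0.0.0
!
! Inbound ACL on the DMZ interface. Once an access-group is applied, the
! implicit permit toward lower-security interfaces (outside) is gone, so the
! final permit is what keeps 10.100.0.100-199 on the internet. The deny is
! needed because an interface ACL overrides security levels: without it the
! final permit would let the whole DMZ reach inside. Extend the deny to the
! VPN subnets in the config (10.10.1.0/24 etc.) if those must stay hidden too.
access-list DMZ_in extended permit ip host 10.100.0.225 10.10.0.0 255.255.255.0
access-list DMZ_in extended deny ip 10.100.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list DMZ_in extended permit ip 10.100.0.0 255.255.255.0 any
access-group DMZ_in in interface DMZ
!
! Verification: packet-tracer should report the first flow allowed and the
! second dropped by DMZ_in (10.10.0.50 is "zeus" from the posted config;
! port 445 is an arbitrary constructed example).
! packet-tracer input DMZ tcp 10.100.0.225 1025 10.10.0.50 445
! packet-tracer input DMZ tcp 10.100.0.150 1025 10.10.0.50 445
! show xlate
```

The posted config has `no forward interface Vlan1` under Vlan10, which is the ASA 5505 base-license restriction that stops the third VLAN from initiating traffic to Vlan1; while that line is present the DMZ host cannot open connections to inside regardless of the NAT and ACL above.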