
ASA 5510 VLANS AND ROUTING

fredbfrugle asked:
Topics: Routers, Hardware Firewalls
I have a Cisco ASA-5510 currently configured and operational with an inside and an outside interface. I have certain ports being forwarded in, and everything *seems* to be working fine. What I would like to do is segment our inside LAN and separate a portion of it off onto a different interface (E0/3) or (E0/3.x). I have made several attempts at this, and I am missing something.
I would prefer that my inside (LAN) stay on E0/1, and if possible create a VLAN on E0/3.x, so that eventually, once this one portion is segmented off the primary network, I can create additional ones, i.e. 192.168.50.x will be on E0/3.50 and 192.168.60.x will be on E0/3.60. I still want to be able to share resources across the inside and the VLANs (in both directions) and also make sure that the VLANs have internet access via the "outside" interface on E0/0.
E0/1 is connected to a triple stack of 3Com SuperStack 4400s.
E0/3 is connected to a single 3Com 4400.

Keep in mind that I know enough about Cisco IOS to be dangerous.

I thought that I would be able to pass traffic between interfaces if they have the same security level.
To oversimplify this: I want the ASA firewall features to protect me from the outside interface, but just do basic routing on the internal interfaces.

Thanks for looking at my problem!

: Saved
:
ASA Version 7.0(8) 
!
hostname meritechasa
domain-name meritechinc.local
names
name 192.168.1.27 merts1-inside description 2k3 Terminal Server RDP-3390
name 192.168.1.65 mergc01-inside description 2k3 Domain Controller RDP-3390
name 192.168.1.66 mergc02-inside description 2k3 Domain Controller RDP-3390
name 192.168.1.67 merexh2k7-inside description 2k3-64bit Exchange 2007 SMTP,2525,https-owa 
name 192.168.1.23 merhv02-inside description 2k8 Hyper-v Virtual Server RDP-3389
name 192.168.1.24 merhv01-inside description 2k8 Hyper-v virtual Server RDP-3389
name 192.168.1.242 docmanage-inside description 2k3 Document managment server WWW
name 192.168.1.180 docinternal-inside description 2k3 document managment server www
name 123.123.123.100 web-outside description web server outside ip
name 123.123.123.101 merts1-outside description terminal server outside
name 123.123.123.102 mergc01-outside description domain controller
name 123.123.123.103 mergc02-outside description domain controller
name 123.123.123.104 meresxh2k7-outside description mail server outside ip
name 123.123.123.105 merhv02-outside description virtual server
name 123.123.123.106 merhv01-outside description virtual server
name 123.123.123.107 docmanage-outside description document managment server
name 192.168.1.34 web-inside description webserver inside WWW
name 192.168.0.11 cwise-inside description cwise inside WWW(7171)
name 123.123.123.109 cwise-outside description cwise outside www (7171)
name 123.123.123.110 kaseya-outside description Kaseya server
name 192.168.1.22 kaseya-inside description Kaseya server inside
name 123.123.123.108 maryannd220m-outside description maryannd220m
name 192.168.0.41 maryannd220m-inside description Maryann server inside
dns-guard
!
interface Ethernet0/0
 description Interface for Primary ISP
 nameif outside
 security-level 0
 ip address 123.123.123.98 255.255.255.224 
!
interface Ethernet0/1
 description Interface for Primary LAN
 nameif inside
 security-level 100
 ip address 192.168.1.31 255.255.254.0 
!
interface Ethernet0/2
 shutdown
 nameif DMZ
 security-level 50
 no ip address
!
interface Ethernet0/3
 description VLAN interface for segmentation
 nameif vlanhost
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface Ethernet0/3.50
 description VLAN interface for segmentation
 vlan 50
 nameif shop
 security-level 100
 ip address 192.168.50.1 255.255.255.0 
!
interface Ethernet0/3.60
 description VLAN interface for segmentation
 vlan 60
 nameif demofloor
 security-level 100
 ip address 192.168.60.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0 
 management-only
!
ftp mode passive
clock timezone EST -5
same-security-traffic permit inter-interface
access-list outside_access_in extended permit tcp any host meresxh2k7-outside eq smtp 
access-list outside_access_in extended permit tcp any host meresxh2k7-outside eq www 
access-list outside_access_in extended permit tcp any host meresxh2k7-outside eq https 
no pager
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
mtu shop 1500
no failover
icmp permit any shop
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 web-outside-kaseya-outside
global (outside) 1 123.123.123.111-123.123.123.124
global (outside) 10 123.123.123.99 netmask 255.255.255.224
global (outside) 2 123.123.123.126
global (outside) 1 interface
global (outside) 50 123.123.123.125
nat (inside) 1 192.168.0.0 255.255.254.0
static (inside,outside) merts1-outside merts1-inside netmask 255.255.255.255 
static (inside,outside) mergc01-outside mergc01-inside netmask 255.255.255.255 
static (inside,outside) mergc02-outside mergc02-inside netmask 255.255.255.255 
static (inside,outside) meresxh2k7-outside merexh2k7-inside netmask 255.255.255.255 
static (inside,outside) merhv02-outside merhv02-inside netmask 255.255.255.255 
static (inside,outside) merhv01-outside merhv01-inside netmask 255.255.255.255 
static (inside,outside) docmanage-outside docmanage-inside netmask 255.255.255.255 
static (inside,outside) web-outside web-inside netmask 255.255.255.255 
static (inside,outside) cwise-outside cwise-inside netmask 255.255.255.255 
static (inside,outside) kaseya-outside kaseya-inside netmask 255.255.255.255 
static (inside,outside) maryannd220m-outside maryannd220m-inside netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password 4N/cPlx30tqt6w/1 encrypted privilege 15
http server enable
http 192.168.0.0 255.255.254.0 inside
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
isakmp enable outside
telnet 192.168.0.0 255.255.254.0 inside
telnet 192.168.100.0 255.255.255.0 management
telnet timeout 99
ssh timeout 5
console timeout 0
dhcpd address 192.168.50.51-192.168.50.254 shop
dhcpd dns mergc01-inside mergc02-inside
dhcpd wins mergc01-inside mergc02-inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain meritechinc.shop
dhcpd enable shop
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
Cryptochecksum:456d1370756fd32ff045aabcf8a3d5c6
: end