Troubleshooting question asked by fredbfrugle (United States)
Topics: Routers, Hardware Firewalls
I have a Cisco ASA-5510 currently configured and operational with an inside and an outside interface. I have certain ports being forwarded in, and everything *seems* to be working fine. What I would like to do is segment our inside LAN and separate a portion of it off onto a different interface (E0/3 or E0/3.x). I have made several attempts at this, and I am missing something.
I would prefer that my inside (LAN) stay on E0/1 and, if possible, create a VLAN on E0/3.x, so that eventually, once this one portion is segmented off the primary network, I can create additional ones, i.e. 192.168.50.x will be on E0/3.50 and 192.168.60.x will be on E0/3.60. I still want to be able to share resources across the inside and the VLANs (in both directions) and also make sure that the VLANs have internet access via the "outside" interface on E0/0.
E0/1 is connected to a triple stack of 3Com SuperStack 4400s.
E0/3 is connected to a single 3Com 4400.

Keep in mind that I know enough about Cisco IOS to be dangerous.

I thought that I would be able to pass traffic between interfaces if they have the same security level.
To oversimplify this: I want the ASA firewall features to protect me from the outside interface, but just do basic routing on the internal interfaces.

Thanks for looking at my problem!

: Saved
ASA Version 7.0(8) 
hostname meritechasa
domain-name meritechinc.local
name merts1-inside description 2k3 Terminal Server RDP-3390
name mergc01-inside description 2k3 Domain Controller RDP-3390
name mergc02-inside description 2k3 Domain Controller RDP-3390
name merexh2k7-inside description 2k3-64bit Exchange 2007 SMTP,2525,https-owa 
name merhv02-inside description 2k8 Hyper-v Virtual Server RDP-3389
name merhv01-inside description 2k8 Hyper-v virtual Server RDP-3389
name docmanage-inside description 2k3 Document managment server WWW
name docinternal-inside description 2k3 document managment server www
name web-outside description web server outside ip
name merts1-outside description terminal server outside
name mergc01-outside description domain controller
name mergc02-outside description domain controller
name meresxh2k7-outside description mail server outside ip
name merhv02-outside description virtual server
name merhv01-outside description virtual server
name docmanage-outside description document managment server
name web-inside description webserver inside WWW
name cwise-inside description cwise inside WWW(7171)
name cwise-outside description cwise outside www (7171)
name kaseya-outside description Kaseya server
name kaseya-inside description Kaseya server inside
name maryannd220m-outside description maryannd220m
name maryannd220m-inside description Maryann server inside
interface Ethernet0/0
 description Interface for Primary ISP
 nameif outside
 security-level 0
 ip address 
interface Ethernet0/1
 description Interface for Primary LAN
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/2
 nameif DMZ
 security-level 50
 no ip address
interface Ethernet0/3
 description VLAN interface for segmentation
 nameif vlanhost
 security-level 100
 ip address 
interface Ethernet0/3.50
 description VLAN interface for segmentation
 vlan 50
 nameif shop
 security-level 100
 ip address 
interface Ethernet0/3.60
 description VLAN interface for segmentation
 vlan 60
 nameif demofloor
 security-level 100
 ip address 
interface Management0/0
 nameif management
 security-level 100
 ip address 
ftp mode passive
clock timezone EST -5
same-security-traffic permit inter-interface
access-list outside_access_in extended permit tcp any host meresxh2k7-outside eq smtp 
access-list outside_access_in extended permit tcp any host meresxh2k7-outside eq www 
access-list outside_access_in extended permit tcp any host meresxh2k7-outside eq https 
no pager
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
mtu shop 1500
no failover
icmp permit any shop
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 web-outside-kaseya-outside
global (outside) 1
global (outside) 10 netmask
global (outside) 2
global (outside) 1 interface
global (outside) 50
nat (inside) 1
static (inside,outside) merts1-outside merts1-inside netmask 
static (inside,outside) mergc01-outside mergc01-inside netmask 
static (inside,outside) mergc02-outside mergc02-inside netmask 
static (inside,outside) meresxh2k7-outside merexh2k7-inside netmask 
static (inside,outside) merhv02-outside merhv02-inside netmask 
static (inside,outside) merhv01-outside merhv01-inside netmask 
static (inside,outside) docmanage-outside docmanage-inside netmask 
static (inside,outside) web-outside web-inside netmask 
static (inside,outside) cwise-outside cwise-inside netmask 
static (inside,outside) kaseya-outside kaseya-inside netmask 
static (inside,outside) maryannd220m-outside maryannd220m-inside netmask 
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password 4N/cPlx30tqt6w/1 encrypted privilege 15
http server enable
http inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
isakmp enable outside
telnet inside
telnet management
telnet timeout 99
ssh timeout 5
console timeout 0
dhcpd address shop
dhcpd dns mergc01-inside mergc02-inside
dhcpd wins mergc01-inside mergc02-inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain
dhcpd enable shop
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
service-policy global_policy global
: end
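The following is an added example, not part of the original post and not the poster's running configuration. It shows the set of ASA 7.0(8) statements that are normally needed to make E0/3.50 and E0/3.60 routed VLAN segments next to the existing inside interface: the subinterfaces, the same-security permit, NAT exemption so inside and the VLANs see each other's real addresses, and the per-interface nat statements without which the new segments never reach the outside PAT. All addresses are assumptions: the post blanks out its IPs, so inside is taken as 192.168.1.0/24, shop as 192.168.50.0/24 and demofloor as 192.168.60.0/24; the object names mergc01-inside and mergc02-inside are the ones defined by the posted name commands.

```cisco
! Added example, not the poster's config. Address assumptions:
!   inside     192.168.1.0/24   (real subnet not shown in the post)
!   shop       192.168.50.0/24  VLAN 50 on Ethernet0/3.50
!   demofloor  192.168.60.0/24  VLAN 60 on Ethernet0/3.60
!
! 1. E0/3 only carries the 802.1Q tags, so it needs no nameif or address.
!    The 3Com 4400 port facing E0/3 must be a TAGGED member of VLANs 50 and 60;
!    an untagged port delivers every frame to the physical interface and the
!    subinterfaces never see traffic. (If the untagged "vlanhost" interface is
!    kept, give it the same nat 0 / nat 1 lines as shop below.)
interface Ethernet0/3
 description 802.1Q trunk to 3Com 4400 for segmented VLANs
 no nameif
 no ip address
 no shutdown
!
interface Ethernet0/3.50
 description VLAN 50 - shop
 vlan 50
 nameif shop
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/3.60
 description VLAN 60 - demofloor
 vlan 60
 nameif demofloor
 security-level 100
 ip address 192.168.60.1 255.255.255.0
!
! 2. Two interfaces at security-level 100 do NOT talk to each other by
!    default; this single line is what turns that on (already in the post).
same-security-traffic permit inter-interface
!
! 3. Exempt inside<->shop<->demofloor traffic from translation. nat-control is
!    off by default on an ASA, but an explicit nat 0 works either way.
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list shop_nat0 extended permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list shop_nat0 extended permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list demofloor_nat0 extended permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list demofloor_nat0 extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
nat (shop) 0 access-list shop_nat0
nat (demofloor) 0 access-list demofloor_nat0
!
! 4. Internet access. "global (outside) 1 interface" (already in the post)
!    only serves interfaces that have a matching "nat (...) 1" line; the
!    post has one for inside only, so the VLANs get no PAT and no return path.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (shop) 1 0.0.0.0 0.0.0.0
nat (demofloor) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 5. Optional. "Basic routing" between segments need not be unrestricted:
!    this lets the shop VLAN reach DNS on the domain controllers and the
!    Internet, and nothing else on inside. Once an access-group is bound,
!    everything not permitted is dropped, so the final permit is required
!    for outbound traffic. Repeat the pattern for demofloor as needed.
access-list shop_access_in extended permit udp 192.168.50.0 255.255.255.0 host mergc01-inside eq domain
access-list shop_access_in extended permit udp 192.168.50.0 255.255.255.0 host mergc02-inside eq domain
access-list shop_access_in extended deny ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list shop_access_in extended permit ip 192.168.50.0 255.255.255.0 any
access-group shop_access_in in interface shop
```

To check the result, `show interface Ethernet0/3.50` should report up/up and a rising input counter once the switch port is tagged for VLAN 50; `show xlate` should show a PAT entry on the outside address for a shop host browsing the Internet and none for a shop host reaching an inside server (the nat 0 exemption); `show access-list shop_access_in` shows hit counts per line. The `packet-tracer` command that makes this kind of test easy exists only from ASA 7.2 onward, not on 7.0(8).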