
How to route traffic on ASA

Hi There,

I need some assistance with configuring my new internet connection on an ASA 5510.
I need to route all traffic to my ISP.

I have set up subinterfaces for each of my VLANs (see below), and E0/1 connects directly to the ISP-managed modem. I have assigned the public IP address to interface E0/1, which connects directly to the ISP's modem. I would also like to set up PAT so my internal users are able to access the internet (please review and advise).

I'm attaching a draft network diagram that I'm working on for your review.


#################################'
Ethernet0/0.10             10.10.10.1    

Ethernet0/0.20             10.10.20.1      

Ethernet0/0.30             10.10.30.1      

Ethernet0/0.40             10.10.40.1

Ethernet0/0.50             10.10.50.1      
#################################'


#################################'
global (outside) 1 interface
nat (ManagementVlan) 1 10.10.10.0 255.255.255.0
nat (StaffVlan) 1 10.10.20.0 255.255.255.0
nat (ServerVlan) 1 10.10.30.0 255.255.255.0
nat (StudentVlan) 1 10.10.50.0 255.255.255.0
#################################'

Asked by: MCP200
 
lrmoore Commented:
So far that looks OK. Did you set the default route to the ISP-specified IP address?
Have you considered the security levels of each VLAN?
Have you considered which networks need to talk to each other? Are you routing between the VLANs on the core switch?
You did not specify exactly which version of the ASA OS you are running, and NAT commands have changed dramatically between 8.2 and 8.3. Most versions up to 8.2 are pretty much the same.
 
MCP200 (Author) Commented:
Hi, thanks for the reply.

I'm running ASA 8.2.

1) I don't want VLAN 50 to communicate with VLAN 20 at all.

2) I have set the security level to 100 for all inside VLANs and level 0 for the outside interface.

3) Well, I had a router-on-a-stick setup, and now it will be replaced by the ASA. The routing between VLANs is done by the core switch.

4) I set up route outside 1 0 255.255.255.252 interface
I'm not sure if that's the right way to assign the default route to the supplied public IP.

Thank you
 
lrmoore Commented:
For a default route use this syntax:

route outside 0.0.0.0 0.0.0.0 <ip of ISP's managed router>

As long as the routing between VLANs is accomplished on the core router, that is where you need to put ACLs to restrict access between VLANs.

If you want to use the ASA to route between the VLANs, then you need to disable nat-control and create ACLs to apply to each interface to allow/block traffic. It gets ugly trying to use an ASA as a router.
 
MCP200 (Author) Commented:
Routing is working fine now; I had to contact the ISP to provide the IP address for their VLAN interface. I’ll do some restructuring over the weekend and I’ll get my 3750 to do the routing, as it's easier.

One more thing: when the security level is set to 100, what kind of traffic is allowed outbound?
 
lrmoore Commented:
All traffic from higher (100) to lower (0) is allowed by default.
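A small pre-deployment check for the setup discussed in this thread, added here as an example (it is not code from either poster): it parses the interface list and the 8.2-style nat/global/route lines and reports subinterfaces not covered by any nat statement, nat ids with no matching global, and a missing default route. The sample text is constructed from the question, and the next hop 192.0.2.1 is a placeholder address.

```python
import ipaddress
import re

# Constructed sample: the interface list and PAT lines quoted in the question,
# plus a default route whose next hop (192.0.2.1) is a placeholder address.
SAMPLE = """\
Ethernet0/0.10 10.10.10.1
Ethernet0/0.20 10.10.20.1
Ethernet0/0.30 10.10.30.1
Ethernet0/0.40 10.10.40.1
Ethernet0/0.50 10.10.50.1
global (outside) 1 interface
nat (ManagementVlan) 1 10.10.10.0 255.255.255.0
nat (StaffVlan) 1 10.10.20.0 255.255.255.0
nat (ServerVlan) 1 10.10.30.0 255.255.255.0
nat (StudentVlan) 1 10.10.50.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1
"""

def audit(config):
    """Return a list of findings for an ASA 8.2-style PAT/default-route setup."""
    hosts, nat_nets, nat_ids, global_ids = {}, [], set(), set()
    has_default = False
    for line in config.splitlines():
        f = line.split()
        if not f:
            continue
        if re.fullmatch(r"Ethernet\d+/\d+\.\d+", f[0]) and len(f) == 2:
            hosts[f[0]] = ipaddress.ip_address(f[1])       # subinterface address
        elif f[0] == "nat" and len(f) == 5:
            nat_ids.add(f[2])                              # nat (if) <id> <net> <mask>
            nat_nets.append(ipaddress.ip_network(f"{f[3]}/{f[4]}"))
        elif f[0] == "global" and len(f) >= 4:
            global_ids.add(f[2])                           # global (if) <id> interface
        elif f[0] == "route" and len(f) >= 5 and f[2:4] == ["0.0.0.0", "0.0.0.0"]:
            # A default route needs a next-hop IP address, not a keyword.
            has_default |= bool(re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", f[4]))
    findings = []
    for name, addr in hosts.items():
        if not any(addr in net for net in nat_nets):
            findings.append(f"{name} ({addr}) is not covered by any nat statement")
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no matching global statement")
    if not has_default:
        findings.append("no default route (route <if> 0.0.0.0 0.0.0.0 <gateway>)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample it reports only Ethernet0/0.40, which appears in the interface list but has no nat line in the posted configuration.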
