Solved

How to route traffic on ASA

Posted on 2010-11-29
569 Views
Last Modified: 2012-06-21
Hi There,

I need some assistance with configuring my new internet connection on an ASA 5510.
I need to route all traffic to my ISP.

I have set up sub-interfaces for each of my VLANs (see below) and E0/1 connects directly to the ISP-managed modem. I have assigned the public IP address to the interface E0/1, which connects directly to the ISP's modem. I would also like to set up PAT for my internal users to be able to access the internet (please review and advise).

I'm attaching a draft network diagram that I'm working on for your review.


#################################
Ethernet0/0.10             10.10.10.1
Ethernet0/0.20             10.10.20.1
Ethernet0/0.30             10.10.30.1
Ethernet0/0.40             10.10.40.1
Ethernet0/0.50             10.10.50.1
#################################

#################################
global (outside) 1 interface
nat (ManagementVlan) 1 10.10.10.0 255.255.255.0
nat (StaffVlan) 1 10.10.20.0 255.255.255.0
nat (ServerVlan) 1 10.10.30.0 255.255.255.0
nat (StudentVlan) 1 10.10.50.0 255.255.255.0
#################################
Attachment: Network.jpg

Question by:MCP200
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 34229639
So far that looks OK. Did you set the default route to the ISP specified ip address?
Have you considered the security levels of each vlan?
Have you considered which networks need to talk to each other? Are you routing between the vlans on the core switch?
You did not specify exactly which version of the ASA OS you are running, and NAT commands have changed dramatically between 8.2 and 8.3. Most versions up to 8.2 are pretty much the same.
0
 

Author Comment

by:MCP200
ID: 34230972
Hi, thanks for the reply.

I'm running ASA 8.2.

1) I don't want VLAN 50 to communicate with VLAN 20 at all.

2) I have set security level to 100 for all inside VLANs and level 0 to the outside interface.

3) Well, I had a router-on-a-stick setup and now it will be replaced by the ASA. The routing between VLANs is done by the core switch.

4) I set up route outside 1 0 255.255.255.252 interface
I'm not sure if that's the right way to assign the default route to the supplied public IP.

Thank you

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 34231303
For a default route use this syntax:

route outside 0.0.0.0 0.0.0.0 <ip of ISP's managed router>

As long as the routing between VLANs is accomplished on the core router, that is where you need to put ACLs to restrict access between VLANs.

If you want to use the ASA to route between the VLANs, then you need to disable nat-control, and create ACLs to apply to each interface to allow/block traffic. It gets ugly trying to use an ASA as a router.
0
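Putting lrmoore's default-route syntax together with the sub-interface and PAT lines from the question, here is an added ASA 8.2 configuration example. It is not config from the original post: the outside address 203.0.113.2/30 and the ISP router address 203.0.113.1 are constructed placeholders, the VLAN-to-nameif mapping follows the nat lines in the question, and VLAN 40 is left out because the question gives no nameif for it.

```cisco
! Added example, ASA 8.2 syntax. Addresses in 203.0.113.0/30 are constructed placeholders.
interface Ethernet0/0
 description Trunk to core switch (802.1Q)
 no shutdown
!
interface Ethernet0/0.10
 vlan 10
 nameif ManagementVlan
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0.20
 vlan 20
 nameif StaffVlan
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0/0.30
 vlan 30
 nameif ServerVlan
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
interface Ethernet0/0.50
 vlan 50
 nameif StudentVlan
 security-level 100
 ip address 10.10.50.1 255.255.255.0
!
interface Ethernet0/1
 description To ISP-managed modem
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
! Default route: the next hop is the ISP router's address on the /30, not the ASA's own address.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! PAT: every inside subnet is translated to the outside interface address (global id 1).
global (outside) 1 interface
nat (ManagementVlan) 1 10.10.10.0 255.255.255.0
nat (StaffVlan) 1 10.10.20.0 255.255.255.0
nat (ServerVlan) 1 10.10.30.0 255.255.255.0
nat (StudentVlan) 1 10.10.50.0 255.255.255.0
```

To check it, `show route` should list the default route as a static (S*) entry via 203.0.113.1 on outside, and `show xlate` should show PAT entries once an inside host reaches the internet. Because all inside interfaces sit at security level 100, the ASA will not forward traffic between them unless `same-security-traffic permit inter-interface` is configured, which fits the plan of leaving inter-VLAN routing, and the VLAN 50 to VLAN 20 restriction, on the core switch.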
 

Author Comment

by:MCP200
ID: 34234964
Routing is working fine now; I had to contact the ISP to provide the IP address for their VLAN interface. I'll do some restructuring over the weekend and I'll get my 3750 to do the routing as it's easier.

One more thing, when security level is set to 100, what kind of traffic is allowed outbound?


0
 
LVL 79

Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 34235622
All traffic from higher (100) to lower (0) is allowed by default
0
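Since everything from a level-100 interface to the level-0 outside is permitted until an access-group is applied, an interface ACL is the way to narrow that outbound policy. The following is an added ASA 8.2 example, not part of the accepted answer, that limits the StudentVlan to web and DNS and logs what gets dropped; the choice of services is an assumption made for illustration.

```cisco
! Added example, ASA 8.2 syntax. Applying an ACL inbound on StudentVlan replaces the
! default "higher-to-lower is allowed" behaviour with this explicit policy.
access-list STUDENT_OUT extended permit udp 10.10.50.0 255.255.255.0 any eq domain
access-list STUDENT_OUT extended permit tcp 10.10.50.0 255.255.255.0 any eq www
access-list STUDENT_OUT extended permit tcp 10.10.50.0 255.255.255.0 any eq https
! Explicit final deny with logging so blocked flows appear in syslog (message 106100).
access-list STUDENT_OUT extended deny ip any any log
access-group STUDENT_OUT in interface StudentVlan
```

`show access-list STUDENT_OUT` shows per-entry hit counts, which is a quick way to confirm both that the permits are being used and that the deny line is catching anything unexpected. As lrmoore notes, a VLAN 50 to VLAN 20 block belongs on the core switch, since that is where inter-VLAN routing happens in this design.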
