How to route traffic on ASA

Posted on 2010-11-29
Last Modified: 2012-06-21
Hi There,

I need some assistance with configuring my new internet connection on an ASA 5510.
I need to route all traffic to my ISP.

I have set up sub-interfaces for each of my VLANs (see below), and E0/1 connects directly to the ISP-managed modem. I have assigned the public IP address to interface E0/1, which connects directly to the ISP's modem. I would also like to set up PAT for my internal users to be able to access the internet (please review and advise).

I'm attaching a draft network diagram that I'm working on for your review.


#################################
Ethernet0/0.10             10.10.10.1
Ethernet0/0.20             10.10.20.1
Ethernet0/0.30             10.10.30.1
Ethernet0/0.40             10.10.40.1
Ethernet0/0.50             10.10.50.1
#################################

#################################
global (outside) 1 interface
nat (ManagementVlan) 1 10.10.10.0 255.255.255.0
nat (StaffVlan) 1 10.10.20.0 255.255.255.0
nat (ServerVlan) 1 10.10.30.0 255.255.255.0
nat (StudentVlan) 1 10.10.50.0 255.255.255.0
#################################
Question by:MCP200
5 Comments
Expert Comment

by:lrmoore
ID: 34229639
So far that looks OK. Did you set the default route to the ISP specified ip address?
Have you considered the security levels of each vlan?
Have you considered which networks need to talk to each other? Are you routing between the vlans on the core switch?
You did not specify exactly which version of the ASA OS you are running, and NAT commands have changed dramatically between 8.2 and 8.3. Most versions up to 8.2 are pretty much the same.
Author Comment

by:MCP200
ID: 34230972
Hi, thanks for the reply.

I'm running ASA 8.2.

1) I don't want VLAN 50 to communicate with VLAN 20 at all.

2) I have set the security level to 100 for all inside VLANs and level 0 for the outside interface.

3) Well, I had a router-on-a-stick setup and now it will be replaced by the ASA. The routing between VLANs is done by the core switch.

4) I set up route outside 1 0 255.255.255.252 interface
I'm not sure if that's the right way to assign the default route to the supplied public IP.

Thank you
Expert Comment

by:lrmoore
ID: 34231303
For a default route use this syntax:

route outside 0.0.0.0 0.0.0.0 <ip of ISP's managed router>

As long as the routing between vlans is accomplished on the core router, that is where you need to put acls to restrict access between vlans.

If you want to use the ASA to route between the vlans, then you need to disable nat-control, and create acls to apply to each interface to allow/block traffic. It gets ugly trying to use an ASA as a router.
Author Comment

by:MCP200
ID: 34234964
Routing is working fine now; I had to contact the ISP to provide the IP address for their VLAN interface. I'll do some restructuring over the weekend and I'll get my 3750 to do the routing, as it's easier.

One more thing: when the security level is set to 100, what kind of traffic is allowed outbound?
Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 34235622
All traffic from a higher security level (100) to a lower one (0) is allowed by default.
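As an added example, not from the thread or from Cisco, here is a small Python lint that applies the three points lrmoore raised (the 8.2 default-route syntax, a nat statement bound to a global pool for every inside interface, and the higher-to-lower default) to a config fragment constructed from the lines posted above; the nameif/security-level stanzas and the interface name GuestVlan for Ethernet0/0.40 are assumptions, since the poster did not show them.

```python
import re
# Constructed ASA 8.2-style fragment built from the lines quoted in this thread; the
# nameif/security-level stanzas and the name GuestVlan for Ethernet0/0.40 are assumed.
SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif outside
 security-level 0
interface Ethernet0/0.40
 nameif GuestVlan
 security-level 100
interface Ethernet0/0.50
 nameif StudentVlan
 security-level 100
global (outside) 1 interface
nat (StudentVlan) 1 10.10.50.0 255.255.255.0
route outside 1 0 255.255.255.252 interface
"""

# 8.2 default route: route <if> 0.0.0.0 0.0.0.0 <next-hop ip> (the '0 0' shorthand is also accepted)
DEFAULT_ROUTE = re.compile(r"route (\S+) (0|0\.0\.0\.0) (0|0\.0\.0\.0) ((?:\d{1,3}\.){3}\d{1,3})$")

def parse(config):
    """Collect per-interface security levels, nat/global pool ids and default-route gateways."""
    levels, nat_ids, global_ids, gateways, cur = {}, {}, set(), [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            cur = m.group(1)
        elif m := re.match(r"security-level (\d+)$", line):
            levels[cur] = int(m.group(1))
        elif m := re.match(r"global \(\S+\) (\d+)", line):
            global_ids.add(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nat_ids[m.group(1)] = m.group(2)
        elif m := DEFAULT_ROUTE.match(line):
            gateways.append(m.group(4))
    return levels, nat_ids, global_ids, gateways

def lint(config):
    """Findings for the points raised in the thread; an empty list means all checks passed."""
    levels, nat_ids, global_ids, gateways = parse(config)
    outside = min(levels, key=levels.get)  # lowest security level is the untrusted side
    findings = [f"{name}: no nat statement bound to a global pool, so PAT will not apply"
                for name, lvl in levels.items()
                if lvl > levels[outside] and nat_ids.get(name) not in global_ids]
    if not gateways:
        findings.append("no default route; use: route outside 0.0.0.0 0.0.0.0 <ISP router ip>")
    return findings

def allowed_by_default(levels, src, dst):
    return levels[src] > levels[dst]  # no ACL: only higher-to-strictly-lower level may initiate
```

Running `lint(SAMPLE_CONFIG)` reports the missing nat line for the assumed GuestVlan and the malformed default route; once both are corrected the list is empty.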