• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1082
  • Last Modified:

ASA 5505 with two internal subnets

I have two internal networks - one is a class B and the other a class C.  I do not have enough ports on my Cisco 2600 router to bring all the connections together (need 3 ethernet ports).  I have the class B (10.1.0.0) configured and accessible throguh the ASA firewall as well as the 2600 router.  The class C network (192.189.2.0) needs to be able to access the resources on 10.1.0.0 as well as route traffic out the fiber network.  I can ping 192.189.2.6 from the ASA and can ping 192.189.2.1 from the workstation.  I cannot ping 10.1.x.x from the workstation, however.

I have looked on this forum as well as other websites and tried various solutions.  Here's what I currently have:

ASA Version 8.2(2)
!
hostname ASA
domain-name xxx.local
enable password
passwd
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2xx.xxx.xxx.xxx 255.255.255.240
!
interface Vlan10
 nameif WLAN
 security-level 10
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan50
 nameif DMZ
 security-level 50
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan75
 nameif
 security-level 75
 ip address 192.189.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport trunk allowed vlan 10,50
 switchport mode trunk
 switchport protected
!
interface Ethernet0/3
 switchport access vlan 75
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name xxx.local
same-security-traffic permit intra-interface
access-list no-nat extended permit ip 10.1.0.0 255.255.0.0 192.189.2.0 255.255.255.0
access-list no-nat extended permit ip 192.189.2.0 255.255.255.0 10.1.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 4096
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 192.189.2.0 255.255.255.0
nat (inside) 1 10.1.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 2xx.xxx.xxx.xxx 1
route inside 192.189.2.0 255.255.255.0 10.1.1.1 1

Thanks.
0
Quelle70
Asked:
Quelle70
  • 2
1 Solution
 
MikeKaneCommented:
You need to allow the traffic from the lower security interface to the higher security interface.  

1st off, give it a name:
interface Vlan75
 nameif
 security-level 75
 ip address 192.189.2.1 255.255.255.0

Make it anything.....  
interface Vlan75
 nameif this_network
 security-level 75
 ip address 192.189.2.1 255.255.255.0

Use
access-list this_network_in extended permit ip 10.1.0.0 255.255.0.0  192.189.2.0 255.255.255.0
access-group this_network_in in interface this_network


That will allow the traffic to flow into the other network.
0
 
Quelle70Author Commented:
Ok, so since 10.1.0.0 is security level 100 and 192.189.2.0 is security level 75, I put the following statement:

access-list this_network_in extended permit ip 192.189.2.0 255.255.255.0  10.99.0.0 255.255.255.0
access-group this_network_in in interface this_network

I also put in a NAT (this_network) 4 192.189.2.0 255.255.255.0

I can ping both ways now and it appears to be working just fine!

Does the NAT statement sound correct?


0
 
MikeKaneCommented:
Instead of
NAT (this_network) 4 192.189.2.0 255.255.255.0

use

NAT (this_network) 1 192.189.2.0 255.255.255.0

"This_Network" would still go outbound to the public internet using the same "global 1" that the other use for Nating to the interface IP.

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now