Solved

ASA 5505 with two internal subnets

Posted on 2011-02-21
3
1,060 Views
Last Modified: 2012-06-27
I have two internal networks - one is a class B and the other a class C.  I do not have enough ports on my Cisco 2600 router to bring all the connections together (need 3 ethernet ports).  I have the class B (10.1.0.0) configured and accessible throguh the ASA firewall as well as the 2600 router.  The class C network (192.189.2.0) needs to be able to access the resources on 10.1.0.0 as well as route traffic out the fiber network.  I can ping 192.189.2.6 from the ASA and can ping 192.189.2.1 from the workstation.  I cannot ping 10.1.x.x from the workstation, however.

I have looked on this forum as well as other websites and tried various solutions.  Here's what I currently have:

ASA Version 8.2(2)
!
hostname ASA
domain-name xxx.local
enable password
passwd
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2xx.xxx.xxx.xxx 255.255.255.240
!
interface Vlan10
 nameif WLAN
 security-level 10
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan50
 nameif DMZ
 security-level 50
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan75
 nameif
 security-level 75
 ip address 192.189.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport trunk allowed vlan 10,50
 switchport mode trunk
 switchport protected
!
interface Ethernet0/3
 switchport access vlan 75
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name xxx.local
same-security-traffic permit intra-interface
access-list no-nat extended permit ip 10.1.0.0 255.255.0.0 192.189.2.0 255.255.255.0
access-list no-nat extended permit ip 192.189.2.0 255.255.255.0 10.1.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 4096
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 192.189.2.0 255.255.255.0
nat (inside) 1 10.1.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 2xx.xxx.xxx.xxx 1
route inside 192.189.2.0 255.255.255.0 10.1.1.1 1

Thanks.
0
Comment
Question by:Quelle70
  • 2
3 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 34945811
You need to allow the traffic from the lower security interface to the higher security interface.  

1st off, give it a name:
interface Vlan75
 nameif
 security-level 75
 ip address 192.189.2.1 255.255.255.0

Make it anything.....  
interface Vlan75
 nameif this_network
 security-level 75
 ip address 192.189.2.1 255.255.255.0

Use
access-list this_network_in extended permit ip 10.1.0.0 255.255.0.0  192.189.2.0 255.255.255.0
access-group this_network_in in interface this_network


That will allow the traffic to flow into the other network.
0
 

Author Comment

by:Quelle70
ID: 34946010
Ok, so since 10.1.0.0 is security level 100 and 192.189.2.0 is security level 75, I put the following statement:

access-list this_network_in extended permit ip 192.189.2.0 255.255.255.0  10.99.0.0 255.255.255.0
access-group this_network_in in interface this_network

I also put in a NAT (this_network) 4 192.189.2.0 255.255.255.0

I can ping both ways now and it appears to be working just fine!

Does the NAT statement sound correct?


0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34946733
Instead of
NAT (this_network) 4 192.189.2.0 255.255.255.0

use

NAT (this_network) 1 192.189.2.0 255.255.255.0

"This_Network" would still go outbound to the public internet using the same "global 1" that the other use for Nating to the interface IP.

0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now