?
Solved

ASA 5505 with Two Internal Networks

Posted on 2011-02-23
3
Medium Priority
?
722 Views
Last Modified: 2012-06-27
With the help of another member, I am successfully able to see my two networks tied to the ASA.  I cannot, however, hit the Internet with my second network (2.0).   Also, I need to be able to get to routed networks (25.0 and 1.0) on the router.  I know the ASA is not a router and if I could move the second network to the router - I would (not enough ports).

                                                                                             ASA 5505
                                                                               (192.189.2.1)  (10.99.1.2)
                                                                                        /                   \
                                                                                      /                       \
                                                                                     /                          \
                                                                          192.189.2.0               2600 Router (10.99.1.1)
                                                                                                                /       \                     \
                                                                                                              /           \                     \
                                                                                                             /             \                      \
                                                                                            192.168.25.0       192.189.1.0         10.99.0.0



ASA Version 8.2(2)
!

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.99.1.2 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Vlan10
 nameif WLAN
 security-level 10
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan50
 nameif DMZ
 security-level 50
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan75
 nameif CIA
 security-level 75
 ip address 192.189.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport trunk allowed vlan 10,50
 switchport mode trunk
 switchport protected
!
interface Ethernet0/3
 switchport access vlan 75
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name cca.local
same-security-traffic permit intra-interface
access-list no-nat extended permit ip 10.99.0.0 255.255.0.0 192.189.2.0 255.255.255.0
access-list no-nat extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
access-list ciatoin extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 4096
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu DMZ 1500
mtu CIA 1500
ip local pool vpnphone-ip-pool 10.99.201.1-10.99.201.10 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 xxx.xxx.xxx.xxx netmask 255.255.255.255
global (outside) 3 xxx.xxx.xxx.xxx netmask 255.255.255.255
nat (inside) 0 access-list no-nat
nat (inside) 1 192.150.1.0 255.255.255.0
nat (inside) 1 10.99.0.0 255.255.0.0
nat (WLAN) 3 192.168.6.0 255.255.255.0
nat (DMZ) 2 192.168.4.0 255.255.255.0
nat (CIA) 1 192.189.2.0 255.255.255.0
access-group acl_out in interface outside
access-group dmztoin in interface DMZ
access-group ciatoin in interface CIA
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.150.1.0 255.255.255.0 10.99.1.1 1
route inside 192.189.2.0 255.255.255.0 10.99.1.1 1
                                                                                   
0
Comment
Question by:Quelle70
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
jmeggers earned 1500 total points
ID: 34966839
You need to add some statements to your CIA-in ACL to permit traffic to the .25 and .1 networks.  Right now you're not permitting those.  

As for why you can't get out to the internet from .2, the only thing I can suggest is creating another NAT group since CIA is a different interface than Inside.  I suspect the fact that they're both NAT group 1 but different internal interfaces may be confusing, so creating a NAT group 4 may do it.  You have a /28 address space on the outside, so hopefully you have at least one host address you could spare for that purpose.  
0
 

Author Comment

by:Quelle70
ID: 34989626
I was able to get the two networks to communicate.  Thanks for your help.
0
 

Author Closing Comment

by:Quelle70
ID: 34989632
There were additional steps I had to take outside the remarks made by the poster.  His solution put me on the right track - but wasn't the complete answer.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question