Quelle70
asked on
ASA 5505 with Two Internal Networks
With the help of another member, I am successfully able to see my two networks tied to the ASA. I cannot, however, hit the Internet with my second network (2.0). Also, I need to be able to get to routed networks (25.0 and 1.0) on the router. I know the ASA is not a router and if I could move the second network to the router - I would (not enough ports).
                   ASA 5505
        (192.189.2.1)        (10.99.1.2)
             /                     \
            /                       \
           /                         \
     192.189.2.0            2600 Router (10.99.1.1)
                             /         \         \
                            /           \         \
                           /             \         \
                   192.168.25.0    192.189.1.0    10.99.0.0
ASA Version 8.2(2)
!
interface Vlan1
nameif inside
security-level 100
ip address 10.99.1.2 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Vlan10
nameif WLAN
security-level 10
ip address 192.168.6.1 255.255.255.0
!
interface Vlan50
nameif DMZ
security-level 50
ip address 192.168.4.1 255.255.255.0
!
interface Vlan75
nameif CIA
security-level 75
ip address 192.189.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
switchport trunk allowed vlan 10,50
switchport mode trunk
switchport protected
!
interface Ethernet0/3
switchport access vlan 75
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name cca.local
same-security-traffic permit intra-interface
access-list no-nat extended permit ip 10.99.0.0 255.255.0.0 192.189.2.0 255.255.255.0
access-list no-nat extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
access-list ciatoin extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 4096
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu DMZ 1500
mtu CIA 1500
ip local pool vpnphone-ip-pool 10.99.201.1-10.99.201.10 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 xxx.xxx.xxx.xxx netmask 255.255.255.255
global (outside) 3 xxx.xxx.xxx.xxx netmask 255.255.255.255
nat (inside) 0 access-list no-nat
nat (inside) 1 192.150.1.0 255.255.255.0
nat (inside) 1 10.99.0.0 255.255.0.0
nat (WLAN) 3 192.168.6.0 255.255.255.0
nat (DMZ) 2 192.168.4.0 255.255.255.0
nat (CIA) 1 192.189.2.0 255.255.255.0
access-group acl_out in interface outside
access-group dmztoin in interface DMZ
access-group ciatoin in interface CIA
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.150.1.0 255.255.255.0 10.99.1.1 1
route inside 192.189.2.0 255.255.255.0 10.99.1.1 1
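An added consistency check (my own script, not from the question or its answer): it parses the lines of the pasted 8.2 configuration that matter for routing and NAT and reports three things a reviewer looks at first, a static route whose destination overlaps a directly connected interface subnet, a nat ID with no matching global, and an access-group naming an ACL that is absent from the excerpt. It assumes a plain Python 3 install and that redacted xxx.xxx.xxx.xxx addresses are left out of the input.

```python
import ipaddress
import re
# Constructed excerpt of the ASA 8.2 config pasted above: only the lines the checks read.
ASA_EXCERPT = """\
interface Vlan1
 nameif inside
 ip address 10.99.1.2 255.255.0.0
interface Vlan75
 nameif CIA
 ip address 192.189.2.1 255.255.255.0
access-list no-nat extended permit ip 10.99.0.0 255.255.0.0 192.189.2.0 255.255.255.0
access-list ciatoin extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.99.0.0 255.255.0.0
nat (CIA) 1 192.189.2.0 255.255.255.0
access-group acl_out in interface outside
access-group ciatoin in interface CIA
route inside 192.150.1.0 255.255.255.0 10.99.1.1 1
route inside 192.189.2.0 255.255.255.0 10.99.1.1 1
"""

def lint_asa(config):
    """Return (check, detail) findings for the three consistency checks below."""
    connected, routes, nats, globals_, acls, groups, nameif = {}, [], [], set(), set(), [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m[1]
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and nameif:
            connected[nameif] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False), m[4]))
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nats.append((m[1], int(m[2])))
        elif m := re.match(r"global \(\S+\) (\d+) ", line):
            globals_.add(int(m[1]))
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups.append((m[1], m[2]))
    findings = []
    for iface, net, nh in routes:  # 1. static route for a subnet already directly connected
        for name, cnet in connected.items():
            if net.overlaps(cnet):
                findings.append(("route-overlaps-connected", f"route {iface} {net} via {nh} overlaps {name} {cnet}"))
    # 2. a nat id with no global on the outside (id 0 is NAT exemption and needs none)
    findings += [("nat-without-global", f"nat ({i}) {n}") for i, n in nats if n and n not in globals_]
    # 3. an access-group naming an ACL that does not appear in this excerpt
    findings += [("acl-not-in-excerpt", f"{a} on {i}") for a, i in groups if a not in acls]
    return findings
```

Run against the full pasted config (with the xxx lines dropped) the same checks apply; an ACL reported as missing may simply be part of the config the poster did not paste.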
ASKER
There were additional steps I had to take outside the remarks made by the poster. His solution put me on the right track - but wasn't the complete answer.