ASA 5505 with Two Internal Networks

Posted on 2011-02-23
Last Modified: 2012-06-27
With the help of another member, I am successfully able to see my two networks tied to the ASA.  I cannot, however, hit the Internet with my second network (2.0).   Also, I need to be able to get to routed networks (25.0 and 1.0) on the router.  I know the ASA is not a router and if I could move the second network to the router - I would (not enough ports).

[Network diagram, addresses not recoverable from the page: the ASA 5505 sits above a 2600 Router, and the additional networks hang off the router.]

ASA Version 8.2(2)

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx
interface Vlan10
 nameif WLAN
 security-level 10
 ip address
interface Vlan50
 nameif DMZ
 security-level 50
 ip address
interface Vlan75
 nameif CIA
 security-level 75
 ip address
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
interface Ethernet0/1
 speed 100
 duplex full
interface Ethernet0/2
 switchport trunk allowed vlan 10,50
 switchport mode trunk
 switchport protected
interface Ethernet0/3
 switchport access vlan 75
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name cca.local
same-security-traffic permit intra-interface
access-list no-nat extended permit ip
access-list no-nat extended permit ip
access-list ciatoin extended permit ip
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 4096
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu DMZ 1500
mtu CIA 1500
ip local pool vpnphone-ip-pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 xxx.xxx.xxx.xxx netmask
global (outside) 3 xxx.xxx.xxx.xxx netmask
nat (inside) 0 access-list no-nat
nat (inside) 1
nat (inside) 1
nat (WLAN) 3
nat (DMZ) 2
nat (CIA) 1
access-group acl_out in interface outside
access-group dmztoin in interface DMZ
access-group ciatoin in interface CIA
route outside xxx.xxx.xxx.xxx 1
route inside 1
route inside 1
Question by: Quelle70

Accepted Solution

jmeggers earned 1500 total points
ID: 34966839
You need to add some statements to your CIA-in ACL to permit traffic to the .25 and .1 networks.  Right now you're not permitting those.  

As for why you can't get out to the internet from .2, the only thing I can suggest is creating another NAT group since CIA is a different interface than Inside.  I suspect the fact that they're both NAT group 1 but different internal interfaces may be confusing, so creating a NAT group 4 may do it.  You have a /28 address space on the outside, so hopefully you have at least one host address you could spare for that purpose.  
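
The two points in the accepted solution (a NAT id shared between the inside and CIA interfaces, and a CIA inbound ACL that does not permit the routed networks) can be checked mechanically against an ASA 8.2-style configuration. The script below is an added example written for this page, not code from the asker or the answerer. It parses `nat`, `global`, `access-list` and `access-group` lines, flags shared or pool-less NAT ids, lists destination networks an interface's inbound ACL does not permit, and emits the ASA 8.2 lines the answer suggests (a dedicated NAT id with its own outside address, plus ACL permits). Every address in it is a constructed RFC 1918 or documentation-range stand-in; the asker's real addresses were redacted from the posted config, and the sample keeps only the statement types the checks read.

```python
"""Audit an ASA 8.2-style config for shared NAT ids, NAT ids with no global
pool, and inbound ACLs that omit needed destination networks.

Added example for this page, not the asker's or answerer's code. All
addresses are constructed stand-ins (RFC 1918 / 203.0.113.0/24).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the posted layout (inside, CIA, WLAN, DMZ);
# interface stanzas are omitted because the checks below do not read them.
SAMPLE_CONFIG = """\
access-list ciatoin extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list wlan_in extended permit ip any any
global (outside) 1 interface
global (outside) 3 203.0.113.10 netmask 255.255.255.255
nat (inside) 0 access-list no-nat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (CIA) 1 192.168.2.0 255.255.255.0
nat (WLAN) 3 192.168.10.0 255.255.255.0
nat (DMZ) 2 192.168.50.0 255.255.255.0
access-group ciatoin in interface CIA
access-group wlan_in in interface WLAN
"""

# Constructed stand-ins for the ".25" and ".1" networks routed via the 2600.
ROUTED_NETWORKS = ["192.168.25.0/24", "192.168.3.0/24"]

_NAT = re.compile(r"^nat \((\S+)\) (\d+)(?: (.*))?$")
_GLOBAL = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
_ACL = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
_AG = re.compile(r"^access-group (\S+) in interface (\S+)$")


def _take_network(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from a token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Collect NAT, global, ACL and access-group statements from config text."""
    cfg = {"nat": [], "global": {}, "acl": defaultdict(list), "access_group": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := _NAT.match(line):
            cfg["nat"].append((m[1], int(m[2]), m[3] or ""))
        elif m := _GLOBAL.match(line):
            cfg["global"][int(m[2])] = (m[1], m[3])
        elif m := _ACL.match(line):
            src, rest = _take_network(m[4].split())
            dst, _ = _take_network(rest)
            cfg["acl"][m[1]].append((m[2], m[3], src, dst))
        elif m := _AG.match(line):
            cfg["access_group"][m[2]] = m[1]
    return cfg


def shared_nat_ids(cfg):
    """NAT ids used by more than one interface (id 0 is the nat-exempt list)."""
    users = defaultdict(set)
    for iface, nat_id, _ in cfg["nat"]:
        if nat_id:
            users[nat_id].add(iface)
    return {nat_id: sorted(ifs) for nat_id, ifs in users.items() if len(ifs) > 1}


def nat_without_global(cfg):
    """(interface, id) pairs whose NAT id has no global pool to translate into."""
    return sorted({(iface, nat_id) for iface, nat_id, _ in cfg["nat"]
                   if nat_id and nat_id not in cfg["global"]})


def acl_gaps(cfg, iface, networks):
    """Destination networks not covered by any permit in iface's inbound ACL."""
    entries = cfg["acl"].get(cfg["access_group"].get(iface), [])
    return [str(net) for net in map(ipaddress.ip_network, networks)
            if not any(action == "permit" and net.subnet_of(dst)
                       for action, _proto, _src, dst in entries)]


def _asa(net):
    """Render a CIDR network in ASA 'address mask' form."""
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.netmask}"


def suggested_fixes(cfg, iface, networks, spare_global, new_id):
    """ASA 8.2 lines implementing the answer: a dedicated NAT id for iface with
    its own outside address, then an ACL permit for each uncovered network."""
    local = next(rest for i, _, rest in cfg["nat"] if i == iface and rest)
    old_id = next(n for i, n, rest in cfg["nat"] if i == iface and rest)
    lines = []
    if any(iface in ifs for ifs in shared_nat_ids(cfg).values()):
        lines.append(f"no nat ({iface}) {old_id} {local}")
        lines.append(f"global (outside) {new_id} {spare_global} netmask 255.255.255.255")
        lines.append(f"nat ({iface}) {new_id} {local}")
    acl = cfg["access_group"][iface]
    for net in acl_gaps(cfg, iface, networks):
        lines.append(f"access-list {acl} extended permit ip {local} {_asa(net)}")
    return lines


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("shared NAT ids:", shared_nat_ids(cfg))
    print("NAT ids without a global:", nat_without_global(cfg))
    print("CIA ACL gaps:", acl_gaps(cfg, "CIA", ROUTED_NETWORKS))
    print("\n".join(suggested_fixes(cfg, "CIA", ROUTED_NETWORKS, "203.0.113.11", 4)))
```

Run against the constructed sample, `shared_nat_ids` reports id 1 on both `CIA` and `inside`, `nat_without_global` reports the DMZ's id 2, and `acl_gaps` for `CIA` lists both routed networks, while the WLAN's `permit ip any any` covers everything. The spare outside address passed to `suggested_fixes` is the one the answer says to set aside from the /28; the checks treat any `permit` whose destination contains the network as coverage and do not inspect protocol or ports.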

Author Comment

ID: 34989626
I was able to get the two networks to communicate.  Thanks for your help.

Author Closing Comment

ID: 34989632
There were additional steps I had to take outside the remarks made by the poster.  His solution put me on the right track - but wasn't the complete answer.
