Solved

ASA 5505 with Two Internal Networks

Posted on 2011-02-23
Last Modified: 2012-06-27
With the help of another member, I am successfully able to see my two networks tied to the ASA.  I cannot, however, hit the Internet with my second network (2.0).   Also, I need to be able to get to routed networks (25.0 and 1.0) on the router.  I know the ASA is not a router and if I could move the second network to the router - I would (not enough ports).

                  ASA 5505
        (192.189.2.1)    (10.99.1.2)
              /              \
             /                \
            /                  \
   192.189.2.0            2600 Router (10.99.1.1)
                           /          \           \
                          /            \           \
                         /              \           \
                 192.168.25.0      192.189.1.0    10.99.0.0



ASA Version 8.2(2)
!

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.99.1.2 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Vlan10
 nameif WLAN
 security-level 10
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan50
 nameif DMZ
 security-level 50
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan75
 nameif CIA
 security-level 75
 ip address 192.189.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport trunk allowed vlan 10,50
 switchport mode trunk
 switchport protected
!
interface Ethernet0/3
 switchport access vlan 75
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name cca.local
same-security-traffic permit intra-interface
access-list no-nat extended permit ip 10.99.0.0 255.255.0.0 192.189.2.0 255.255.255.0
access-list no-nat extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
access-list ciatoin extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 4096
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu DMZ 1500
mtu CIA 1500
ip local pool vpnphone-ip-pool 10.99.201.1-10.99.201.10 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 xxx.xxx.xxx.xxx netmask 255.255.255.255
global (outside) 3 xxx.xxx.xxx.xxx netmask 255.255.255.255
nat (inside) 0 access-list no-nat
nat (inside) 1 192.150.1.0 255.255.255.0
nat (inside) 1 10.99.0.0 255.255.0.0
nat (WLAN) 3 192.168.6.0 255.255.255.0
nat (DMZ) 2 192.168.4.0 255.255.255.0
nat (CIA) 1 192.189.2.0 255.255.255.0
access-group acl_out in interface outside
access-group dmztoin in interface DMZ
access-group ciatoin in interface CIA
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.150.1.0 255.255.255.0 10.99.1.1 1
route inside 192.189.2.0 255.255.255.0 10.99.1.1 1
Question by: Quelle70

3 Comments

Accepted Solution by: jmeggers
You need to add some statements to your CIA-in ACL to permit traffic to the .25 and .1 networks.  Right now you're not permitting those.  

As for why you can't get out to the internet from .2, the only thing I can suggest is creating another NAT group since CIA is a different interface than Inside.  I suspect the fact that they're both NAT group 1 but different internal interfaces may be confusing, so creating a NAT group 4 may do it.  You have a /28 address space on the outside, so hopefully you have at least one host address you could spare for that purpose.  
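A concrete version of the two changes the accepted answer describes (permit the routed networks in the CIA ACL, and give CIA its own NAT group), written here as an added example in ASA 8.2 syntax; it is not the poster's final configuration, which the closing comment says needed further steps. It assumes the 2600 at 10.99.1.1 is the next hop for 192.168.25.0/24 and 192.189.1.0/24 as the diagram shows, and uses SPARE_OUTSIDE_IP as a placeholder for one unused host address in the outside /28.

```cisco
! Added example (ASA 8.2 syntax), not the poster's final configuration.
!
! 1. Interface ACL on CIA: an applied ACL ends in an implicit deny, and
!    ciatoin currently permits only 192.189.2.0/24 -> 10.99.0.0/16.
!    Permit the two routed networks and, for Internet access, everything else.
!    (Insert deny lines for DMZ/WLAN ahead of the "any" line if CIA should
!    not reach those segments.)
access-list ciatoin extended permit ip 192.189.2.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list ciatoin extended permit ip 192.189.2.0 255.255.255.0 192.189.1.0 255.255.255.0
access-list ciatoin extended permit ip 192.189.2.0 255.255.255.0 any
!
! 2. Routes: the running config has no route for 192.168.25.0/24 or
!    192.189.1.0/24, so they currently follow the default route out the
!    outside interface. Next hop assumed from the diagram (2600 at 10.99.1.1).
route inside 192.168.25.0 255.255.255.0 10.99.1.1 1
route inside 192.189.1.0 255.255.255.0 10.99.1.1 1
! The existing static route for 192.189.2.0/24 points at the router although
! that subnet is directly connected on Vlan75 (CIA); remove it.
no route inside 192.189.2.0 255.255.255.0 10.99.1.1 1
!
! 3. Separate NAT group for CIA (the answer's "NAT group 4"), so CIA no
!    longer shares group 1 with inside. SPARE_OUTSIDE_IP is a placeholder.
no nat (CIA) 1 192.189.2.0 255.255.255.0
global (outside) 4 SPARE_OUTSIDE_IP netmask 255.255.255.255
nat (CIA) 4 192.189.2.0 255.255.255.0
!
! 4. Keep CIA <-> internal traffic untranslated, mirroring the existing
!    no-nat exemption on inside. NAT exemption is evaluated before nat 4.
access-list cia-no-nat extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
access-list cia-no-nat extended permit ip 192.189.2.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list cia-no-nat extended permit ip 192.189.2.0 255.255.255.0 192.189.1.0 255.255.255.0
nat (CIA) 0 access-list cia-no-nat
!
! Verify: "show access-list ciatoin" (hit counts), "show route", "show xlate"
```

The hit counts on ciatoin and the xlate table are the quickest way to confirm that CIA traffic is matching the new permit lines and the new global, rather than the implicit deny or the shared group 1.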

Author Comment by: Quelle70
I was able to get the two networks to communicate.  Thanks for your help.

Author Closing Comment by: Quelle70
There were additional steps I had to take outside the remarks made by the poster.  His solution put me on the right track - but wasn't the complete answer.