Solved

ASA 5505 with Two Internal Networks

Posted on 2011-02-23
3
718 Views
Last Modified: 2012-06-27
With the help of another member, I am successfully able to see my two networks tied to the ASA.  I cannot, however, hit the Internet with my second network (2.0).   Also, I need to be able to get to routed networks (25.0 and 1.0) on the router.  I know the ASA is not a router and if I could move the second network to the router - I would (not enough ports).

                                                                                             ASA 5505
                                                                               (192.189.2.1)  (10.99.1.2)
                                                                                        /                   \
                                                                                      /                       \
                                                                                     /                          \
                                                                          192.189.2.0               2600 Router (10.99.1.1)
                                                                                                                /       \                     \
                                                                                                              /           \                     \
                                                                                                             /             \                      \
                                                                                            192.168.25.0       192.189.1.0         10.99.0.0



ASA Version 8.2(2)
!

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.99.1.2 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Vlan10
 nameif WLAN
 security-level 10
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan50
 nameif DMZ
 security-level 50
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan75
 nameif CIA
 security-level 75
 ip address 192.189.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport trunk allowed vlan 10,50
 switchport mode trunk
 switchport protected
!
interface Ethernet0/3
 switchport access vlan 75
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name cca.local
same-security-traffic permit intra-interface
access-list no-nat extended permit ip 10.99.0.0 255.255.0.0 192.189.2.0 255.255.255.0
access-list no-nat extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
access-list ciatoin extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 4096
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu DMZ 1500
mtu CIA 1500
ip local pool vpnphone-ip-pool 10.99.201.1-10.99.201.10 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 xxx.xxx.xxx.xxx netmask 255.255.255.255
global (outside) 3 xxx.xxx.xxx.xxx netmask 255.255.255.255
nat (inside) 0 access-list no-nat
nat (inside) 1 192.150.1.0 255.255.255.0
nat (inside) 1 10.99.0.0 255.255.0.0
nat (WLAN) 3 192.168.6.0 255.255.255.0
nat (DMZ) 2 192.168.4.0 255.255.255.0
nat (CIA) 1 192.189.2.0 255.255.255.0
access-group acl_out in interface outside
access-group dmztoin in interface DMZ
access-group ciatoin in interface CIA
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.150.1.0 255.255.255.0 10.99.1.1 1
route inside 192.189.2.0 255.255.255.0 10.99.1.1 1
                                                                                   
0
Comment
Question by:Quelle70
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 34966839
You need to add some statements to your CIA-in ACL to permit traffic to the .25 and .1 networks.  Right now you're not permitting those.  

As for why you can't get out to the internet from .2, the only thing I can suggest is creating another NAT group since CIA is a different interface than Inside.  I suspect the fact that they're both NAT group 1 but different internal interfaces may be confusing, so creating a NAT group 4 may do it.  You have a /28 address space on the outside, so hopefully you have at least one host address you could spare for that purpose.  
0
 

Author Comment

by:Quelle70
ID: 34989626
I was able to get the two networks to communicate.  Thanks for your help.
0
 

Author Closing Comment

by:Quelle70
ID: 34989632
There were additional steps I had to take outside the remarks made by the poster.  His solution put me on the right track - but wasn't the complete answer.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question