Solved

ASA 5505 with Two Internal Networks

Posted on 2011-02-23
3
709 Views
Last Modified: 2012-06-27
With the help of another member, I am successfully able to see my two networks tied to the ASA.  I cannot, however, hit the Internet with my second network (2.0).   Also, I need to be able to get to routed networks (25.0 and 1.0) on the router.  I know the ASA is not a router and if I could move the second network to the router - I would (not enough ports).

                                                                                             ASA 5505
                                                                               (192.189.2.1)  (10.99.1.2)
                                                                                        /                   \
                                                                                      /                       \
                                                                                     /                          \
                                                                          192.189.2.0               2600 Router (10.99.1.1)
                                                                                                                /       \                     \
                                                                                                              /           \                     \
                                                                                                             /             \                      \
                                                                                            192.168.25.0       192.189.1.0         10.99.0.0



ASA Version 8.2(2)
!

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.99.1.2 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Vlan10
 nameif WLAN
 security-level 10
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan50
 nameif DMZ
 security-level 50
 ip address 192.168.4.1 255.255.255.0
!
interface Vlan75
 nameif CIA
 security-level 75
 ip address 192.189.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport trunk allowed vlan 10,50
 switchport mode trunk
 switchport protected
!
interface Ethernet0/3
 switchport access vlan 75
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name cca.local
same-security-traffic permit intra-interface
access-list no-nat extended permit ip 10.99.0.0 255.255.0.0 192.189.2.0 255.255.255.0
access-list no-nat extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
access-list ciatoin extended permit ip 192.189.2.0 255.255.255.0 10.99.0.0 255.255.0.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 4096
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu DMZ 1500
mtu CIA 1500
ip local pool vpnphone-ip-pool 10.99.201.1-10.99.201.10 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 xxx.xxx.xxx.xxx netmask 255.255.255.255
global (outside) 3 xxx.xxx.xxx.xxx netmask 255.255.255.255
nat (inside) 0 access-list no-nat
nat (inside) 1 192.150.1.0 255.255.255.0
nat (inside) 1 10.99.0.0 255.255.0.0
nat (WLAN) 3 192.168.6.0 255.255.255.0
nat (DMZ) 2 192.168.4.0 255.255.255.0
nat (CIA) 1 192.189.2.0 255.255.255.0
access-group acl_out in interface outside
access-group dmztoin in interface DMZ
access-group ciatoin in interface CIA
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.150.1.0 255.255.255.0 10.99.1.1 1
route inside 192.189.2.0 255.255.255.0 10.99.1.1 1
                                                                                   
0
Comment
Question by:Quelle70
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 34966839
You need to add some statements to your CIA-in ACL to permit traffic to the .25 and .1 networks.  Right now you're not permitting those.  

As for why you can't get out to the internet from .2, the only thing I can suggest is creating another NAT group since CIA is a different interface than Inside.  I suspect the fact that they're both NAT group 1 but different internal interfaces may be confusing, so creating a NAT group 4 may do it.  You have a /28 address space on the outside, so hopefully you have at least one host address you could spare for that purpose.  
0
 

Author Comment

by:Quelle70
ID: 34989626
I was able to get the two networks to communicate.  Thanks for your help.
0
 

Author Closing Comment

by:Quelle70
ID: 34989632
There were additional steps I had to take outside the remarks made by the poster.  His solution put me on the right track - but wasn't the complete answer.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question