Cisco 5505 Firewall routing between subnets

Posted on 2012-08-24
Last Modified: 2012-09-10
This is the setup I have for an external connection. This external connection is for our boardrooms so people from outside the company can connect to the internet without getting on our LAN.

The outside connection provided by our ISP plugs into the Cisco 5505 Firewall. Through a series of simple risers, a D-Link router located in the boardroom is attached to this firewall. There is a series of 4 routers attached to this firewall.

I have assigned each router an external IP address under the "manual Internet connection" tab. For example, router 2 would have an IP of  The 3rd router in the 3rd boardroom would be, etc. When traffic is flowing through the FW, this is the IP it sees.

The Gateway (Cisco Firewall) is

Now, each router also has its own internal IP address. For example, router 2 would have an IP of  The 3rd router in the 3rd boardroom would be, etc. So if a PC that is connected to this router does an IPCONFIG, the Gateway would be this.

After all of that, each router gets to the internet great and everyone is happy.  But my question is:
I am on another router (external IP; the internal IP is) that only the IT people are allowed to be on. It is attached to this firewall as well. I want to be able to connect to each of the segments from mine so I can configure the routers without visiting each boardroom and having to connect to it. For example, my PC needs to be able to connect to the 2nd floor boardroom router at  But I also want to make sure no one can go from one of the boardrooms to the IT router.

Am I making sense?  

thx in advance
Question by:MaltusW
    LVL 18

    Expert Comment

    Generally speaking, you would put an access-list inbound on the inside interface of the 5505 that denies the other addresses from going to anything in the private address range, but permits everything else, and you have to make sure you permit "hair pinning" the traffic. Are you NATing on the internal routers? If not, then the source address of the traffic would be from each of the internal subnets; if you are, then the source address would be the specific IP on the outside of the router. Assuming the guest IP addresses are 192.168.1.x to 192.168.4.x, and your inside interface is named "Inside" try this:

    object-group network GUESTS
    object-group network Private_nets
    access-list Guest_ACL remark permit admin traffic
    access-list Guest_ACL permit ip host any
    access-list Guest_ACL remark deny access inside but permit Internet
    access-list Guest_ACL deny ip object-group GUESTS object-group Private_nets
    access-list Guest_ACL permit ip object-group GUESTS any
    access-list Guest_ACL remark permit all other traffic
    access-list Guest_ACL permit ip any any

    access-group Guest_ACL in interface Inside
    same-security-traffic permit intra-interface

    Let me know if that doesn't do what you want.
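The ACL above relies on first-match ordering: the admin host must be permitted before the guest deny, and the guest deny must come before the guest-to-Internet permit. The following Python is an added example (not from the original thread or from Cisco) that models that evaluation order so the intended policy can be checked on paper before it is applied. The admin host 192.168.10.5, the router addresses and the guest client addresses are constructed placeholders, since the real addresses are not given on the page; the guest subnets 192.168.1.0/24 to 192.168.4.0/24 follow the expert's assumption, and Private_nets is filled with the three RFC 1918 ranges.

```python
import ipaddress

# Constructed placeholder addresses; the thread's real IPs are not on the page.
ADMIN_HOST = ipaddress.ip_address("192.168.10.5")
GUESTS = [ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(1, 5)]
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _matches(addr, spec):
    """Match an address against 'any', a single host, or an object-group (list of networks)."""
    if spec == "any":
        return True
    if isinstance(spec, ipaddress.IPv4Address):
        return addr == spec
    return any(addr in net for net in spec)


# Entries in the same order as the expert's Guest_ACL: (action, source, destination).
GUEST_ACL = [
    ("permit", ADMIN_HOST, "any"),      # admin management traffic to the routers
    ("deny", GUESTS, PRIVATE_NETS),     # guests may not reach any private address
    ("permit", GUESTS, "any"),          # guests may reach the Internet
    ("permit", "any", "any"),           # everything else
]


def evaluate(acl, src, dst):
    """First-match evaluation as an ASA access-list does it; implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in acl:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"


# Flows the asker cares about, with the outcome the policy must produce (constructed).
EXPECTED = {
    ("192.168.10.5", "192.168.2.1"): "permit",   # admin PC -> boardroom 2 router
    ("192.168.2.50", "192.168.10.5"): "deny",    # guest -> IT router: must be blocked
    ("192.168.3.7", "192.168.1.1"): "deny",      # boardroom 3 -> boardroom 1: blocked
    ("192.168.2.50", "203.0.113.10"): "permit",  # guest -> Internet host
}


def audit(acl, expected=EXPECTED):
    """Return the flows whose evaluated action differs from the expected action."""
    return {flow: evaluate(acl, *flow)
            for flow, want in expected.items()
            if evaluate(acl, *flow) != want}


def swapped_order():
    """Same entries with the guest permit placed before the guest deny: the deny is shadowed."""
    return [GUEST_ACL[0], GUEST_ACL[2], GUEST_ACL[1], GUEST_ACL[3]]


if __name__ == "__main__":
    print("mismatches with correct order:", audit(GUEST_ACL))
    print("mismatches with swapped order:", audit(swapped_order()))
```

With the entries in the expert's order, `audit` returns no mismatches; with the guest permit moved ahead of the guest deny, the guest-to-IT and boardroom-to-boardroom flows are wrongly permitted, which is what the ASA would do too, since the first matching entry wins. The model only covers the access-list itself: as the accepted solution below points out, if every segment sits on the same ASA VLAN the ACL may never see the traffic between them.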

    Author Comment

Hi, sorry for the delay. I was away the last couple of days. I will try that and see what happens. I have attached a pdf that will hopefully provide a little more clarification. The green arrow in the diagram is the direction of the traffic that needs to be permitted. Also, would I not have to configure each router as well to allow the traffic? Thanks again
    LVL 18

    Accepted Solution

    I just saw what appears to be a flaw in my approach, and that is where do you apply the access-list. On the 5505, you'll apply it on the VLAN interface, but all the interfaces you're interested in protecting are on the same VLAN, so I believe the ASA may forward traffic within the VLAN without applying the ACL that's configured. If your segments were separated and not on the same VLAN, you could do what I suggested.

    So you may be right, that you would have to block traffic at each router rather than at the ASA. The concept is still the same, though -- you want to state the particular management traffic you want to allow, then block what you want to deny, then permit everything else (Internet). The question of how you accomplish that on the D-Link routers, I'm not sure I can answer.
