
Cisco 5505 Firewall routing between subnets

This is the setup I have for an external connection. This external connection is for our boardrooms so people from outside the company can connect to the internet without getting on our LAN.

The outside connection provided by our ISP plugs into the Cisco 5505 Firewall.  Through a series of simple risers, a D-Link router located in the boardroom is attached to this firewall.  There is a series of 4 routers attached to this firewall.

I have assigned each router with an External IP address under the "manual Internet connection" tab.  For example, router 2 would have an IP of  The 3rd router in the 3rd boardroom would be, etc etc.  When traffic is flowing through the FW, this is the IP it sees.  

The Gateway (Cisco Firewall) is

Now, each router also has its own IP address.  For example, router 2 would have an IP of  The 3rd router in the 3rd boardroom would be, etc etc.  So if a PC that is connected to this router does an IPCONFIG the Gateway would be this.  

After all of that, each router gets to the internet great and everyone is happy.  But my question is:
I am on another router, (external IP; the internal IP is that only the IT people are allowed to be on.  It is attached to this firewall as well.  I want to be able to connect to each of the segments from mine so I can configure the routers without visiting each boardroom and having to connect to it.  For example, my PC, needs to be able to connect to the 2nd floor boardroom router at  But I also want to make sure no one can go from one of the boardrooms to the IT router.

Am I making sense?  

thx in advance
1 Solution
John Meggers, Network Architect, commented:
Generally speaking, you would put an access-list inbound on the inside interface of the 5505 that denies the other addresses from going to anything in the private address range, but permits everything else, and you have to make sure you permit "hairpinning" the traffic. Are you NATing on the internal routers? If not, then the source address of the traffic would be from each of the internal subnets; if you are, then the source address would be the specific IP on the outside of the router. Assuming the guest IP addresses are 192.168.1.x to 192.168.4.x, and your inside interface is named "Inside", try this:

object-group network GUESTS
 description guest boardroom segments (192.168.1.x - 192.168.4.x)
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
object-group network Private_nets
 description RFC 1918 private address space
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list Guest_ACL remark permit admin traffic (IT host address goes after "host")
access-list Guest_ACL permit ip host any
access-list Guest_ACL remark deny access inside but permit Internet
access-list Guest_ACL deny ip object-group GUESTS object-group Private_nets
access-list Guest_ACL permit ip object-group GUESTS any
access-list Guest_ACL remark permit all other traffic
access-list Guest_ACL permit ip any any

access-group Guest_ACL in interface Inside
same-security-traffic permit intra-interface

Let me know if that doesn't do what you want.
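The following is an added worked example, not code from this thread, from Cisco or from the ASA: a small Python first-match evaluator that models the Guest_ACL ordering proposed above against the flows the question cares about (IT host to a boardroom router, guest to the IT host, guest to another boardroom, guest to the Internet), and that flags any entry an earlier entry fully shadows, which is how a misplaced "permit ip any any" silently defeats the deny. The guest subnets are the 192.168.1.0/24 to 192.168.4.0/24 that the answer assumes, Private_nets is the RFC 1918 space, and the IT host address 10.0.0.10 is a placeholder because the thread's real address is not shown. It checks only ACL logic; it does not model how the ASA forwards traffic between hosts on one VLAN.

```python
from ipaddress import ip_address, ip_network

# --- object groups (constructed values, see lead-in) ---------------------
GUESTS = [ip_network(f"192.168.{i}.0/24") for i in range(1, 5)]  # answer's assumption
PRIVATE_NETS = [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]                    # RFC 1918
ADMIN_HOST = [ip_network("10.0.0.10/32")]  # placeholder; the thread's IT host IP is not shown
ANY = [ip_network("0.0.0.0/0")]

# An ACE is (action, source networks, destination networks). Every entry in
# the answer is "ip", so protocol and ports are not modelled.
GUEST_ACL = [
    ("permit", ADMIN_HOST, ANY),       # admin traffic first
    ("deny",   GUESTS, PRIVATE_NETS),  # guests may not reach private space
    ("permit", GUESTS, ANY),           # ... but may reach the Internet
    ("permit", ANY, ANY),              # everything else
]

# Common mistake: the catch-all permit placed at the top.
MISORDERED_ACL = [GUEST_ACL[3]] + GUEST_ACL[:3]


def _matches(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def evaluate(acl, src, dst):
    """First-match evaluation; the ASA ends every ACL with an implicit deny."""
    for action, src_nets, dst_nets in acl:
        if _matches(src, src_nets) and _matches(dst, dst_nets):
            return action
    return "deny"


def _covered(small, big):
    """True if every network in `small` lies inside some network in `big`."""
    return all(any(s.subnet_of(b) for b in big) for s in small)


def shadowed_entries(acl):
    """Indexes of ACEs that can never match because an earlier ACE (of either
    action) already covers all of their sources and destinations."""
    hidden = []
    for j, (_, s_j, d_j) in enumerate(acl):
        for _, s_i, d_i in acl[:j]:
            if _covered(s_j, s_i) and _covered(d_j, d_i):
                hidden.append(j)
                break
    return hidden


def check_policy(acl):
    """Run the flows the question describes (constructed addresses) through an ACL."""
    flows = {
        "admin->guest_router":    ("10.0.0.10",    "192.168.2.1"),
        "guest->admin_host":      ("192.168.2.50", "10.0.0.10"),
        "guest->other_boardroom": ("192.168.2.50", "192.168.3.1"),
        "guest->internet":        ("192.168.2.50", "203.0.113.7"),
    }
    return {name: evaluate(acl, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, result in check_policy(GUEST_ACL).items():
        print(f"{name:24s} {result}")
    print("shadowed in GUEST_ACL:     ", shadowed_entries(GUEST_ACL))
    print("shadowed in MISORDERED_ACL:", shadowed_entries(MISORDERED_ACL))
```

With the answer's ordering, check_policy reports permit for the IT host reaching a boardroom router and for guests reaching the Internet, and deny for guests reaching the IT host or another boardroom; shadowed_entries is empty. With the catch-all moved to the top, entries 1 to 3 are reported as shadowed, which is the kind of ordering error worth catching before the ACL is applied to the interface. `subnet_of` requires Python 3.7 or later.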
MaltusW, Author, commented:
Hi, sorry for the delay.  I was away the last couple of days.  I will try that and see what happens.  I have attached a PDF that will hopefully provide a little more clarification.  The green arrow in the diagram is the direction of the traffic that needs to be permitted.  Also, would I not have to configure each router as well to allow the traffic?  Thanks again
John Meggers, Network Architect, commented:
I just saw what appears to be a flaw in my approach, and that is where do you apply the access-list. On the 5505, you'll apply it on the VLAN interface, but all the interfaces you're interested in protecting are on the same VLAN, so I believe the ASA may forward traffic within the VLAN without applying the ACL that's configured. If your segments were separated and not on the same VLAN, you could do what I suggested.

So you may be right, that you would have to block traffic at each router rather than at the ASA. The concept is still the same, though -- you want to state the particular management traffic you want to allow, then block what you want to deny, then permit everything else (Internet). The question of how you accomplish that on the D-Link routers, I'm not sure I can answer.