techguy57
Configure Vlan Routing on Cisco ASA 5505
Hi experts,
I am attempting to use the ASA 5505 as a firewall/router. Is this possible? If so, what steps do I need to take? Also, I do have the Security Plus license on this device.
I have created the VLANs on the ASA and on the 2950 switch, along with trunking. What am I missing?
Here is my current config...
! Review notes: lines beginning with "!" are ignored by the ASA parser.
! Layout as configured: five VLAN interfaces on the 5505, the ASA routes between them,
! and hosts on each VLAN use the ASA's VLAN address as their default gateway.
ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
! NOTE(review): 255.143.255.260 is not a valid mask (an octet above 255, non-contiguous bits).
! Most likely altered for posting, but confirm the real outside mask and that the default-route
! next hop further down (98.18.203.193) is on-link for this interface.
ip address 154.187.203.204 255.143.255.260
!
interface Vlan11
nameif wireless_in
! Same level as "inside" (100): with "same-security-traffic permit inter-interface" below,
! inside<->wireless_in traffic is permitted without an interface ACL.
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Vlan12
nameif iscsi
security-level 90
ip address 192.168.12.1 255.255.255.0
!
interface Vlan15
nameif wireless_out
security-level 30
ip address 192.168.15.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
! No "switchport access vlan" here, so e0/1 is an untagged port in VLAN 1 (inside).
interface Ethernet0/1
!
interface Ethernet0/2
!
! NOTE(review): e0/3 is an ACCESS port (untagged VLAN 11 only). The switch port it connects to
! (fa0/9 in the thread) is a trunk: the trunk's VLAN 11 frames arrive tagged and are not accepted
! on an access port, while the trunk's untagged native VLAN (VLAN 1 by default on the 2950) is
! received here as VLAN 11 traffic. Make both ends access ports for VLAN 11, or configure a
! matching trunk on both ends (trunk ports on the 5505 require the Security Plus license).
interface Ethernet0/3
switchport access vlan 11
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name
! Needed for inside<->wireless_in traffic because both interfaces are security-level 100.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! NOTE(review): the first inside_acl entry permits all IP, so the icmp and ssh entries after it
! can never match; drop them or narrow the "ip any any" entry.
access-list inside_acl extended permit ip any any
access-list inside_acl extended permit icmp any any
access-list inside_acl extended permit tcp any any eq ssh
! NOTE(review): outside_acl is applied inbound on the Internet-facing interface. "permit icmp any any"
! and "permit ip any 192.168.1.0/24" are broad for an untrusted interface; in 8.2 an inbound ACL is
! evaluated against the translated (mapped) address, so the second entry matters for any traffic
! whose mapped destination is 192.168.1.0/24 (a VPN pool or a future static). Scope it to the
! ports that are actually required.
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit ip any 192.168.1.0 255.255.255.0
! The wireless_in ACL is defined but never bound with "access-group" in this config, so it has no
! effect; wireless_in traffic is governed by the same-security rules instead.
access-list wireless_in extended permit icmp any any
access-list wireless_in extended permit ip any 192.168.11.0 255.255.255.0
access-list wireless_in extended permit ip any 192.168.1.0 255.255.255.0
! tunnel_acl is not referenced anywhere in the visible config (presumably a split-tunnel list).
access-list tunnel_acl standard permit 192.168.1.0 255.255.255.0
! NAT exemption list used by "nat (inside) 0" below: inside traffic to these networks is not translated.
access-list inside_nat extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat extended permit ip any 192.168.11.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu wireless_in 1500
mtu wireless_out 1500
mtu iscsi 1500
! NOTE(review): the pool's end address ("192.168.1.23 0") looks garbled in the paste and reads lower
! than its start; confirm the real range. It also sits inside the inside subnet, which only works if
! those addresses are kept out of DHCP/static use on the inside LAN.
ip local pool External 192.168.1.200-192.168.1.23 0 mask 255.255.255.0
! Unicast RPF on inside and outside: a packet's source must be reachable via the interface it arrived on.
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! PAT for NAT group 1 to the outside interface address.
global (outside) 1 interface
nat (inside) 0 access-list inside_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wireless_in) 1 0.0.0.0 0.0.0.0
! NOTE(review): the static syntax is "static (real_ifc,mapped_ifc) mapped_ip real_ip". As written
! the real and mapped networks are swapped (the real hosts behind "inside" are 192.168.1.0/24, not
! 192.168.11.0/24), so these entries translate in the wrong direction and are a likely reason the
! 192.168.1.x and 192.168.11.x networks cannot reach each other. For no translation between the
! two VLANs use identity entries with the same network on both sides, e.g.
! "static (inside,wireless_in) 192.168.1.0 192.168.1.0 netmask 255.255.255.0" and the mirror for
! wireless_in, or remove both statics and rely on NAT exemption — confirm which was intended.
static (inside,wireless_in) 192.168.1.0 192.168.11.0 netmask 255.255.255.0
static (wireless_in,inside) 192.168.11.0 192.168.1.0 netmask 255.255.255.0
access-group inside_acl in interface inside
access-group outside_acl in interface outside
! NOTE(review): next hop 98.18.203.193 is not in the outside interface's 154.187.203.x network as
! shown — consistent with the outside address/mask having been altered for posting; confirm.
route outside 0.0.0.0 0.0.0.0 98.18.203.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
! "reco rd" is a paste artifact for "dynamic-access-policy-record".
dynamic-access-policy-reco rd DfltAccessPolicy
! SSH logins use the local user database. No "ssh <net> <mask> <ifc>" lines are visible in this
! excerpt; confirm SSH access is restricted to a management subnet.
aaa authentication ssh console LOCAL
! ASDM/HTTPS management restricted to the inside subnet.
http server enable
http 192.168.1.0 255.255.255.0 inside
I am attempting to use the ASA 5505 as a firewall/router. Is this possible? If so, what steps do I need to take? Also, I do have the Security Plus license on this device.
I have created the VLANs on the ASA and on the 2950 switch, along with trunking. What am I missing?
Here is my current config...
! Review notes: lines beginning with "!" are ignored by the ASA parser.
! Layout as configured: five VLAN interfaces on the 5505, the ASA routes between them,
! and hosts on each VLAN use the ASA's VLAN address as their default gateway.
ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
! NOTE(review): 255.143.255.260 is not a valid mask (an octet above 255, non-contiguous bits).
! Most likely altered for posting, but confirm the real outside mask and that the default-route
! next hop further down (98.18.203.193) is on-link for this interface.
ip address 154.187.203.204 255.143.255.260
!
interface Vlan11
nameif wireless_in
! Same level as "inside" (100): with "same-security-traffic permit inter-interface" below,
! inside<->wireless_in traffic is permitted without an interface ACL.
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Vlan12
nameif iscsi
security-level 90
ip address 192.168.12.1 255.255.255.0
!
interface Vlan15
nameif wireless_out
security-level 30
ip address 192.168.15.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
! No "switchport access vlan" here, so e0/1 is an untagged port in VLAN 1 (inside).
interface Ethernet0/1
!
interface Ethernet0/2
!
! NOTE(review): e0/3 is an ACCESS port (untagged VLAN 11 only). The switch port it connects to
! (fa0/9 in the thread) is a trunk: the trunk's VLAN 11 frames arrive tagged and are not accepted
! on an access port, while the trunk's untagged native VLAN (VLAN 1 by default on the 2950) is
! received here as VLAN 11 traffic. Make both ends access ports for VLAN 11, or configure a
! matching trunk on both ends (trunk ports on the 5505 require the Security Plus license).
interface Ethernet0/3
switchport access vlan 11
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name
! Needed for inside<->wireless_in traffic because both interfaces are security-level 100.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! NOTE(review): the first inside_acl entry permits all IP, so the icmp and ssh entries after it
! can never match; drop them or narrow the "ip any any" entry.
access-list inside_acl extended permit ip any any
access-list inside_acl extended permit icmp any any
access-list inside_acl extended permit tcp any any eq ssh
! NOTE(review): outside_acl is applied inbound on the Internet-facing interface. "permit icmp any any"
! and "permit ip any 192.168.1.0/24" are broad for an untrusted interface; in 8.2 an inbound ACL is
! evaluated against the translated (mapped) address, so the second entry matters for any traffic
! whose mapped destination is 192.168.1.0/24 (a VPN pool or a future static). Scope it to the
! ports that are actually required.
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit ip any 192.168.1.0 255.255.255.0
! The wireless_in ACL is defined but never bound with "access-group" in this config, so it has no
! effect; wireless_in traffic is governed by the same-security rules instead.
access-list wireless_in extended permit icmp any any
access-list wireless_in extended permit ip any 192.168.11.0 255.255.255.0
access-list wireless_in extended permit ip any 192.168.1.0 255.255.255.0
! tunnel_acl is not referenced anywhere in the visible config (presumably a split-tunnel list).
access-list tunnel_acl standard permit 192.168.1.0 255.255.255.0
! NAT exemption list used by "nat (inside) 0" below: inside traffic to these networks is not translated.
access-list inside_nat extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat extended permit ip any 192.168.11.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu wireless_in 1500
mtu wireless_out 1500
mtu iscsi 1500
! NOTE(review): the pool's end address reads lower than its start and the "mask" keyword is missing,
! so this line is truncated in the paste; confirm the real range. It also sits inside the inside
! subnet, which only works if those addresses are kept out of DHCP/static use on the inside LAN.
ip local pool External 192.168.1.200-192.168.1.23
! Unicast RPF on inside and outside: a packet's source must be reachable via the interface it arrived on.
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! PAT for NAT group 1 to the outside interface address.
global (outside) 1 interface
nat (inside) 0 access-list inside_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wireless_in) 1 0.0.0.0 0.0.0.0
! NOTE(review): the static syntax is "static (real_ifc,mapped_ifc) mapped_ip real_ip". As written
! the real and mapped networks are swapped (the real hosts behind "inside" are 192.168.1.0/24, not
! 192.168.11.0/24), so these entries translate in the wrong direction and are a likely reason the
! 192.168.1.x and 192.168.11.x networks cannot reach each other. For no translation between the
! two VLANs use identity entries with the same network on both sides, e.g.
! "static (inside,wireless_in) 192.168.1.0 192.168.1.0 netmask 255.255.255.0" and the mirror for
! wireless_in, or remove both statics and rely on NAT exemption — confirm which was intended.
static (inside,wireless_in) 192.168.1.0 192.168.11.0 netmask 255.255.255.0
static (wireless_in,inside) 192.168.11.0 192.168.1.0 netmask 255.255.255.0
access-group inside_acl in interface inside
access-group outside_acl in interface outside
! NOTE(review): next hop 98.18.203.193 is not in the outside interface's 154.187.203.x network as
! shown — consistent with the outside address/mask having been altered for posting; confirm.
route outside 0.0.0.0 0.0.0.0 98.18.203.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
! Truncated in the paste; the full line is "dynamic-access-policy-record DfltAccessPolicy".
dynamic-access-policy-reco
! SSH logins use the local user database. No "ssh <net> <mask> <ifc>" lines are visible in this
! excerpt; confirm SSH access is restricted to a management subnet.
aaa authentication ssh console LOCAL
! ASDM/HTTPS management restricted to the inside subnet.
http server enable
http 192.168.1.0 255.255.255.0 inside
I would like to communicate between the 192.168.1.xx and 192.168.11.xx networks
Yes. I have Ethernet 0/3 connected to the managed switch with the same VLAN name, and it is also trunked. Currently 0/5 is shut down.
From the managed switch I am connected via fa0/1 (with an IP of 192.168.1.1) to e0/1 on the ASA. Then from the ASA e0/3 to fa0/9, with trunking on the switch.
Here is the switch's config..
! Review notes: lines beginning with "!" are ignored by IOS.
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
! Type-7 obfuscation only: it hides passwords in "show run" output, it does not protect them.
service password-encryption
!
hostname SW1
!
! NOTE(review): a real enable-secret hash (MD5, type 5) has been posted publicly here and can be
! attacked offline; change the enable secret. "57t/" is the tail of the hash, split by the paste.
enable secret 5 $1$U/cG$d.yn6kx0p96vc2cSqx 57t/
! NOTE(review): "enable password 7" is reversible, and it is ignored whenever "enable secret" is set.
! Treat this value as disclosed, remove the line ("no enable password") and rotate the secret.
enable password 7 01201F170B52265C25414707
!
ip subnet-zero
!
ip domain-name
vtp domain store
! Transparent mode: VLANs are defined locally and VTP advertisements are not applied, which guards
! against an accidental or malicious VTP database overwrite.
vtp mode transparent
cluster enable exit 0
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
! NOTE(review): fa0/1 (uplink to ASA e0/1, per the thread) has no "switchport mode access"; a 2950
! port left in its default dynamic mode negotiates trunking with DTP. Pin it with
! "switchport mode access" plus "switchport nonegotiate".
interface FastEthernet0/1
speed 100
duplex full
!
interface FastEthernet0/2
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/3
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/4
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/5
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/6
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/7
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/8
switchport mode access
speed 100
duplex full
!
! NOTE(review): "switchport mode access" followed by "switchport mode trunk" — the later command
! replaces the earlier one, so fa0/9 is an 802.1Q trunk. Its native VLAN (1 by default) is sent
! untagged and VLAN 11 is sent tagged, while the ASA end (e0/3, "switchport access vlan 11")
! accepts untagged VLAN 11 only. Either make this an access port in VLAN 11 (as the answer below
! proposes) or configure a matching trunk on the ASA; add "switchport nonegotiate" either way.
interface FastEthernet0/9
switchport access vlan 11
switchport mode access
switchport mode trunk
speed 100
duplex full
!
interface FastEthernet0/10
switchport access vlan 11
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/11
switchport access vlan 11
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/12
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/13
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/14
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/15
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/16
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/17
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/18
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/19
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/20
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/21
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/22
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/23
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/24
switchport mode access
speed 100
duplex full
!
! Management SVI on the inside network; the default gateway below is the ASA (192.168.1.1).
interface Vlan1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
!
! NOTE(review): iSCSI is VLAN 10 on this switch but VLAN 12 ("iscsi", e0/5) on the ASA; the IDs
! must match end to end if this VLAN is ever carried across the link.
interface Vlan10
description iSCSI
no ip address
no ip route-cache
shutdown
!
! NOTE(review): a 2950 is a Layer-2 switch and keeps only one management SVI active at a time, so
! this address does not route between VLAN 1 and VLAN 11; inter-VLAN routing is the ASA's job.
! Confirm which SVI is actually up.
interface Vlan11
description Internal Wireless
ip address 192.168.11.2 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.1
! NOTE(review): plaintext HTTP management is enabled with no "ip http access-class" visible;
! disable it ("no ip http server") or restrict it to the management subnet.
ip http server
!
From the managed switch I am connected via fa0/1 (with an IP of 192.168.1.1) to e0/1 on the ASA. Then from the ASA e0/3 to fa0/9, with trunking on the switch.
Here is the switch's config..
! Review notes: lines beginning with "!" are ignored by IOS.
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
! Type-7 obfuscation only: it hides passwords in "show run" output, it does not protect them.
service password-encryption
!
hostname SW1
!
! NOTE(review): a real enable-secret hash (MD5, type 5) has been posted publicly here (truncated
! in this copy) and can be attacked offline; change the enable secret.
enable secret 5 $1$U/cG$d.yn6kx0p96vc2cSqx
! NOTE(review): "enable password 7" is reversible, and it is ignored whenever "enable secret" is set.
! Treat this value as disclosed, remove the line ("no enable password") and rotate the secret.
enable password 7 01201F170B52265C25414707
!
ip subnet-zero
!
ip domain-name
vtp domain store
! Transparent mode: VLANs are defined locally and VTP advertisements are not applied, which guards
! against an accidental or malicious VTP database overwrite.
vtp mode transparent
cluster enable exit 0
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
! NOTE(review): fa0/1 (uplink to ASA e0/1, per the thread) has no "switchport mode access"; a 2950
! port left in its default dynamic mode negotiates trunking with DTP. Pin it with
! "switchport mode access" plus "switchport nonegotiate".
interface FastEthernet0/1
speed 100
duplex full
!
interface FastEthernet0/2
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/3
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/4
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/5
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/6
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/7
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/8
switchport mode access
speed 100
duplex full
!
! NOTE(review): "switchport mode access" followed by "switchport mode trunk" — the later command
! replaces the earlier one, so fa0/9 is an 802.1Q trunk. Its native VLAN (1 by default) is sent
! untagged and VLAN 11 is sent tagged, while the ASA end (e0/3, "switchport access vlan 11")
! accepts untagged VLAN 11 only. Either make this an access port in VLAN 11 (as the answer below
! proposes) or configure a matching trunk on the ASA; add "switchport nonegotiate" either way.
interface FastEthernet0/9
switchport access vlan 11
switchport mode access
switchport mode trunk
speed 100
duplex full
!
interface FastEthernet0/10
switchport access vlan 11
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/11
switchport access vlan 11
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/12
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/13
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/14
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/15
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/16
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/17
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/18
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/19
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/20
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/21
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/22
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/23
switchport mode access
speed 100
duplex full
!
interface FastEthernet0/24
switchport mode access
speed 100
duplex full
!
! Management SVI on the inside network; the default gateway below is the ASA (192.168.1.1).
interface Vlan1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
!
! NOTE(review): iSCSI is VLAN 10 on this switch but VLAN 12 ("iscsi", e0/5) on the ASA; the IDs
! must match end to end if this VLAN is ever carried across the link.
interface Vlan10
description iSCSI
no ip address
no ip route-cache
shutdown
!
! NOTE(review): a 2950 is a Layer-2 switch and keeps only one management SVI active at a time, so
! this address does not route between VLAN 1 and VLAN 11; inter-VLAN routing is the ASA's job.
! Confirm which SVI is actually up.
interface Vlan11
description Internal Wireless
ip address 192.168.11.2 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.1
! NOTE(review): plaintext HTTP management is enabled with no "ip http access-class" visible;
! disable it ("no ip http server") or restrict it to the management subnet.
ip http server
!
How did you do this:
switchport access vlan 11
switchport mode access
switchport mode trunk
Mode access AND mode trunk (?)
Because the ASA only carries one VLAN on that port, you don't really need a trunk. You could just as well configure it on the switch as a plain access port.
And then something like:
switchport access vlan 11
switchport mode access
switchport nonegotiate
no cdp enable
switchport access vlan 11
switchport mode access
switchport mode trunk
Mode access AND mode trunk (?)
Because the ASA only carries one VLAN on that port, you don't really need a trunk. You could just as well configure it on the switch as a plain access port.
And then something like:
switchport access vlan 11
switchport mode access
switchport nonegotiate
no cdp enable
put on asa
eth0
switchport mode trunk
put on access switch
f0/1
switchport mode trunk..
if the ASA is connected to the switch on the same port.
Then check whether it is working or not.
eth0
switchport mode trunk
put on access switch
f0/1
switchport mode trunk..
if the ASA is connected to the switch on the same port.
Then check whether it is working or not.
What exactly is not working?