Solved

Configure Vlan Routing on Cisco ASA 5505

Posted on 2012-09-08
Last Modified: 2012-10-01
Hi experts,

I am attempting to use the ASA 5505 as a firewall/router. Is this possible? If so, what steps do I need to take? Also, I do have the Security Plus license on this device.

I have created the VLANs on the ASA and the 2950 switch along with trunking. What am I missing?

Here is my current config...

ASA Version 8.2(1)

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 154.187.203.204 255.143.255.260
!
interface Vlan11
 nameif wireless_in
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan12
 nameif iscsi
 security-level 90
 ip address 192.168.12.1 255.255.255.0
!
interface Vlan15
 nameif wireless_out
 security-level 30
 ip address 192.168.15.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 11
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_acl extended permit ip any any
access-list inside_acl extended permit icmp any any
access-list inside_acl extended permit tcp any any eq ssh
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit ip any 192.168.1.0 255.255.255.0
access-list wireless_in extended permit icmp any any
access-list wireless_in extended permit ip any 192.168.11.0 255.255.255.0
access-list wireless_in extended permit ip any 192.168.1.0 255.255.255.0
access-list tunnel_acl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat extended permit ip any 192.168.11.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu wireless_in 1500
mtu wireless_out 1500
mtu iscsi 1500
ip local pool External 192.168.1.200-192.168.1.230 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wireless_in) 1 0.0.0.0 0.0.0.0
static (inside,wireless_in) 192.168.1.0 192.168.11.0 netmask 255.255.255.0
static (wireless_in,inside) 192.168.11.0 192.168.1.0 netmask 255.255.255.0
access-group inside_acl in interface inside
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 98.18.203.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
Question by:techguy57
7 Comments

Expert Comment

by:fgasimzade
ID: 38379917
First of all, you need to configure a trunk port on the ASA.

What exactly is not working?

Author Comment

by:techguy57
ID: 38379923
I would like to communicate between the 192.168.1.xx and 192.168.11.xx networks

Accepted Solution

by:
Ernie Beek earned 1000 total points
ID: 38379931
First of all, a firewall isn't a router (but you know that of course :) though it has some routing capabilities.
Second, you connected Ethernet0/3 and Ethernet0/5 to the switch on trunked ports (at the switch side)?

Author Comment

by:techguy57
ID: 38379944
Yes. I have Ethernet0/3 connected to the managed switch with the same VLAN name and also trunked. Currently 0/5 is shut down.

From the managed switch I am connected via fa0/1, with an IP of 192.168.1.1, to e0/1 on the ASA. Then from the ASA e0/3 to fa0/9, with trunking on the switch.

Here is the switch's config:

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SW1
!
enable secret 5 $1$U/cG$d.yn6kx0p96vc2cSqx57t/
enable password 7 01201F170B52265C25414707
!
ip subnet-zero
!
ip domain-name
vtp domain store
vtp mode transparent
cluster enable exit 0
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 speed 100
 duplex full
!
interface FastEthernet0/2
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/3
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/4
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/5
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/6
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/7
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/8
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/9
 switchport access vlan 11
 switchport mode access
switchport mode trunk
 speed 100
 duplex full
!
interface FastEthernet0/10
 switchport access vlan 11
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/11
 switchport access vlan 11
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/12
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/13
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/14
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/15
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/16
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/17
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/18
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/19
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/20
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/21
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/22
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/23
 switchport mode access
 speed 100
 duplex full
!
interface FastEthernet0/24
 switchport mode access
 speed 100
 duplex full
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
!
interface Vlan10
 description iSCSI
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan11
 description Internal Wireless
 ip address 192.168.11.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
!

Expert Comment

by:Ernie Beek
ID: 38379973
How did you do this:

switchport access vlan 11
 switchport mode access
switchport mode trunk


Mode access AND mode trunk (?)

Because the ASA only holds one VLAN on that port, you don't really need a trunk. You could just as well configure it on the switch as an access port.

And then something like:


switchport access vlan 11
 switchport mode access
 switchport nonegotiate
 no cdp enable

Expert Comment

by:ping2vohra
ID: 38380685
Put on the ASA:

eth0

switchport mode trunk

Put on the access switch:

f0/1
switchport mode trunk

if the ASA is connected to the switch on that same port.
Check whether it is working or not.

Assisted Solution

by:max_the_king
max_the_king earned 1000 total points
ID: 38380796
Hi,
try the following:

no access-list inside_nat extended permit ip any 192.168.1.0 255.255.255.0
no access-list inside_nat extended permit ip any 192.168.11.0 255.255.255.0
access-list inside_nat extended permit ip 192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0

Besides, please note that the command "same-security-traffic permit inter-interface" should be used to avoid ACL and NAT problems when you configure more interfaces with the same security level, as is your case with VLAN 1 and VLAN 11.

hope this helps
max
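The two defects the answers above point at (Ernie Beek's conflicting "switchport mode access" / "switchport mode trunk" on Fa0/9, and max_the_king's over-broad "permit ip any ..." entries in the NAT-exemption ACL) are easy to miss in a long config paste. The script below is an added example, not code from the thread or from Cisco: it parses IOS/ASA-style config text and flags both problems, plus a trunk port that still negotiates DTP (no "switchport nonegotiate", which is what the suggested port config adds). The embedded config excerpts are trimmed from the configs posted above; the "fixed" ASA excerpt applies max_the_king's corrected ACL. One assumption is baked in: the un-indented "switchport mode trunk" line in the posted switch config is treated as part of the Fa0/9 block, as the discussion does, rather than as a global command.

```python
"""Audit Cisco switch/ASA config excerpts for the issues raised in the thread:
conflicting 'switchport mode' lines, trunks with DTP left on, and NAT-exemption
(nat 0 access-list) entries whose source is 'any'."""
import re
from collections import OrderedDict

# Trimmed from the switch config posted in the thread (constructed sample input).
SWITCH_CONFIG = """\
interface FastEthernet0/9
 switchport access vlan 11
 switchport mode access
switchport mode trunk
 speed 100
 duplex full
!
interface FastEthernet0/10
 switchport access vlan 11
 switchport mode access
 speed 100
 duplex full
!
interface Vlan11
 description Internal Wireless
 ip address 192.168.11.2 255.255.255.0
!
"""

# The original NAT-exemption lines from the ASA config posted in the thread.
ASA_CONFIG = """\
access-list inside_nat extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat extended permit ip any 192.168.11.0 255.255.255.0
nat (inside) 0 access-list inside_nat
"""

# The same ACL after applying the corrected entry from the accepted answer.
ASA_CONFIG_FIXED = """\
access-list inside_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
nat (inside) 0 access-list inside_nat
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-command, ...]} from IOS-style config text.

    Leading whitespace is stripped, so the un-indented 'switchport mode trunk'
    in the posted config is attributed to Fa0/9 (assumption: a paste artefact,
    not a global command). A '!' line closes the current interface block."""
    blocks = OrderedDict()
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or not line:
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_switchports(blocks):
    """Flag interfaces with more than one 'switchport mode' line, and trunk
    ports that still run DTP because 'switchport nonegotiate' is absent."""
    findings = []
    for name, cmds in blocks.items():
        modes = [c.split()[-1] for c in cmds if c.startswith("switchport mode ")]
        if len(modes) > 1:
            findings.append((name, "conflicting switchport modes: " + "/".join(modes)))
        if "trunk" in modes and "switchport nonegotiate" not in cmds:
            findings.append((name, "trunk without 'switchport nonegotiate' (DTP still negotiating)"))
    return findings


NAT_EXEMPT_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
# Only the 'permit ip <src> <dst>' form used in the thread; src/dst are
# either 'any' or '<network> <mask>'.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (any|\S+ \S+) (any|\S+ \S+)$")


def audit_nat_exemption(config):
    """Return (interface, acl, entry) for each NAT-exemption ACL entry with
    source 'any'. A nat 0 ACL should pair the interface's own subnet with the
    specific destination that must bypass NAT, not every possible source."""
    exempt = {}     # acl name -> interface it is bound to with 'nat (iface) 0'
    acl_lines = {}  # acl name -> [(src, dst), ...]
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_EXEMPT_RE.match(line)
        if m:
            exempt[m.group(2)] = m.group(1)
            continue
        m = ACL_RE.match(line)
        if m:
            acl_lines.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    findings = []
    for acl, iface in exempt.items():
        for src, dst in acl_lines.get(acl, []):
            if src == "any":
                findings.append((iface, acl, f"permit ip any {dst}"))
    return findings


if __name__ == "__main__":
    for f in audit_switchports(parse_interfaces(SWITCH_CONFIG)):
        print("switch:", *f, sep=" | ")
    for f in audit_nat_exemption(ASA_CONFIG):
        print("asa:", *f, sep=" | ")
    print("asa (fixed):", audit_nat_exemption(ASA_CONFIG_FIXED))
```

Run it against a full "show running-config" paste and it reports Fa0/9 twice (the access/trunk conflict and the missing nonegotiate) and both "any" entries in inside_nat; the corrected ACL produces no findings.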
