• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 519

Allow internet Access

I have the following scenario:

one ASA 5515, inside IP address 10.10.10.0/24
one Cisco 3560 switch, IP address 10.10.10.2/24

I need to create two VLANs: VLAN 1: 192.168.100.0/24

VLAN 2: 192.168.200.0/24

Now I need to allow these two subnets to use the internet.
What should the high-level configuration be, on the ASA or at the switch level?
Asked by: annasad
5 Solutions
 
Martin Tarlink, Network Systems Administrator, commented:
You can do this in many different ways, depending on how many static IPs you have and how you would like to do NAT or PAT.

BTW, you cannot use 10.10.10.0/24 as an IP.
You can connect ASA<->Cat via "no switchport" ports and set 10.10.10.1 on the ASA and 10.10.10.2 on the Catalyst, with mask 255.255.255.252 (/30).

So you will create a subnet for that connection:
Net address 10.10.10.0
Broadcast address 10.10.10.3

IPs to use: 10.10.10.1 and 10.10.10.2


If you have software higher than 8.3, use NAT under objects.

Here you have very good examples:
https://supportforums.cisco.com/docs/DOC-9129

Look also here:
http://www.gregledet.net/?p=537


On the Catalyst, configure default static routing:
ip route 0.0.0.0 0.0.0.0 10.10.10.1

You can also enable OSPF or EIGRP on the Cat and ASA; everything depends on what you want to accomplish.

On the ASA you need to create an object for your VLAN IPs,
or one global one:
All Vlans
192.168.0.0 255.255.0.0

and do dynamic NAT to the outside interface.
 
ffleisma commented:
I've attached a diagram in Visio and PDF; this highlights your basic high-level design.

Please take note of the following:
no redundancy for the FW and core
DMZ setup is not in place yet
access switches not shown
this is just the logical diagram for the setup

Hope this helps, and let me know if you have any further questions.
Simple-FW-LAN-design.vsd
Visio-Simple-FW-LAN-design.pdf
 
ffleisma commented:
Forgot one thing though :-) the permissive ACL to allow internet traffic :-)

! The object group must exist before an ACL line can reference it, so define it first
object-group network objg_Internal_Allowed_Internet
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
!
! (for http)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq www
!
! (for https)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq https
!
! (for email)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq smtp
!
! Bind the ACL to the inside interface (nameif "inside" assumed); until this is done the ACL is never evaluated
access-group inside_access_in in interface inside
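Putting the pieces from the answers above together (the /30 link and default route from Martin Tarlink's comment, object NAT for software 8.3 and later, and ffleisma's ACL), here is a complete configuration for the asker's scenario. This is an added example written for this page, not configuration posted by any of the contributors. Assumptions: the two VLANs are numbered 100 and 200 (the question calls them "VLAN 1" and "VLAN 2"; VLAN 1 is the Catalyst default and is best avoided), the ASA runs 9.x, the inside interface is GigabitEthernet0/1 and the outside is GigabitEthernet0/0, and 203.0.113.8/29 is a placeholder for the real 5-address public block with 203.0.113.9 as the ISP gateway. It also adds a DNS rule that the original ACL lacks: with only 80/443/25 permitted, clients cannot resolve names unless they use an internal resolver.

```cisco
! ===== Catalyst 3560: L3 core, one SVI per user VLAN, routed uplink to the ASA =====
ip routing
!
vlan 100
 name USERS-A
vlan 200
 name USERS-B
!
interface Vlan100
 description 192.168.100.0/24 ("VLAN 1" in the question; VLAN ID assumed)
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan200
 description 192.168.200.0/24 ("VLAN 2" in the question; VLAN ID assumed)
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/1
 description routed /30 uplink to ASA inside (port number assumed)
 no switchport
 ip address 10.10.10.2 255.255.255.252
!
! everything the switch does not know about goes to the ASA
ip route 0.0.0.0 0.0.0.0 10.10.10.1

! ===== ASA 5515-X (9.x, post-8.3 object NAT) =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
! default route to the ISP, plus the two user subnets behind the Catalyst
! (asavener's point 1: without these the ASA has no return path to the VLANs)
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
route inside 192.168.100.0 255.255.255.0 10.10.10.2 1
route inside 192.168.200.0 255.255.255.0 10.10.10.2 1
!
! object NAT: each VLAN is PATed behind the outside interface address (object names assumed)
object network LAN_VLAN100
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network LAN_VLAN200
 subnet 192.168.200.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! permitted sources for internet access (asavener's point 2: extend this when VLANs are added)
object-group network objg_Internal_Allowed_Internet
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
!
! inbound ACL on inside; once applied, the implicit deny replaces the default high-to-low permit
access-list inside_access_in extended permit udp object-group objg_Internal_Allowed_Internet any eq domain
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq domain
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq www
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq https
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq smtp
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
```

To verify the NAT and ACL decision without a client, run packet-tracer from the ASA with a constructed flow, e.g. `packet-tracer input inside tcp 192.168.100.10 40000 198.51.100.1 80`, and confirm the NAT phase shows the translation to the outside address and the final result is ALLOW; `show nat` and `show xlate` confirm translations are being built. On PAT versus NAT for the 5 public addresses: a single interface PAT supports roughly 64k concurrent translations per destination, which is plenty for two /24s, so more addresses do not help performance here; keep the spare addresses for static NAT of DMZ servers, as ffleisma describes below, or use a `pat-pool` object if you later need more ports.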
 
asavener commented:
Two things.

1) On the ASA, add routes to the new subnets.

2) Modify the object group to include the new subnets.
 
annasad (Author) commented:
Thanks for sharing the detailed information...

Yes, the IOS is higher than 8.3; I think it's 8.6 or 9.1, I still have to find it out.

There are 5 usable public static IP addresses in total. Does it make a difference in efficiency or performance if I use NAT or PAT? Should I use one single IP address or more?

And I have not worked on the ASA command line, but I am aware of Cisco IOS a bit, meaning I can type commands...

So by default, internet access is not allowed, and I have to use permissive ACLs in order to allow any kind of traffic?

Initially I saw three types of traffic for the internet.

Thanks for the diagrams; it's fairly the same design as explained in the diagram, however there are access layer switches too, but I have to find them.
 
asavener commented:
Like any computer, it does what you tell it to do. Someone has limited internet access to certain subnets, so when you add new subnets you have to modify the configuration.

If you want to avoid this issue in the future, just add all of the RFC 1918 addresses to your object group:

192.168.0.0 255.255.0.0
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0
 
ffleisma commented:
"Total usable public static IP addresses are 5; does it make a difference in efficiency or performance if I use NAT or PAT?"

NAT is usually a one-to-one translation, and PAT is one-to-many; for internet access, that is always PAT, since you have multiple LAN users needing to be NATed to a public routed IP.

Static NAT is usually done for, but not limited to, DMZ servers, where web servers, mail servers, etc. need a publicly reachable IP.

"And I have not worked on the ASA command line, but I am aware of Cisco IOS a bit, meaning I can type commands..."

You can configure the ASA two ways, using ASDM (GUI) or the CLI. The one I presented is CLI, but if you need something for the GUI, let me know your setup and I might be able to provide some insights.

"So by default, internet access is not allowed, and I have to use permissive ACLs in order to allow any kind of traffic?"

By default all traffic incoming to any interface is blocked. Sometimes there is a preset command allowing ALL IP traffic from higher-security to lower-security interfaces.

Let me know how I can help further if you have any questions.
 
annasad (Author) commented:
Thank you for the detailed answers... I am kind of busy. I have sufficient information, but I would still need to keep this question open for some time. I will probably be working on this at the weekend.

I might need help by then... thanks.
 
annasad (Author) commented:
I will close this question, as it has given me sufficient information, and I will award the points to everyone who has contributed here. I will open another question for further details.
 
annasad (Author) commented:
Excellent diagram, which helped me greatly to understand the design in detail. A wonderful, detailed diagram with step-by-step details. Thanks very much.
