Solved

Allow internet Access

Posted on 2014-02-23
10
503 Views
Last Modified: 2014-06-06
I have the following scenario:

one ASA 5515, inside IP address 10.10.10.0/24
one Cisco 3560 switch, IP address 10.10.10.2/24

I need to create two VLANs: VLAN 1: 192.168.100.0/24

VLAN 2: 192.168.200.0/24

Now I need to allow these two subnets to use the internet.
What should the high-level configuration be on the ASA or at the switch level?
0
Comment
Question by:annasad
10 Comments
 
LVL 5

Assisted Solution

by:Martin Tarlink
Martin Tarlink earned 50 total points
ID: 39881672
You can do this in many different ways, depending on how many static IPs you have and how you would like to do NAT or PAT.

BTW, you cannot use 10.10.10.0/24 as an IP address.
You can connect ASA<->Cat via no-switchport (routed) ports and set 10.10.10.1 on the ASA
and 10.10.10.2 on the Catalyst with mask 255.255.255.252 (/30).

So you will create a subnet for that connection:
Net address 10.10.10.0
Broadcast address 10.10.10.3

IPs to use: 10.10.10.1 and 10.10.10.2


If you have software higher than 8.3, use NAT under objects.

Here you have very good examples:
https://supportforums.cisco.com/docs/DOC-9129

Look also here:
http://www.gregledet.net/?p=537


On the Catalyst do default static routing:
ip route 0.0.0.0 0.0.0.0 10.10.10.1

You can also enable OSPF or EIGRP on the Cat and ASA; everything depends on what you want to accomplish.

On the ASA you need to create an object for your VLAN IPs,
or one global object:
All VLANs
192.168.0.0 255.255.0.0

and do dynamic NAT to the outside interface as described.
0
 
LVL 9

Accepted Solution

by:
ffleisma earned 400 total points
ID: 39881923
I've attached a diagram in Visio and PDF; this highlights your basic high-level design.

Please take note of the following:
no redundancy for the FW and core
DMZ setup is not in place yet
access switches not shown
this is just the logical diagram for the setup

Hope this helps, and let me know if you have any further questions.
Simple-FW-LAN-design.vsd
Visio-Simple-FW-LAN-design.pdf
0
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 400 total points
ID: 39881925
Forgot one thing though :-) the permissive ACL to allow internet traffic :-)

!(for http)
!
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq www
!
!(for https)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq https
!
!(for email)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq smtp
!

object-group network objg_Internal_Allowed_Internet
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 50 total points
ID: 39882752
Two things.

1) On the ASA, add routes to the new subnets.

2) Modify the object group to include the new subnets.
0
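An added example (not from the thread) that combines the two points above with the ACL posted earlier: the ASA needs static routes for the two VLAN subnets pointing at the Catalyst, the object group must list exactly those subnets, and the access list only takes effect once it is bound to the inside interface with `access-group`. The interface name `inside` and the Catalyst address 10.10.10.2 are assumptions; the UDP/53 line is an assumed addition, because the permitted HTTP/HTTPS/SMTP traffic is of little use if name resolution is blocked, and the explicit `deny ip any any log` is added so that drops show up in syslog instead of disappearing into the implicit deny.

```cisco
! routes back to the VLANs behind the Catalyst (assumed next hop 10.10.10.2)
route inside 192.168.100.0 255.255.255.0 10.10.10.2
route inside 192.168.200.0 255.255.255.0 10.10.10.2
!
! the group is the single place where "who may reach the internet" is defined
object-group network objg_Internal_Allowed_Internet
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
!
! only the three services the question mentions, plus DNS (assumed addition)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq www
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq https
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq smtp
access-list inside_access_in extended permit udp object-group objg_Internal_Allowed_Internet any eq domain
! make the implicit deny visible in the logs
access-list inside_access_in extended deny ip any any log
!
! nothing above is enforced until the ACL is applied to the interface
access-group inside_access_in in interface inside
```

Note that once an ACL is applied inbound on `inside`, the default "higher security to lower security is allowed" behaviour no longer applies to that interface: anything not permitted by the list is dropped. To check a flow end to end (route, NAT and ACL) before users report problems, the ASA's `packet-tracer` command can simulate a packet, for example `packet-tracer input inside tcp 192.168.100.10 1025 198.51.100.5 80` (the destination is a documentation address used as a placeholder).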
 
LVL 1

Author Comment

by:annasad
ID: 39887537
Thanks for sharing the detailed information ...

Yes, the IOS is higher than 8.3; I think it's 8.6 or 9.1, still have to find out.

Total usable public static IP addresses are 5. Does it make a difference in efficiency or performance if I use NAT or PAT? Should I use one single IP address or more?

And I have not worked on the ASA on the command line, but I am aware of Cisco IOS a bit, meaning I can type commands ...

So by default, internet access is not allowed; I have to use permissive ACLs in order to allow any kind of traffic?

Initially I saw three types of traffic for the internet.

Thanks for the diagrams. It's fairly the same design as explained in the diagram; however, there are access layer switches too, but I have to find them.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39887748
Like any computer, it does what you tell it to do.  Someone has limited Internet access to certain subnets, so when you add new subnets you have to modify the configuration.

If you want to avoid this issue in the future, just add all of the RFC1918 addresses to your object group:

192.168.0.0 255.255.255.0
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39888538
total usable public static IP addresses are 5 , does it make a difference it efficiency or performance If I use NAT or PAT ?

NAT is usually a one-to-one translation, and PAT is one-to-many. For internet access, that is always PAT, since you have multiple LAN users needing to be NATed to a public routed IP.

Static NAT is usually done for, but not limited to, DMZ servers, where web servers, mail servers, etc. need a publicly reachable IP.

and I have not worked on ASA  on command line but I am aware of Cisco IOS a bit , means can type commands ...

You can configure the ASA two ways, using ASDM (GUI) or CLI. The one I presented is CLI, but if you need something for the GUI, let me know your setup and I might be able to provide some insights.

so by default , Internet access is not allowed , I have to use permissive ACLs in order to allow any kind of traffic ?

By default all traffic incoming to any interface is blocked. Sometimes there is a preset command allowing ALL IP traffic from higher-security to lower-security interfaces.

Let me know how I can help further if you have any questions.
0
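To make the NAT-versus-PAT distinction above concrete, here is an added example (not from the thread) of the static, one-to-one case: a single DMZ host published on one of the spare public addresses, with an outside ACL that admits only the published service. Everything here is assumed: the interface name `dmz`, the host 192.168.50.10, and the public address 203.0.113.3 (a documentation range used as a placeholder). On 8.3 and later, the outside ACL refers to the host's real (untranslated) address, which is why the rule names the object rather than the public IP.

```cisco
! DMZ interface (assumed name and addressing)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! static one-to-one NAT: one public address is consumed for one server,
! unlike PAT, where the whole user base shares a single address
object network obj_dmz_web
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.3
!
! inbound from the internet: only HTTPS to that one host, everything else dropped and logged
access-list outside_access_in extended permit tcp any object obj_dmz_web eq https
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! the DMZ host itself gets no path into the user VLANs; it may only reach the internet
object-group network objg_user_vlans
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
access-list dmz_access_in extended deny ip any object-group objg_user_vlans log
access-list dmz_access_in extended permit tcp object obj_dmz_web any eq www
access-list dmz_access_in extended permit tcp object obj_dmz_web any eq https
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
```

With five public addresses and user traffic already PATed behind the outside interface, each additional static translation like this one costs one of the remaining addresses, so static NAT is worth spending them on only for hosts that must be reachable from the internet. `show nat` lists the static rule alongside the dynamic ones, and `show access-list outside_access_in` shows hit counts per line, which is the quickest way to confirm the deny line is catching unsolicited inbound traffic.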
 
LVL 1

Assisted Solution

by:annasad
annasad earned 0 total points
ID: 39953705
Thank you for the detailed answers ... I am kind of busy. I have sufficient information, but I would still need to keep this question open for some time ... I will probably be working on this at the weekend ...

I might need help by then ... thanks.
0
 
LVL 1

Author Comment

by:annasad
ID: 40103976
I will close this question, as this has given me sufficient information, and I will award these points to everyone who has contributed here. I will open another question for further details.
0
 
LVL 1

Author Closing Comment

by:annasad
ID: 40116744
Excellent diagram, which helped me greatly to understand the design in detail. Wonderful detailed diagram with step-by-step details. Thanks very much.
0
