Solved

Allow internet Access

Posted on 2014-02-23
Last Modified: 2014-06-06
I have the following scenario:

one ASA 5515, inside IP address 10.10.10.0/24
one Cisco 3560 switch, IP address 10.10.10.2/24

Need to create two VLANs: VLAN 1: 192.168.100.0/24

VLAN 2: 192.168.200.0/24

Now I need to allow these two subnets to use the internet.
What should the high-level configuration be on the ASA or switch level?
Question by:annasad
10 Comments
 
LVL 5

Assisted Solution

by:Martin Tarlink
Martin Tarlink earned 50 total points
ID: 39881672
You can do this in many different ways, depending on how many static IPs you have and how you would like to do NAT or PAT.

BTW you cannot use 10.10.10.0/24 as an IP.
You can connect ASA<->Cat via no-switchport ports and set on the ASA
10.10.10.1 and on the Catalyst 10.10.10.2 with mask 255.255.255.252 (/30).

So you will create a subnet for that connection:
Net address 10.10.10.0
Broadcast address 10.10.10.3

IPs to use: 10.10.10.1 and 10.10.10.2


If you have software higher than 8.3, use NAT under objects.

Here you have very good examples
https://supportforums.cisco.com/docs/DOC-9129

Look also here
http://www.gregledet.net/?p=537


On the Catalyst do default static routing:
ip route 0.0.0.0 0.0.0.0 10.10.10.1

You can also enable OSPF or EIGRP on the Cat and ASA; everything depends on what you want to accomplish.

On the ASA you need to create objects for your VLAN IPs,
or one global one:
All VLANs
192.168.0.0 255.255.0.0

and do NAT to the outside interface, dynamic, as described.
 
LVL 9

Accepted Solution

by:ffleisma
ffleisma earned 400 total points
ID: 39881923
I've attached a diagram in Visio and PDF; this would highlight your basic high-level design.

Please take note of the following:
no redundancy for the FW and core
DMZ setup is not in place yet
access switches not shown
this is just the logical diagram for the setup

Hope this helps, and let me know if you have any further questions.
Simple-FW-LAN-design.vsd
Visio-Simple-FW-LAN-design.pdf
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 400 total points
ID: 39881925
Forgot one thing though :-) the permissive ACL to allow internet traffic :-)

! the object group must be defined before the ACL entries that reference it
object-group network objg_Internal_Allowed_Internet
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
!
!(for http)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq www
!
!(for https)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq https
!
!(for email)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq smtp
!
! the ACL does nothing until it is bound to the interface:
! access-group inside_access_in in interface inside
 
LVL 28

Assisted Solution

by:asavener
asavener earned 50 total points
ID: 39882752
Two things.

1) On the ASA, add routes to the new subnets.

2) Modify the object group to include the new subnets.
 
LVL 1

Author Comment

by:annasad
ID: 39887537
Thanks for sharing the detailed information...

Yes, the IOS is higher than 8.3; I think it's 8.6 or 9.1, I still have to find out.

The total usable public static IP addresses are 5; does it make a difference in efficiency or performance if I use NAT or PAT? Should I use one single IP address or more?

And I have not worked on the ASA on the command line, but I am aware of Cisco IOS a bit, meaning I can type commands...

So by default, internet access is not allowed; I have to use permissive ACLs in order to allow any kind of traffic?

Initially I saw three types of traffic for the internet.

Thanks for the diagrams; it's fairly the same design as explained in the diagram, however there are access layer switches too, but I have to find them.
 
LVL 28

Expert Comment

by:asavener
ID: 39887748
Like any computer, it does what you tell it to do.  Someone has limited Internet access to certain subnets, so when you add new subnets you have to modify the configuration.

If you want to avoid this issue in the future, just add all of the RFC1918 addresses to your object group:

192.168.0.0 255.255.255.0
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39888538
"The total usable public static IP addresses are 5; does it make a difference in efficiency or performance if I use NAT or PAT?"

NAT is usually a one-to-one translation, and PAT is one-to-many; for internet access, that is always PAT, since you have multiple LAN users needing to be NATed to a public routed IP.

Static NAT is usually done for, but not limited to, DMZ servers, where web servers, mail servers, etc. need a publicly reachable IP.

"And I have not worked on the ASA on the command line, but I am aware of Cisco IOS a bit, meaning I can type commands..."

You can configure the ASA two ways, using ASDM (GUI) or the CLI. The one I presented is CLI, but if you need something for the GUI, let me know your setup and I might be able to provide some insights.

"So by default, internet access is not allowed; I have to use permissive ACLs in order to allow any kind of traffic?"

By default all traffic incoming to any interface is blocked. Sometimes there is a preset command allowing ALL IP traffic from higher-security to lower-security interfaces.

Let me know how I can help further if you have any questions.
 
LVL 1

Assisted Solution

by:annasad
annasad earned 0 total points
ID: 39953705
Thank you for the detailed answers... I am kind of busy; I have sufficient information, but I would still need to keep this question open for some time.. I will probably be working on this at the weekend..

I might need help by then.. thanks
 
LVL 1

Author Comment

by:annasad
ID: 40103976
I will close this question as it has given sufficient information, and I would reward these points to everyone who has contributed here. I would open another question for further details.
 
LVL 1

Author Closing Comment

by:annasad
ID: 40116744
Excellent diagram, which helped me greatly to understand the design in detail. Wonderful detailed diagram with step-by-step details. Thanks very much.