Solved

Allow internet Access

Posted on 2014-02-23
509 Views
Last Modified: 2014-06-06
I have the following scenario:

one ASA 5515, inside IP address 10.10.10.0/24
one Cisco 3560 switch, IP address 10.10.10.2/24

I need to create two VLANs: VLAN 1: 192.168.100.0/24

VLAN 2: 192.168.200.0/24

Now I need to allow these two subnets to use the internet.
What should the high-level configuration be on the ASA or switch level?
Question by:annasad
10 Comments
 
LVL 5

Assisted Solution

by:Martin Tarlink
Martin Tarlink earned 50 total points
ID: 39881672
You can do this in many different ways, depending on how many static IPs you have and how you would like to do NAT or PAT.

BTW, you cannot use 10.10.10.0/24 as an IP.
You can connect ASA<->Cat via no-switchport ports and set on the ASA
10.10.10.1 and on the Catalyst 10.10.10.2 with mask 255.255.255.252 (/30).

So you will create a subnet for that connection:
Net address 10.10.10.0
Broadcast address 10.10.10.3

IPs to use: 10.10.10.1 and 10.10.10.2


If you have software higher than 8.3, use NAT under objects.

Here you have very good examples:
https://supportforums.cisco.com/docs/DOC-9129

Look also here:
http://www.gregledet.net/?p=537


On the Catalyst do default static routing:
ip route 0.0.0.0 0.0.0.0 10.10.10.1

You can also enable OSPF or EIGRP on the Cat and ASA; everything depends on what you want to accomplish.

On the ASA you need to create an object for your VLAN IPs,
or one global:
All VLANs
192.168.0.0 255.255.0.0

and do dynamic NAT to the outside interface as described.
 
LVL 9

Accepted Solution

by: ffleisma
ffleisma earned 400 total points
ID: 39881923
I've attached a diagram in Visio and PDF; this would highlight your basic high-level design.

Please take note of the following:
- no redundancy for the FW and core
- DMZ setup is not in place yet
- access switches not shown
- this is just the logical diagram for the setup

Hope this helps, and let me know if you have any further questions.
Simple-FW-LAN-design.vsd
Visio-Simple-FW-LAN-design.pdf
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 400 total points
ID: 39881925
Forgot one thing though :-) the permissive ACL to allow internet traffic :-)

!(object group must be defined before the ACL references it)
object-group network objg_Internal_Allowed_Internet
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
!
!(for http)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq www
!
!(for https)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq https
!
!(for email)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq smtp
!
LVL 28

Assisted Solution

by:asavener
asavener earned 50 total points
ID: 39882752
Two things.

1) On the ASA, add routes to the new subnets.

2) Modify the object group to include the new subnets.
 
LVL 1

Author Comment

by:annasad
ID: 39887537
Thanks for sharing the detailed information...

Yes, the IOS is higher than 8.3; I think it's 8.6 or 9.1, still have to find it out.

The total usable public static IP addresses are 5. Does it make a difference in efficiency or performance if I use NAT or PAT? Should I use one single IP address or more?

And I have not worked on the ASA on the command line, but I am aware of Cisco IOS a bit, meaning I can type commands...

So by default, internet access is not allowed, and I have to use permissive ACLs in order to allow any kind of traffic?

Initially I saw three types of traffic for the internet.

Thanks for the diagrams. It's fairly the same design as explained in the diagram; however, there are access layer switches too, but I have to find them.
 
LVL 28

Expert Comment

by:asavener
ID: 39887748
Like any computer, it does what you tell it to do. Someone has limited internet access to certain subnets, so when you add new subnets you have to modify the configuration.

If you want to avoid this issue in the future, just add all of the RFC1918 addresses to your object group:

192.168.0.0 255.255.0.0
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39888538
"The total usable public static IP addresses are 5. Does it make a difference in efficiency or performance if I use NAT or PAT?"

NAT is usually a one-to-one translation, and PAT is one-to-many. For internet access, that is always PAT, since you have multiple LAN users needing to be NATed to a publicly routed IP.

Static NAT is usually done for, but not limited to, DMZ servers, where web servers, mail servers, etc. need a publicly reachable IP.

"And I have not worked on the ASA on the command line, but I am aware of Cisco IOS a bit, meaning I can type commands..."

You can configure the ASA two ways, using ASDM (GUI) or CLI. The one I presented is CLI, but if you need something for the GUI, let me know your setup and I might be able to provide some insights.

"So by default, internet access is not allowed, and I have to use permissive ACLs in order to allow any kind of traffic?"

By default, all traffic incoming to any interface is blocked. Sometimes there is a preset command allowing ALL IP traffic from higher-security to lower-security interfaces.

Let me know how I can help further if you have any questions.
 
LVL 1

Assisted Solution

by:annasad
annasad earned 0 total points
ID: 39953705
Thank you for the detailed answers... I am kind of busy. I have sufficient information, but I would still need to keep this question open for some time. I will probably be working on this at the weekend.

I might need help by then. Thanks.
 
LVL 1

Author Comment

by:annasad
ID: 40103976
I will close this question, as it has given sufficient information, and I would reward these points to everyone who has contributed here. I would open another question for further details.
 
LVL 1

Author Closing Comment

by:annasad
ID: 40116744
Excellent diagram, which helped me greatly to understand the design in detail. Wonderful detailed diagram with step-by-step details. Thanks very much.