Solved

Allow internet Access

Posted on 2014-02-23
Medium Priority
514 Views
Last Modified: 2014-06-06
I have the following scenario:

one ASA 5515, inside IP address 10.10.10.0/24
one Cisco 3560 switch, IP address 10.10.10.2/24

I need to create two VLANs: VLAN 1: 192.168.100.0/24

VLAN 2: 192.168.200.0/24

Now I need to allow these two subnets to use the internet.
What should the high-level configuration be on the ASA or switch level?
Question by: annasad

10 Comments

LVL 5

Assisted Solution

by: Martin Tarlink
Martin Tarlink earned 200 total points
ID: 39881672
You can do this in many different ways, depending on how many static IPs you have and how you would like to do NAT or PAT.

BTW, you cannot use 10.10.10.0/24 as an IP.
You can connect ASA<->Cat via no-switchport ports and set on the ASA
10.10.10.1 and on the Catalyst 10.10.10.2 with mask 255.255.255.252 (/30).

So you will create a subnet for that connection:
Net address 10.10.10.0
Broadcast address 10.10.10.3

IPs to use: 10.10.10.1 and 10.10.10.2


If you have software higher than 8.3, use NAT under objects.

Here you have very good examples:
https://supportforums.cisco.com/docs/DOC-9129

Look also here:
http://www.gregledet.net/?p=537


On the Catalyst, do default static routing:
ip route 0.0.0.0 0.0.0.0 10.10.10.1

You can also enable OSPF or EIGRP on the Cat and ASA; everything depends on what you want to accomplish.

On the ASA you need to create an object for your VLAN IPs,
or one global one:
All Vlans
192.168.0.0 255.255.0.0

and do NAT to the outside interface, dynamic, as described.
 
LVL 9

Accepted Solution

by: ffleisma
ffleisma earned 1600 total points
ID: 39881923
I've attached a diagram in Visio and PDF; this would highlight your basic high-level design.

Please take note of the following:
no redundancy for the FW and core
DMZ setup is not in place yet
access switches not shown
this is just the logical diagram for the setup

Hope this helps, and let me know if you have any further questions.
Simple-FW-LAN-design.vsd
Visio-Simple-FW-LAN-design.pdf
 
LVL 9

Assisted Solution

by: ffleisma
ffleisma earned 1600 total points
ID: 39881925
Forgot one thing though :-) the permissive ACL to allow internet traffic :-)

! object-group defined first, so the ACL lines below can reference it
object-group network objg_Internal_Allowed_Internet
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
!
!(for http)
!
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq www
!
!(for https)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq https
!
!(for email)
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq smtp
!
 
LVL 28

Assisted Solution

by: asavener
asavener earned 200 total points
ID: 39882752
Two things.

1) On the ASA, add routes to the new subnets.

2) Modify the object group to include the new subnets.
 
LVL 1

Author Comment

by: annasad
ID: 39887537
Thanks for sharing the detailed information...

Yes, the IOS is higher than 8.3; I think it's 8.6 or 9.1, I still have to find it out.

The total usable public static IP addresses are 5. Does it make a difference in efficiency or performance if I use NAT or PAT? Should I use one single IP address or more?

And I have not worked on the ASA on the command line, but I am aware of Cisco IOS a bit, meaning I can type commands...

So by default, internet access is not allowed; I have to use permissive ACLs in order to allow any kind of traffic?

Initially I saw three types of traffic for the internet.

Thanks for the diagrams. It's fairly the same design as explained in the diagram; however, there are access layer switches too, but I have to find them.
 
LVL 28

Expert Comment

by: asavener
ID: 39887748
Like any computer, it does what you tell it to do. Someone has limited internet access to certain subnets, so when you add new subnets you have to modify the configuration.

If you want to avoid this issue in the future, just add all of the RFC 1918 addresses to your object group:

192.168.0.0 255.255.255.0
172.16.0.0 255.240.0.0
10.0.0.0 255.0.0.0
 
LVL 9

Expert Comment

by: ffleisma
ID: 39888538
total usable public static IP addresses are 5 , does it make a difference it efficiency or performance If I use NAT or PAT ?

NAT is usually a one-to-one translation, and PAT is one-to-many. For internet access that is always PAT, since you have multiple LAN users needing to be NATed to a publicly routed IP.

Static NAT is usually done for, but not limited to, DMZ servers, where web servers, mail servers, etc. need a publicly reachable IP.

and I have not worked on ASA  on command line but I am aware of Cisco IOS a bit , means can type commands ...

You can configure the ASA two ways: using ASDM (GUI) or the CLI. The one I presented is CLI, but if you need something for the GUI, let me know your setup and I might be able to provide some insights.

so by default , Internet access is not allowed , I have to use permissive ACLs in order to allow any kind of traffic ?

By default, all traffic incoming to any interface is blocked. Sometimes there is a preset command allowing ALL IP traffic from higher-security to lower-security interfaces.

Let me know how I can help further if you have any questions.
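The pieces the answers above describe (Martin Tarlink's /30 link, default route and post-8.3 object NAT; ffleisma's inside ACL and the NAT-versus-PAT explanation; asavener's routes back to the new subnets) fit together as one Catalyst-plus-ASA configuration. The following is an added, complete example written for this page; it is not any poster's configuration. Assumed, not taken from the thread: the interface names, VLAN IDs 100 and 200 (the question says VLAN 1 and 2, but VLAN 1 is the switch's default VLAN and is best left unused for user traffic), hostnames, and the public addresses, which come from the documentation prefix 203.0.113.0/24 and stand in for whatever block the ISP assigned.

```cisco
!=== Catalyst 3560 (assumed hostname: CORE-SW) ===
! Enable IP routing so the SVIs route between VLANs and toward the ASA
ip routing
!
! VLAN IDs 100/200 are an assumption; the question says VLAN 1/2 (VLAN 1 is the default VLAN)
vlan 100
 name USERS-100
vlan 200
 name USERS-200
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 no shutdown
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 no shutdown
!
! Routed (no switchport) /30 link to the ASA inside interface (port name assumed)
interface GigabitEthernet0/1
 description Uplink to ASA inside
 no switchport
 ip address 10.10.10.2 255.255.255.252
 no shutdown
!
! Everything not directly connected goes to the ASA
ip route 0.0.0.0 0.0.0.0 10.10.10.1

!=== ASA 5515-X, 9.x syntax (interface names assumed; 203.0.113.0/24 is a placeholder for the ISP block) ===
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.252
 no shutdown
!
! Default route to the ISP, plus routes back to the VLAN subnets via the switch.
! Without these two inside routes the ASA has no return path for 192.168.x.0/24.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.100.0 255.255.255.0 10.10.10.2 1
route inside 192.168.200.0 255.255.255.0 10.10.10.2 1
!
! Post-8.3 object NAT: dynamic PAT of both VLANs to the outside interface address.
! One public IP is enough for user browsing; keep the remaining addresses for static NAT of DMZ servers.
object network obj_vlan100
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network obj_vlan200
 subnet 192.168.200.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! The object-group must exist before an ACL line references it
object-group network objg_Internal_Allowed_Internet
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
!
! Inside ACL. Post-8.3 ACLs match the real (pre-NAT) addresses.
! DNS is permitted because web access is useless without name resolution.
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq www
access-list inside_access_in extended permit tcp object-group objg_Internal_Allowed_Internet any eq https
access-list inside_access_in extended permit udp object-group objg_Internal_Allowed_Internet any eq domain
! Explicit final deny with logging so dropped flows show up in syslog
access-list inside_access_in extended deny ip any any log
!
! Applying the ACL replaces the default "higher security to lower security" permit
access-group inside_access_in in interface inside
```

Check the result on the ASA with `show route` (both 192.168.x.0/24 routes should point at 10.10.10.2), `show nat` (translation hit counts per object) and a simulated flow such as `packet-tracer input inside tcp 192.168.100.10 40000 198.51.100.20 443` (198.51.100.0/24 is another documentation prefix used as a stand-in destination); the trace should end in ALLOW with the NAT phase showing the outside interface address. Two caveats on the thread's own suggestions: permitting TCP/25 from every user subnet to `any` lets an infected workstation send mail directly, so restrict that line to the organisation's mail server host; and a catch-all RFC 1918 object-group needs the masks 10.0.0.0 255.0.0.0, 172.16.0.0 255.240.0.0 and 192.168.0.0 255.255.0.0 (a /24 mask on 192.168.0.0 covers only that one subnet).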
 
LVL 1

Assisted Solution

by: annasad
annasad earned 0 total points
ID: 39953705
Thank you for the detailed answers... I am kind of busy. I have sufficient information, but I would still need to keep this question open for some time. I will probably be working on this at the weekend.

I might need help by then... thanks.
 
LVL 1

Author Comment

by: annasad
ID: 40103976
I will close this question, as this has given sufficient information, and I will award these points to everyone who has contributed here. I will open another question for further details.
 
LVL 1

Author Closing Comment

by: annasad
ID: 40116744
Excellent diagram, which helped me greatly to understand the design in detail. Wonderful detailed diagram with step-by-step details. Thanks very much.
