mcsdguyian
asked on
ASA 5505
I am wondering if I am able to use the ASA 5505 to connect 2 subnets and allow them to communicate and if so how I would configure that route. Step by step directions would be much appreciated.
Thanks,
Ian
What you want to do is a very common scenario and done very often. The first thing you need to make sure of is that you have the security plus license installed. Without this license the 3rd VLAN will be a restricted VLAN meaning it can only send traffic to one other VLAN which is normally the VLAN that is associated with the outside interface.
Now, the interface configuration would be similar to what you already have configured on your inside interface. It can contain the same security level, but then an extra bit of command would need to be added to the ASA. Security levels are used only when there are no ACLs configured for the interfaces. But it is a good practice to add security levels that reflect the importance of a given interface.
Routing will take care of itself if the subnets are directly connected to the ASA, and you would only need a default route for internet traffic.
If you do not require internet access for this new VLAN, and it only needs to communicate with one other VLAN, then you do not need the security plus license, but you do need to add the command "no forward interface vlan number", where number is the VLAN number that the new VLAN should not be able to communicate with.
So the steps would be as follows:
1. Check to see if the security plus license is installed using the "show version" command. If it is not installed you would need to purchase this license and install it.
2. Configure the interfaces. Just change the VLAN numbers, descriptions, IPs to your required values. After this your two networks should be able to communicate with each other:
interface vlan 10
description LAN-1
security-level 100
nameif LAN1
ip add 10.10.10.1 255.255.255.0
no shut
interface vlan 20
description LAN-2
security-level 100
nameif LAN2
ip add 20.20.20.1 255.255.255.0
no shut
interface VLAN 2
description INTERNET
security-level 0
nameif outside
ip add x.x.x.1 255.255.255.252
no shut
same-security-traffic permit inter-interface
3. Configure NAT for LAN1 and LAN2 so they can reach the internet. Keep in mind that the NAT config I am providing is for ASA version 8.3 and higher. If you are running 8.2 or lower then this configuration will be different:
object network LAN1
subnet 10.10.10.0 255.255.255.0
nat (LAN1,outside) dynamic interface
object network LAN2
subnet 20.20.20.0 255.255.255.0
nat (LAN2,outside) dynamic interface
4. Configure a default route for internet traffic (where x.x.x.2 is the next hop):
route outside 0 0 x.x.x.2
At this point you have a basic setup that will provide connectivity between the two inside networks and provide internet access for both networks. Now, if you want to restrict traffic between the inside networks you would need to add interface ACLs.
If you want to restrict LAN-2 from initiating traffic to LAN-1 then you just need to lower its security level to 99 or lower. If you want to restrict both LANs from communicating with each other, remove the command same-security-traffic permit inter-interface.
ASKER
Thanks Mag03,
Ok, well I currently have the firewall set up and have an internal webserver. Could you look at the current setup and make your recommendations using it?
Thanks,
Ian
: Saved
:
ASA Version 8.2(5)
!
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.140 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.34 255.255.255.240
!
interface Vlan5
no nameif
security-level 50
ip address dhcp
!
ftp mode passive
dns server-group DefaultDNS
domain-name XXX
object-group network inside-subnet
access-list outside-access-in extended permit icmp any any
access-list outside-access-in extended permit tcp any host XX.XX.XX.36 eq www log
access-list outside-access-in extended permit tcp any host XX.XX.XX.35 eq www log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 XX.XX.XX.35-XX.XX.XX.40 netmask 255.255.255.255
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) XX.XX.XX.35 192.168.50.131 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.40 192.168.50.245 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.36 192.168.50.135 netmask 255.255.255.255
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect ip-options
inspect http
inspect ils
!
Not exactly sure what comments you are looking for. The only thing that would change in your case is how NAT is configured since you are running 8.2.
Other than that you would need to be more specific on exactly what you want with regards to the 3rd VLAN.
- Should it be able to reach the internet?
- Should it be able to access the inside network, or should only the inside network be able to access the new VLAN?
- What is the role of the server you mentioned and what is its IP address (difficult to tell since you have 3 static NAT statements)? By the way is your internet working with this setup?
- Are you thinking of moving this server to the new VLAN?
ASKER
When I said comment I meant I was not exactly sure how to set that up with my current config. I appreciate your help.
- Yes, the 3rd VLAN should be able to access the internet.
- The new VLAN should be able to access the inside network, and the inside network should also be able to access the new VLAN.
- The server is a webserver and database server; the internal IP is 192.168.50.131.
- No, the server will stay where it's at.
Thanks
ASKER CERTIFIED SOLUTION
ASKER
That looks like it might work. I had to upgrade the license to the security plus and will try this in the next couple days when I receive the license. Hopefully that will do the trick.
ASKER
MAG03,
That got the subnet set up. Thanks! Just to make sure: my computer on my new subnet will use 192.168.40.1 as the gateway? The reason I ask is that for some reason I can get on the internet without a problem, but cannot connect to any computers on the other subnet, or vice versa. Is it a Cisco config issue?
Thanks
ASKER
I am going to assume there is something not right with the routing, because I cannot ping the ip on the other subnet 192.168.40.1
There is nothing wrong with routing. That subnet is directly connected to the ASA so the ASA knows how to reach it.
The reason you cannot ping the ASA DMZ interface is because of how the ASA is designed. You will only be able to ping the interface that the traffic ingresses on. So if you are pinging from a PC on the inside interface you will only be able to ping the IP on the inside interface and no other IP assigned to the ASA.
So to test this you would need to set up a PC on the inside interface and ping that. Just remember to turn off any software firewall during testing.
"Just to make sure so my computer on my new subnet will use 192.168.40.1 as the gateway?"
Yes, if you have set the ASA interface to 192.168.40.1, then this will be the default gateway of your client machines.
If you are unable to reach the DMZ subnet from the inside...and vice versa, then this is most likely a configuration problem, and could very well be an ACL problem. Make sure that traffic between the two subnets is permitted in the ACL on both interfaces.
If you require further help, please post an updated configuration (sanitised) for further troubleshooting.
ASKER
I appreciate your help.
Result of the command: "show config"
: Saved
: Written by enable_15 at 08:59:41.358 UTC Wed Apr 9 2014
ASA Version 8.2(5)
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.140 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.34 255.255.255.240
interface Vlan3
nameif CorpDMZ
security-level 50
ip address 192.168.40.1 255.255.255.0
interface Vlan5
description Guest Access
no nameif
security-level 10
ip address 192.168.1.50 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name QCS
object-group network inside-subnet
access-list outside-access-in extended permit icmp any any
access-list outside-access-in extended permit tcp any host XX.XX.XX.36 eq www log
access-list outside-access-in extended permit tcp any host XX.XX.XX.35 eq www log
access-list Inside-to-any extended permit ip 192.168.50.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu CorpDMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 XX.XX.XX.35-XX.XX.XX.40 netmask 255.255.255.255
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (CorpDMZ) 2 192.168.40.0 255.255.255.0
static (inside,outside) XX.XX.XX.35 192.168.50.131 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.40 192.168.50.245 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.36 192.168.50.135 netmask 255.255.255.255
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.50.5-192.168.50.132 inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect ip-options
inspect http
inspect ils
Thanks
ASKER
I have been doing a little more research and it looks like since I am using Dynamic NAT for traffic going out on the outside interface that I will have to set that up for the DMZ and inside interfaces.
I set up access lists for the interfaces, but now I believe I need to set up NAT and maybe a pool for those, but I am not sure. I also changed the security level of the DMZ to match the inside interface and added the following:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Here is the error when tracing:
nat(DMZ) 2 192.168.40.0 255.255.255.0
match ip DMZ 192.168.40.0 255.255.255.0 inside any
dynamic translation to pool 2 (No matching global)
translate_hits=14, untranslate_hits=0
The new config after these changes is as follows:
: Saved
: Written by enable_15 at 14:21:53.036 UTC Thu Apr 10 2014
ASA Version 8.2(5)
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.140 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.34 255.255.255.240
interface Vlan3
nameif CorpDMZ
security-level 100
ip address 192.168.40.1 255.255.255.0
interface Vlan5
description Guest Access
no nameif
security-level 10
ip address 192.168.1.50 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name QCS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside-subnet
access-list outside-access-in extended permit icmp any any
access-list outside-access-in extended permit tcp any host XX.XX.XX.36 eq www log
access-list outside-access-in extended permit tcp any host XX.XX.XX.35 eq www log
access-list inside_access_in extended permit icmp 192.168.50.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 any
access-list Inside-to-any extended permit ip 192.168.50.0 255.255.255.0 any
access-list CorpDMZ_access_in extended permit icmp 192.168.40.0 255.255.255.0 any
access-list CorpDMZ_access_in extended permit ip 192.168.40.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list CorpDMZ_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu CorpDMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 3 interface
global (outside) 1 XX.XX.XX.35-XX.XX.XX.40 netmask 255.255.255.255
global (outside) 2 interface
global (CorpDMZ) 4 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (CorpDMZ) 2 192.168.40.0 255.255.255.0
static (inside,outside) XX.XX.XX.35 192.168.50.131 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.40 192.168.50.245 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.36 192.168.50.135 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside-access-in in interface outside
access-group CorpDMZ_access_in in interface CorpDMZ
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.50.5-192.168.50.132 inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect ip-options
inspect http
inspect ils
Thanks
You would need dynamic NAT if you want the DMZ to be able to reach the internet, but you have set up your NAT incorrectly. The number following the global and nat statements is a group identifier and must not be unique unless you are setting up different groups. So your NAT should look something like this:
global (outside) 2 interface
nat (inside) 2 192.168.50.0 255.255.255.0
nat (CorpDMZ) 2 192.168.40.0 255.255.255.0
Are you able to establish a connection between the inside and CorpDMZ networks now?
Change the NAT and then test to see if you can get to the internet from the CorpDMZ.
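The "(No matching global)" result in the packet trace above follows from a rule that can be checked statically: on 8.2, a flow that matches a nat statement on its ingress interface must find a global with the same group ID on the egress interface. The following added Python check (not the thread's or Cisco's code) parses the pre-8.3 nat/global statements, reports every nat group that lacks a global of the same ID on some other interface, and also flags ACLs that are defined but never bound; the sample config is a constructed subset of the configuration posted above, with the public addresses omitted.

```python
"""Static check for pre-8.3 (here 8.2) ASA NAT: find nat statements whose group ID
has no matching global on a possible egress interface, the condition behind the
packet-tracer line "dynamic translation to pool 2 (No matching global)".
Added example, not the thread's or Cisco's code; sample config is constructed."""
import re
from dataclasses import dataclass

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s*$")
NAT_RE = re.compile(r"^\s*nat\s+\((\S+)\)\s+(\d+)\s+(.*)$")
GLOBAL_RE = re.compile(r"^\s*global\s+\((\S+)\)\s+(\d+)\b")
ACL_DEF_RE = re.compile(r"^\s*access-list\s+(\S+)\s+(?:extended|standard|remark)\b")
ACL_USE_RE = re.compile(
    r"^\s*(?:access-group\s+(\S+)|nat\s+\(\S+\)\s+0\s+access-list\s+(\S+))")


@dataclass
class NatConfig:
    interfaces: list  # nameif values in order of appearance
    nat_rules: list   # [(ingress nameif, group ID)]; group 0 is identity/exemption
    globals_: set     # {(egress nameif, group ID)}
    acls_defined: set
    acls_used: set    # bound by access-group or by nat 0 access-list


def parse_config(text: str) -> NatConfig:
    """Collect only the statements that decide 8.2 dynamic NAT matching."""
    cfg = NatConfig([], [], set(), set(), set())
    for line in text.splitlines():
        if m := NAMEIF_RE.match(line):
            cfg.interfaces.append(m.group(1))
        elif m := NAT_RE.match(line):
            cfg.nat_rules.append((m.group(1), int(m.group(2))))
        elif m := GLOBAL_RE.match(line):
            cfg.globals_.add((m.group(1), int(m.group(2))))
        elif m := ACL_DEF_RE.match(line):
            cfg.acls_defined.add(m.group(1))
        if m := ACL_USE_RE.match(line):  # a nat 0 line is both a nat rule and an ACL use
            cfg.acls_used.add(m.group(1) or m.group(2))
    return cfg


def missing_globals(cfg: NatConfig) -> list:
    """One message per (nat group, egress interface) pair that has no global.

    On 8.2 a flow that matches a nat statement on its ingress interface but finds
    no global with the same ID on the egress interface is dropped, with or without
    nat-control. Group 0 is exempt from translation and never needs a global.
    Hairpin (intra-interface) flows are not modelled here.
    """
    problems = []
    for ingress, group in cfg.nat_rules:
        if group == 0:
            continue
        for egress in cfg.interfaces:
            if egress != ingress and (egress, group) not in cfg.globals_:
                problems.append(f"nat ({ingress}) {group} -> {egress}: "
                                f"no 'global ({egress}) {group}'")
    return problems


def unbound_acls(cfg: NatConfig) -> set:
    """ACLs that are defined but never applied; they filter or exempt nothing."""
    return cfg.acls_defined - cfg.acls_used


# Constructed subset of the thread's last posted config (public IPs omitted).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
interface Vlan3
 nameif CorpDMZ
access-list outside-access-in extended permit icmp any any
access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 any
access-list CorpDMZ_access_in extended permit ip 192.168.40.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list CorpDMZ_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0
global (inside) 3 interface
global (outside) 2 interface
global (CorpDMZ) 4 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (CorpDMZ) 2 192.168.40.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside-access-in in interface outside
access-group CorpDMZ_access_in in interface CorpDMZ
"""

# Same config with the globals renumbered to the group the nat statements use, as
# the reply above describes; a nat 0 exemption would be the other way to clear it.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("global (inside) 3 interface", "global (inside) 2 interface")
                .replace("global (CorpDMZ) 4 interface", "global (CorpDMZ) 2 interface"))

if __name__ == "__main__":
    for name, text in (("as posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(f"[{name}] missing globals: {missing_globals(cfg) or 'none'}")
        print(f"[{name}] unbound ACLs: {sorted(unbound_acls(cfg)) or 'none'}")
```

On the posted config the check reports the inside-to-CorpDMZ and CorpDMZ-to-inside pairs, which is exactly the traffic that fails in the thread, and also shows that the two nat0 ACLs generated alongside are never referenced by a nat 0 statement.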
ASKER
My DMZ can already reach the internet and so can the inside. I just cannot get the DMZ to talk to the inside and vice versa.
I still get the same NAT error and cannot establish a connection between the inside and CorpDMZ networks
ASKER
Mag,
Thanks for your help to this point. I still cannot talk between the 2 VLANs, but at least they are both set up and can get to the internet.
You can connect two or more subnets using ASA 5505 with some limitation.
ASA is very sensitive on security levels of its interfaces. Meaning, ASA can route between interfaces but it is designed to be an edge device. In that manner ASA is thinking about traffic between different interfaces as which one is more important ...
So if you want to pass traffic between eth0/0 and eth0/1, setup an ip address on eth0/0 from one subnet as gateway, and same thing with the other subnet on eth0/1. Assuming that both subnets are inside, it can cause a problem since you have to choose which one is more important (higher sec level). After that routing will be enabled.
Which raises a question: do you want to make the ASA a router between inside networks? If you want to pass traffic between inside and outside, it is another thing.
Where are those subnets? A schema maybe?
Regards.