Solved

ASA 5505

Posted on 2014-03-19
Last Modified: 2014-04-23
I am wondering if I am able to use the ASA 5505 to connect 2 subnets and allow them to communicate and if so how I would configure that route. Step by step directions would be much appreciated.

Thanks,
Ian
Question by:mcsdguyian
16 Comments
 
LVL 4

Expert Comment

by:dusanm011
Hello mcsdguyian,
You can connect two or more subnets using ASA 5505 with some limitation.
ASA is very sensitive to the security levels of its interfaces. Meaning, ASA can route between interfaces but it is designed to be an edge device. In that manner ASA is thinking about traffic between different interfaces as which one is more important ...
So if you want to pass traffic between eth0/0 and eth0/1, set up an IP address on eth0/0 from one subnet as gateway, and the same thing with the other subnet on eth0/1. Assuming that both subnets are inside, it can cause a problem since you have to choose which one is more important (higher security level). After that routing will be enabled.
Which raises a question... Do you want to make the ASA a router between inside networks? If you want to pass traffic between inside and outside it is another thing.
Where are those subnets? A schema maybe?

Regards.
 
LVL 17

Expert Comment

by:MAG03
What you want to do is a very common scenario and done very often.  The first thing you need to make sure of is that you have the security plus license installed.  Without this license the 3rd VLAN will be a restricted VLAN meaning it can only send traffic to one other VLAN which is normally the VLAN that is associated with the outside interface.

Now, the interface configuration would be similar to what you already have configured on your inside interface.  It can contain the same security level, but then an extra bit of command would need to be added to the ASA.  Security levels are used only when there are no ACLs configured for the interfaces.  But it is a good practice to add security levels that reflect the importance of a given interface.

Routing will take care of itself if the subnets are directly connected to the ASA, and you would only need a default route for internet traffic.

If you do not require internet access for this new VLAN, and it only needs to communicate with one other VLAN then you do not need the security plus license but you do need to add the command "no forward interface vlan number" Where number is the VLAN number that the new VLAN should not be able to communicate with.

So the steps would be as follows:

1. Check to see if the security plus license is installed using the "show version" command. If it is not installed you would need to purchase this license and install it.

2. Configure the interfaces. Just change the VLAN numbers, descriptions and IPs to your required values. After this your two networks should be able to communicate with each other:
interface vlan 10
description LAN-1
security-level 100
nameif LAN1
ip add 10.10.10.1 255.255.255.0
no shut

interface vlan 20
description LAN-2
security-level 100
nameif LAN2
ip add 20.20.20.1 255.255.255.0
no shut

interface VLAN 2
description INTERNET
security-level 0
nameif outside
ip add x.x.x.1 255.255.255.252
no shut

same-security-traffic permit inter-interface


3. Configure NAT for LAN1 and LAN2 so they can reach the internet. Keep in mind that the NAT config I am providing is for ASA version 8.3 and higher.  If you are running 8.2 or lower then this configuration will be different:

object network LAN1
  subnet 10.10.10.0 255.255.255.0
  nat (LAN1,outside) dynamic interface

object network LAN2
  subnet 20.20.20.0 255.255.255.0
  nat (LAN2,outside) dynamic interface


4.  Configure a default route for internet traffic (where x.x.x.2 the next hop)

route outside 0 0 x.x.x.2

At this point you have a basic setup that will provide connectivity between the two inside networks and provide internet access for both networks.  Now, if you want to restrict traffic between the inside networks you would need to add interface ACLs.

If you want to restrict LAN-2 from initiating traffic to LAN-1 then you just need to lower its security level to 99 or lower. If you want to restrict both LANs from communicating with each other, remove the command same-security-traffic permit inter-interface.
 

Author Comment

by:mcsdguyian
Thanks Mag03,

OK, well, I currently have the firewall set up and have an internal web server. Could you look at the current setup and make your recommendations using it?

Thanks,
Ian


: Saved
:
ASA Version 8.2(5)
!
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.140 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.34 255.255.255.240
!
interface Vlan5
 no nameif
 security-level 50
 ip address dhcp
!
ftp mode passive
dns server-group DefaultDNS
domain-name XXX
object-group network inside-subnet
access-list outside-access-in extended permit icmp any any
access-list outside-access-in extended permit tcp any host XX.XX.XX.36 eq www log
access-list outside-access-in extended permit tcp any host XX.XX.XX.35 eq www log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 XX.XX.XX.35-XX.XX.XX.40 netmask 255.255.255.255
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) XX.XX.XX.35 192.168.50.131 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.40 192.168.50.245 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.36 192.168.50.135 netmask 255.255.255.255
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect ip-options
  inspect http
  inspect ils
!
 
LVL 17

Expert Comment

by:MAG03
Not exactly sure what comments you are looking for. The only thing that would change in your case is how NAT is configured, since you are running 8.2.

Other than that you would need to be more specific on exactly what you want with regards to the 3rd VLAN.  
- Should it be able to reach the internet?
- Should it be able to access the inside network, or should only the inside network be able to access the new VLAN?
- What is the role of the server you mentioned and what is its IP address (difficult to tell since you have 3 static NAT statements)?  By the way is your internet working with this setup?
- Are you thinking of moving this server to the new VLAN?
 

Author Comment

by:mcsdguyian
When I said comment I meant I was not exactly sure how to set that up with my current config. I appreciate your help.

- Yes, the 3rd VLAN should be able to access the internet.
- The new VLAN should be able to access the inside network and the inside network should also be able to access the new VLAN.
- The server is a web server and database server; the internal IP is 192.168.50.131.
- No, the server will stay where it's at.

Thanks
 
LVL 17

Accepted Solution

by:
MAG03 earned 500 total points
OK, I am assuming VLAN 5 is the third VLAN you want to set up?

First of all, we need to confirm that you have the security plus license installed. Issue the show version command on the CLI and at the bottom of the output it will state what license you are using. Remember that you must have a security plus license for this to work.

So it seems you are not very concerned about restricting access between the new VLAN and the inside network.  If that is the case then you can use the following as a sample config.  Just change the IP for the new VLAN and naming convention if needed.

interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.50.140 255.255.255.0

interface vlan 2
 nameif outside
 security-level 0
 ip address XX.XX.XX.34 255.255.255.240

interface vlan 5
 nameif DMZ
 security-level 50
 ip address 192.168.40.1 255.255.255.0

access-list DMZ-to-any extended permit ip 192.168.40.0 255.255.255.0 any
access-list Inside-to-any extended permit ip 192.168.50.0 255.255.255.0 any

access-group DMZ-to-any in interface DMZ
access-group Inside-to-any in interface inside

global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (DMZ) 2 192.168.40.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 XX.XX.XX.33 1
 

Author Comment

by:mcsdguyian
That looks like it might work. I had to upgrade the license to security plus and will try this in the next couple of days when I receive the license. Hopefully that will do the trick.
 

Author Comment

by:mcsdguyian
MAG03,

That got the subnet set up. Thanks! Just to make sure: my computer on my new subnet will use 192.168.40.1 as the gateway? The reason I ask is that for some reason I can get on the internet without a problem, but cannot connect to any computers on the other subnet or vice versa. Is it a Cisco config issue?

Thanks
 

Author Comment

by:mcsdguyian
I am going to assume there is something not right with the routing, because I cannot ping the IP on the other subnet, 192.168.40.1.
 
LVL 17

Expert Comment

by:MAG03
There is nothing wrong with routing. That subnet is directly connected to the ASA, so the ASA knows how to reach it.

The reason you cannot ping the ASA DMZ interface is because of how the ASA is designed. You will only be able to ping the interface that the traffic ingresses on. So if you are pinging from a PC on the inside interface you will only be able to ping the IP on the inside interface and no other IP assigned to the ASA.

So to test this you would need to set up a PC on the inside interface and ping that.  Just remember to turn off any software firewall during testing.
 
LVL 17

Expert Comment

by:MAG03
Just to make sure so my computer on my new subnet will use  192.168.40.1 as the gateway?
Yes, if you have set the ASA interface to 192.168.40.1, then this will be the default gateway of your client machines.

If you are unable to reach the DMZ subnet from the inside, and vice versa, then this is most likely a configuration problem, and could very well be an ACL problem. Make sure that traffic between the two subnets is permitted in the ACL on both interfaces.

If you require further help, please post an updated configuration (sanitised) for further troubleshooting.
 

Author Comment

by:mcsdguyian
I appreciate your help.  

Result of the command: "show config"

: Saved
: Written by enable_15 at 08:59:41.358 UTC Wed Apr 9 2014
 
ASA Version 8.2(5)
 
names
 
interface Ethernet0/0
 switchport access vlan 2
 
interface Ethernet0/1
 
interface Ethernet0/2
 switchport access vlan 3
 
interface Ethernet0/3
 
interface Ethernet0/4
 
interface Ethernet0/5
 switchport access vlan 5
 
interface Ethernet0/6
 
interface Ethernet0/7
 
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.140 255.255.255.0
 
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.34 255.255.255.240
 
interface Vlan3
 nameif CorpDMZ
 security-level 50
 ip address 192.168.40.1 255.255.255.0
 
interface Vlan5
 description Guest Access
 no nameif
 security-level 10
 ip address 192.168.1.50 255.255.255.0
 
ftp mode passive
dns server-group DefaultDNS
 domain-name QCS
object-group network inside-subnet
access-list outside-access-in extended permit icmp any any
access-list outside-access-in extended permit tcp any host XX.XX.XX.36 eq www log
access-list outside-access-in extended permit tcp any host XX.XX.XX.35 eq www log
access-list Inside-to-any extended permit ip 192.168.50.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu CorpDMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 XX.XX.XX.35-XX.XX.XX.40 netmask 255.255.255.255
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (CorpDMZ) 2 192.168.40.0 255.255.255.0
static (inside,outside) XX.XX.XX.35 192.168.50.131 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.40 192.168.50.245 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.36 192.168.50.135 netmask 255.255.255.255
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
dhcpd address 192.168.50.5-192.168.50.132 inside

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 
class-map inspection_default
 match default-inspection-traffic
 
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect ip-options
  inspect http
  inspect ils

Thanks
 

Author Comment

by:mcsdguyian
I have been doing a little more research and it looks like, since I am using dynamic NAT for traffic going out on the outside interface, I will have to set that up for the DMZ and inside interfaces.

I set up access lists for the interfaces, but now I believe I need to set up NAT and maybe a pool for those, but I am not sure. I also changed the security level of the DMZ to match the inside interface and added the following:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Here is the error when tracing:
nat(DMZ) 2 192.168.40.0 255.255.255.0
match ip DMZ 192.168.40.0 255.255.255.0 inside any
dynamic translation to pool 2 (No matching global)
translate_hits=14, untranslate_hits=0

The new config after these changes is as follows:

: Saved
: Written by enable_15 at 14:21:53.036 UTC Thu Apr 10 2014

ASA Version 8.2(5)

names

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2
 switchport access vlan 3

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5
 switchport access vlan 5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.140 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.34 255.255.255.240

interface Vlan3
 nameif CorpDMZ
 security-level 100
 ip address 192.168.40.1 255.255.255.0

interface Vlan5
 description Guest Access
 no nameif
 security-level 10
 ip address 192.168.1.50 255.255.255.0

ftp mode passive
dns server-group DefaultDNS
 domain-name QCS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside-subnet
access-list outside-access-in extended permit icmp any any
access-list outside-access-in extended permit tcp any host XX.XX.XX.36 eq www log
access-list outside-access-in extended permit tcp any host XX.XX.XX.35 eq www log
access-list inside_access_in extended permit icmp 192.168.50.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 any
access-list Inside-to-any extended permit ip 192.168.50.0 255.255.255.0 any
access-list CorpDMZ_access_in extended permit icmp 192.168.40.0 255.255.255.0 any
access-list CorpDMZ_access_in extended permit ip 192.168.40.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
access-list CorpDMZ_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu CorpDMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 3 interface
global (outside) 1 XX.XX.XX.35-XX.XX.XX.40 netmask 255.255.255.255
global (outside) 2 interface
global (CorpDMZ) 4 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (CorpDMZ) 2 192.168.40.0 255.255.255.0
static (inside,outside) XX.XX.XX.35 192.168.50.131 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.40 192.168.50.245 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.36 192.168.50.135 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside-access-in in interface outside
access-group CorpDMZ_access_in in interface CorpDMZ
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside

dhcpd address 192.168.50.5-192.168.50.132 inside


threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn


class-map inspection_default
 match default-inspection-traffic


policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect ip-options
  inspect http
  inspect ils


Thanks
 
LVL 17

Expert Comment

by:MAG03
You would need dynamic NAT if you want the DMZ to be able to reach the internet. But you have set up your NAT incorrectly. The number following the global and nat statements is a group identifier and must not be unique unless you are setting up different groups. So your NAT should look something like this:

global (outside) 2 interface
nat (inside) 2 192.168.50.0 255.255.255.0
nat (CorpDMZ) 2 192.168.40.0 255.255.255.0

Are you able to establish a connection between the inside and CorpDMZ networks now?
Change the NAT and then test to see if you can get to the internet from the CorpDMZ.
 

Author Comment

by:mcsdguyian
My DMZ can already reach the internet and so can the inside. I just cannot get the DMZ to talk to the inside and vice versa.

I still get the same NAT error and cannot establish a connection between the inside and CorpDMZ networks.
 

Author Comment

by:mcsdguyian
Mag,

Thanks for your help to this point. I still cannot talk between the 2 VLANs, but at least they are both set up and can get to the internet.
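The thread ends with the inside/CorpDMZ problem unresolved. The packet-tracer output the asker quoted ("dynamic translation to pool 2 (No matching global)") is the key: on 8.2 the `nat (inside) 2` / `nat (CorpDMZ) 2` rules match the inter-VLAN traffic too, and because neither interface has a `global` entry with ID 2, the ASA drops it. The added configuration below (an editor's example, not posted by anyone in the thread) completes the asker's final 8.2(5) config with a NAT exemption for traffic between the two VLANs and a packet-tracer check. It reuses the asker's interface and ACL names; the test hosts 192.168.50.10 and 192.168.40.10 are constructed.

```cisco
! Added example; assumes the asker's 8.2(5) config above: inside = Vlan1 192.168.50.0/24,
! CorpDMZ = Vlan3 192.168.40.0/24, both security-level 100,
! "same-security-traffic permit inter-interface" present, nat-control disabled (default).

! 1. Replace the existing nat0 ACLs: for "nat (ifc) 0 access-list" the SOURCE must be the
!    subnet behind that interface and the destination the remote subnet. The asker's entries
!    ("permit ip any 192.168.50.0 ...") have the direction reversed.
no access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
no access-list CorpDMZ_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list CorpDMZ_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.50.0 255.255.255.0

! 2. NAT exemption: nat 0 is evaluated before the dynamic rules, so inside<->CorpDMZ traffic
!    is never translated and no "global" on the egress interface is required.
nat (inside) 0 access-list inside_nat0_outbound
nat (CorpDMZ) 0 access-list CorpDMZ_nat0_outbound

! 3. Internet access keeps using the one dynamic PAT group (ID 2) on the outside interface.
!    The per-interface "global (inside) 3" and "global (CorpDMZ) 4" entries serve no nat rule
!    and are removed; nat (inside) is narrowed from 0.0.0.0/0 to the real inside subnet.
no global (inside) 3 interface
no global (CorpDMZ) 4 interface
global (outside) 2 interface
no nat (inside) 2 0.0.0.0 0.0.0.0
nat (inside) 2 192.168.50.0 255.255.255.0
nat (CorpDMZ) 2 192.168.40.0 255.255.255.0

! 4. Interface ACLs. The asker's "permit ip <subnet> any" lines already allow both directions.
!    Where the DMZ should not have full reach into inside, replace the DMZ "permit ip ... any"
!    with explicit entries, e.g. only the web/DB server the asker named (port 80 shown; add
!    the database port actually in use):
!    access-list CorpDMZ_access_in extended permit tcp 192.168.40.0 255.255.255.0 host 192.168.50.131 eq www
!    access-list CorpDMZ_access_in extended deny ip 192.168.40.0 255.255.255.0 192.168.50.0 255.255.255.0
!    access-list CorpDMZ_access_in extended permit ip 192.168.40.0 255.255.255.0 any

! 5. Verify before testing from a PC: the NAT phase should now report the exemption rule
!    ("nat (inside) 0 access-list ..."), not "No matching global", and the result should be ALLOW.
packet-tracer input inside tcp 192.168.50.10 12345 192.168.40.10 80
packet-tracer input CorpDMZ tcp 192.168.40.10 12345 192.168.50.131 80
show xlate
write memory
```

Run the packet-tracer commands from both sides; if either still drops in the NAT phase, `show running-config nat` and `show running-config global` will show which rule caught the flow.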