Cisco ASA Firewall Configuration Help needed!

Hi All,

I need some assistance setting up the below. I've got 3 "subnets" to set up internally. All must be able to reach the internet through the supplier's router.

The networks are 2x /26 and 1x /27. VLANs 601 & 603 are desktop PCs. VLAN 602 will be Cisco phones. 601 and 603 do not need any separation, they're just to cover the separate DHCP ranges. DHCP will be provided by an external source (hopefully) through a VPN set up on the ASA Firewall. I'm looking to set up the outside interface, inside interface and access for all VLANs.

Is anyone able to provide a sample config on how I could get this working?

Network Overview
Thanks,

J
J 19101919 Asked:

ArneLovius Commented:
It looks from your diagram as if you have public addresses for each of the VLANs.

If you have three public subnets from your ISP, you could either use a L3 switch, or if your ASA is suitably licensed have each subnet connected to a dedicated (or VLAN trunk) interface on the ASA that then connects to the VLAN on the switch.
J 19101919 Author Commented:
Hi ArneLovius,

The IP ranges are sanitised, but will be part of an MPLS network, not public however.

Thanks,

John
mikecr IT Architect/Technology Delivery Manager Commented:
I'm confused. You're using the subnets you specify on the interfaces of the ASA. Are these subnets internal to the ASA? If they are, then routed VLANs should be configured on the switch for each subnet. You should then create another totally separate subnet/VLAN that will have the inside interface of the ASA connected to it. You will then set up routing on the router and ASA to access your internal subnets, but I would probably use PAT on the firewall to hide all the networks and give them access to the internet.
ArneLovius Commented:
interface Ethernet0/0
 switchport access vlan 10
!
interface Ethernet0/1
 switchport access vlan 601
!
interface Ethernet0/2
 switchport access vlan 602
!
interface Ethernet0/3
 switchport access vlan 603
!
interface Vlan10
 nameif MPLSRouter
 security-level 100
 ip address 123.123.25.66 255.255.255.224
!
interface Vlan601
 nameif VLAN601
 security-level 100
 ip address 123.123.24.64 255.255.255.224
!
interface Vlan602
 nameif VLAN602
 security-level 100
 ip address 123.123.24.97 255.255.255.224
!
interface Vlan603
 nameif VLAN603
 security-level 100
 ip address 123.123.24.66 255.255.255.192
Pete Long Technical Consultant Commented:
ArneLovius, it's a 5506-X buddy, not a 5505.
ArneLovius Commented:
@PeteLong, good point well made!
J 19101919 Author Commented:
Okay,

So the 5506-X can't be used as switch ports.

How do I overcome that?

Thanks in advance
ArneLovius Commented:
From

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/interface-vlan.html

Examples for VLAN Interfaces
The following example configures parameters for a subinterface in single mode:

interface gigabitethernet 0/1
  no nameif
  no security-level
  no ip address
  no shutdown
interface gigabitethernet 0/1.1
  vlan 101
  nameif inside
  security-level 100
  ip address 192.168.6.6 255.255.255.0
  no shutdown
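A fuller 5506-X layout built on that subinterface pattern for the three VLANs in the question, as an added example that is not from the thread or the Cisco documentation. It assumes GigabitEthernet1/1 faces the supplier's MPLS router and GigabitEthernet1/2 is a trunk to the switch; all addresses are placeholders from the RFC 5737 documentation ranges, and 198.51.100.10 is an assumed external DHCP server reached over the VPN.

```cisco
! Added example (not from the thread); addresses are RFC 5737 placeholders,
! substitute the real MPLS ranges from the diagram.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
! Trunk to the switch; the physical port itself carries no IP address
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet1/2.601
 vlan 601
 nameif VLAN601
 security-level 100
 ip address 192.0.2.65 255.255.255.192
!
interface GigabitEthernet1/2.602
 vlan 602
 nameif VLAN602
 security-level 100
 ip address 192.0.2.129 255.255.255.224
!
interface GigabitEthernet1/2.603
 vlan 603
 nameif VLAN603
 security-level 100
 ip address 192.0.2.1 255.255.255.192
!
! Desktop and phone VLANs share security-level 100, so allow them to talk
same-security-traffic permit inter-interface
!
! PAT: hide all three internal ranges behind the outside address
object-group network INTERNAL
 network-object 192.0.2.0 255.255.255.192
 network-object 192.0.2.64 255.255.255.192
 network-object 192.0.2.128 255.255.255.224
nat (any,outside) after-auto source dynamic INTERNAL interface
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Relay DHCP broadcasts to the external DHCP server reached across the VPN
dhcprelay server 198.51.100.10 outside
dhcprelay enable VLAN601
dhcprelay enable VLAN602
dhcprelay enable VLAN603
```

The relay only works once the VPN to the DHCP server is up and its crypto map or tunnel covers traffic from the VLAN interface addresses to 198.51.100.10; the switch side needs matching `switchport trunk allowed vlan 601-603` on the uplink port.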
