asked on
Cisco ASA Firewall Configuration Help needed!
Hi All,
I need some assistance setting up the below. I've got 3 "subnets" to set up internally. All must be able to reach the internet through the suppliers router.
The networks are 2x /26 and 1x /27. VLANS 601 & 603 are desktop pc's. VLAN 602 will be Cisco phones. 601 and 603 do not need any seperation, they're just to cover the seperate DHCP ranges. DHCP will be provided by an external source (hopefully) through a VPN setup on the ASA Firewall. I'm looking to setup outside interface, inside interface and access for all vlans.
Is anyone able to provide a sample config on how I could get this working?
![Network Overview]()
Thanks,
J
I need some assistance setting up the below. I've got 3 "subnets" to set up internally. All must be able to reach the internet through the suppliers router.
The networks are 2x /26 and 1x /27. VLANS 601 & 603 are desktop pc's. VLAN 602 will be Cisco phones. 601 and 603 do not need any seperation, they're just to cover the seperate DHCP ranges. DHCP will be provided by an external source (hopefully) through a VPN setup on the ASA Firewall. I'm looking to setup outside interface, inside interface and access for all vlans.
Is anyone able to provide a sample config on how I could get this working?
Thanks,
J
Hardware FirewallsSwitches / HubsCiscoDHCPNetworking
Last Comment
ArneLovius
ASKER
Hi ArneLovius,
The IP ranges are sanitised, but will be part of an MPLS network, not public however.
Thanks,
John
The IP ranges are sanitised, but will be part of an MPLS network, not public however.
Thanks,
John
I'm confused. You're using the subnets you specify on the interfaces of the ASA. Are these subnets internal to the ASA? If they are, then routed vlans should be configured on the switch for each subnet. You should then create another totally separate subnet/vlan that will have the inside interface of the ASA connected to it. You will then set up routing on the router and ASA to access your internal subnets but I would probably use PAT on the firewall to hide all the networks and give them access to the internet.
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 601
!
interface Ethernet0/2
switchport access vlan 602
!
interface Ethernet0/3
switchport access vlan 603
!
interface Vlan10
nameif MPLSRouter
security-level 100
ip address 123.123.25.66 255.255.255.224
!
interface Vlan601
nameif VLAN601
security-level 100
ip address 123.123.24.64 255.255.255.224
!
interface Vlan602
nameif VLAN602
security-level 100
ip address 123.123.24.97 255.255.255.224
!
interface Vlan603
nameif VLAN603
security-level 100
ip address 123.123.24.66 255.255.255.192
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 601
!
interface Ethernet0/2
switchport access vlan 602
!
interface Ethernet0/3
switchport access vlan 603
!
interface Vlan10
nameif MPLSRouter
security-level 100
ip address 123.123.25.66 255.255.255.224
!
interface Vlan601
nameif VLAN601
security-level 100
ip address 123.123.24.64 255.255.255.224
!
interface Vlan602
nameif VLAN602
security-level 100
ip address 123.123.24.97 255.255.255.224
!
interface Vlan603
nameif VLAN603
security-level 100
ip address 123.123.24.66 255.255.255.192
ArneLovius its a 5506-X buddy not a 5505.
@PeteLong, good point well made!
ASKER
Okay,
So the 5506-X can't be used as switch ports.
How do I overcome that?
Thanks in advance
So the 5506-X can't be used as switch ports.
How do I overcome that?
Thanks in advance
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
If you have three public subnets from your ISP, you could either use a L3 switch, or if your ASA is suitably licensed have each subnet connected to a dedicated (or VLAN trunk) interface on the ASA that then connects to the VLAN on the switch.