Jonathan Joye
 asked on

ASA 5506 Configuration assistance

Hello all,
And thank you for taking a moment to look at this.

Objective:
I would like to use my ASA as the single router for two separate internal networks. My current configuration takes the internet and separates it between two individual routers. Effectively two separate networks.  I am sure I could consolidate this down to the one router.

- Network 1 is my internal business network, complete with switches, servers and workstations.
- Network 2 is a training network. I have several APs providing wifi throughout the building for training displays, laptops, etc.
 
My first question is:
Can the ASA 5506 provide DHCP for one vlan but not another?
- I have DHCP servers on interface GigabitEthernet1/2 (Network 1) and have disabled the DHCPD settings on the ASA.
- I would like to connect the training network (Network 2) up to interface GigabitEthernet1/3 or 1/4

My second question is:
How do I code that? My "google-foo" is apparently lacking, or I'm just not understanding something.
- How do I write up that second vlan so that I am able to use the ASA as the same edge router?
- Also, how do I ensure that no data can pass between Network 1 and Network 2?

Current Router config:
I have pared the included text down a bit. If I omitted something please ask.
- I do have a number of network objects that I removed that point to "Inside_1"
- I also have a route inside statement that is for some ISP managed equipment elsewhere on my network.


ASA Version 9.12(1)2
!
hostname COMPANY
domain-name COMPANY.local

names
no mac-address auto

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address <OUTSIDE IP> <SUBNET>
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.x.x.x 255.x.x.x
!
ftp mode passive
dns server-group DefaultDNS
 domain-name COMPANY.local
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0

pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface

object network XXX
 nat (inside_1,outside) static interface service XXX XXX XXX

access-group acl_out in interface outside
access-group acl_in in interface inside

route outside 0.0.0.0 0.0.0.0 <ISP GATEWAY> 1
route inside 192.x.x.x x.x.x.x 10.x.x.x 1

user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.x.x.x 255.255.255.0 inside_1
http 10.x.x.x 255.255.255.0 inside_2
http 10.x.x.x 255.255.255.0 inside_3
http 10.x.x.x 255.255.255.0 inside_4
http 10.x.x.x 255.255.255.0 inside_5
http 10.x.x.x 255.255.255.0 inside_6
http 10.x.x.x 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context

END:

Thank you for your time.

Last Comment
Jonathan Joye

8/22/2022 - Mon
Andrew Porter

I would use a separate network interface on the ASA for each network you are wanting to set up. Use port 1 for your incoming ISP, port 2 for your internal network, and port 3 for the sandbox. Set up a separate DHCP per interface as well. This will negate the need for the VLANs as a mechanism to prevent crosstalk on the networks.
Jonathan Joye

ASKER
I've never had a need to do that until now, so I am not sure how to do that. Do you know what that would look like, or a link to an example config?
ASKER CERTIFIED SOLUTION
Don Johnston

Jonathan Joye

ASKER
With Don Johnston's assistance I was able to troubleshoot and correct my config.
For anyone who may follow, this is what I wound up with:

interface GigabitEthernet1/3
 bridge-group 2
 nameif training_1
 security-level 50
!
interface BVI2
 nameif training
 security-level 50
 ip address x.x.x.1 x.x.x.0
!
dhcpd address x.x.x.100-x.x.x.250 training
dhcpd dns  8.8.8.8 1.1.1.1 interface training        
dhcpd domain domain.local interface training            
dhcpd option 3 ip x.x.x.1 interface training    
dhcpd enable training
!
object network INTERNET-NAT-ALL                      
 subnet 0.0.0.0 0.0.0.0
!
object network INTERNET-NAT-ALL                      
 nat (any,outside) dynamic interface
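Added example, not part of the asker's config or of Don Johnston's solution: the same second-bridge-group layout, with the two points the asker's final snippet leaves implicit made explicit, namely DHCP enabled only on the training BVI, and an access rule in each direction so that no traffic passes between the two networks. The subnets 10.0.1.0/24 (inside) and 192.168.50.0/24 (training), the ACL name training_in and the object name TRAINING-NAT are constructed placeholders; acl_in is the inside ACL already present in the page's config, whose contents are not shown.

```cisco
! Training network: its own bridge group and BVI at a lower security level
interface GigabitEthernet1/3
 bridge-group 2
 nameif training_1
 security-level 50
!
interface BVI2
 nameif training
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! DHCP is enabled on the training BVI only. Nothing is enabled on "inside",
! so the existing DHCP servers behind GigabitEthernet1/2 keep serving Network 1.
dhcpd address 192.168.50.100-192.168.50.250 training
dhcpd dns 8.8.8.8 1.1.1.1 interface training
dhcpd option 3 ip 192.168.50.1 interface training
dhcpd enable training
!
! Security levels alone only stop training (50) -> inside (100).
! inside -> training is permitted by default, so block both directions
! explicitly; "log" records every hit in syslog for review.
access-list training_in extended deny ip any 10.0.1.0 255.255.255.0 log
access-list training_in extended permit ip any any
access-group training_in in interface training
!
! Insert the matching deny at the top of the existing inside ACL (acl_in).
access-list acl_in line 1 extended deny ip 10.0.1.0 255.255.255.0 192.168.50.0 255.255.255.0 log
!
! PAT the training subnet to the outside address, scoped to its source
! interface rather than (any,outside).
object network TRAINING-NAT
 subnet 192.168.50.0 255.255.255.0
 nat (training,outside) dynamic interface
!
! Verify from the CLI: the simulated SMB flow from training to inside must
! end in DROP at the ACL phase; a flow to an outside address must be ALLOW.
! packet-tracer input training_1 tcp 192.168.50.20 12345 10.0.1.10 445
! packet-tracer input training_1 tcp 192.168.50.20 12345 203.0.113.10 443
```

The existing `same-security-traffic permit inter-interface` line does not affect this, because the two BVIs sit at different security levels; the deny entries are what enforce the separation, and `show access-list` shows their hit counts.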