ASA 5506 Configuration assistance

Asked by Jonathan Joye
Hello all,
And thank you for taking a moment to look at this.

Objective:
I would like to use my ASA as the single router for two separate internal networks. My current configuration takes the internet and separates it between two individual routers. Effectively two separate networks.  I am sure I could consolidate this down to the one router.

- Network 1 is my internal business network, complete with switches, servers and workstations.
- Network 2 is a training network. I have several APs providing wifi throughout the building for training displays, laptops, etc.
 
My first question is:
Can the ASA 5506 provide DHCP for one vlan but not another?
-  I have DHCP servers on interface GigabitEthernet1/2 (Network 1) and have disabled the DHCPD settings on the ASA.
-  I would like to connect the training network (Network 2) up to interface GigabitEthernet1/3 or 1/4

My second question is:
How do I code that? My "google-foo" is apparently lacking, or I'm just not understanding something.
- How do I write up that second vlan so that I am able to use the ASA as the same edge router?
- Also, how do I ensure that no data can pass between Network 1 and Network 2?

Current Router config:
I have pared the included text down a bit. If I omitted something, please ask.
- I do have a number of network objects that I removed that point to "Inside_1"
- I also have a route inside statement that is for some ISP managed equipment elsewhere on my network.


ASA Version 9.12(1)2
!
hostname COMPANY
domain-name COMPANY.local

names
no mac-address auto

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address <OUTSIDE IP> <SUBNET>
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.x.x.x 255.x.x.x
!
ftp mode passive
dns server-group DefaultDNS
 domain-name COMPANY.local
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0

pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface

object network XXX
 nat (inside_1,outside) static interface service XXX XXX XXX

access-group acl_out in interface outside
access-group acl_in in interface inside

route outside 0.0.0.0 0.0.0.0 <ISP GATEWAY> 1
route inside 192.x.x.x x.x.x.x 10.x.x.x 1

user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.x.x.x 255.255.255.0 inside_1
http 10.x.x.x 255.255.255.0 inside_2
http 10.x.x.x 255.255.255.0 inside_3
http 10.x.x.x 255.255.255.0 inside_4
http 10.x.x.x 255.255.255.0 inside_5
http 10.x.x.x 255.255.255.0 inside_6
http 10.x.x.x 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context

END:

Thank you for your time.
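As an added example (not part of this thread and not the accepted solution), here is one way to answer both questions on ASA 9.12: DHCP on the ASA is enabled per interface with `dhcpd enable <nameif>`, so it can serve one network and stay off for the other. The example takes GigabitEthernet1/3 out of bridge-group 1, makes it a routed interface with its own DHCP scope, and uses an interface ACL to keep the training network away from the business network. The subnet 172.16.20.0/24, the nameif `training`, the ACL name `acl_training` and the object name `obj_training` are assumptions chosen for illustration; `<INSIDE NET>`/`<INSIDE MASK>` stand for the redacted 10.x.x.x network and `<DNS SERVER>` for whatever resolver the training clients should use.

```cisco
! Added example, not from the thread. Assumed values: 172.16.20.0/24 for the
! training network, 'training' as the nameif, <INSIDE NET>/<INSIDE MASK> for
! the redacted 10.x.x.x business network, <DNS SERVER> for a resolver.
!
! 1. Take Gi1/3 out of bridge-group 1 and make it a routed interface.
!    Changing the nameif drops the old inside_2 references (mtu, http,
!    obj_any2 NAT), so anything still wanted must be re-added for 'training'.
interface GigabitEthernet1/3
 no bridge-group 1
 nameif training
 security-level 50
 ip address 172.16.20.1 255.255.255.0
!
mtu training 1500
!
! 2. DHCP only on the training interface. Nothing is enabled on 'inside',
!    so the existing DHCP servers behind Gi1/2 keep serving Network 1.
!    The ASA hands out its own interface address as the default gateway.
dhcpd address 172.16.20.50-172.16.20.200 training
dhcpd dns <DNS SERVER> interface training
dhcpd lease 28800 interface training
dhcpd enable training
!
! 3. PAT the training subnet behind the outside address, like the obj_anyN
!    rules already do for the bridge-group members.
object network obj_training
 subnet 172.16.20.0 255.255.255.0
 nat (training,outside) dynamic interface
!
! 4. Isolation, training -> business. The deny goes before the permit-any,
!    and the ACL is applied inbound on the training interface.
access-list acl_training extended deny ip 172.16.20.0 255.255.255.0 <INSIDE NET> <INSIDE MASK>
access-list acl_training extended permit ip 172.16.20.0 255.255.255.0 any
access-group acl_training in interface training
!
! 5. Isolation, business -> training. Security-level 100 would otherwise
!    reach level 50 freely, so an explicit deny is inserted at the top of
!    the inside ACL that is already applied in the posted config.
access-list acl_in line 1 extended deny ip any 172.16.20.0 255.255.255.0
```

A few points on the design. Giving `training` a lower security level than `inside` means `same-security-traffic permit inter-interface` from the posted config no longer applies between the two, but the ACLs make the policy explicit in both directions rather than relying on levels. No `http ... training` line is added, so ASDM stays unreachable from the training side; if the ISP-managed 192.x.x.x equipment behind the `route inside` statement should also be off limits, add a matching deny to `acl_training` above the permit. To confirm the isolation after applying it, `show access-list acl_training` shows hit counts, and `packet-tracer input training icmp 172.16.20.10 8 0 <INSIDE HOST>` should end with a drop at the access-list phase.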
ASKER CERTIFIED SOLUTION
Don Johnston
Instructor