topic hi Cristian, in Network Security

Routing Vlans on ASA

philbert_manalo — Tue, 12 Mar 2019 08:03:42 GMT

Hi,

I want all my vlans access to the internet, unfortunately it failed. as i see i am having problem with my routing on the asa. what is the right command that i will use. my static route is "outside.any.any.public ip". thank you!

Regards,

Philbert

hi,

johnlloyd_13 — Tue, 26 Jul 2016 01:52:01 GMT

hi,

are you referring to static default route on the ASA?

the commands should be:

route outside 0.0.0.0 0.0.0.0 <ISP GW IP>

or the shorthand command:

route outside 0 0 <ISP GW IP>

And if DHCP dont forget the

Cristian Nilsson — Thu, 28 Jul 2016 11:32:17 GMT

And if DHCP dont forget the "set route"

interface Vlan20
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute

//Cristian

hi Cristian,

philbert_manalo — Fri, 29 Jul 2016 03:06:46 GMT

hi Cristian,

what if my DHCP is coming from the AD server? do i still need to setroute?

Regards,

Philbert

hi Johnlloyd,

philbert_manalo — Fri, 29 Jul 2016 03:08:20 GMT

hi Johnlloyd,

what if i have vlans?an they get their IP on the AD server

Regards,

Philbert

Hi,

Kasun Bandara — Fri, 29 Jul 2016 06:23:27 GMT

Hi, can you please send the configuration to check? basically, you should add default route to outside interface. and then, create a policy to enable traffic between those interfaces with ACL. Regards

The set-route command should

Cristian Nilsson — Fri, 29 Jul 2016 23:05:57 GMT

The set-route command should be applied on your OUTSIDE interface connected to ISP, but only if you get IP by DHCP from ISP.

If you have a static IP assigned to OUTSIDE interface you should use the command route OUTSIDE 0 0 x.x.x.x instead, where x.x.x.x is your IPS gateway.

Regards,

Cristian

Hi;

ahmedshoaib — Sat, 30 Jul 2016 10:44:03 GMT

Hi;

As I understand that you have multiple Vlan configure on your firewall and you want all vlan should get access to internet. To access the internet you need to do 2 things:

Configure default gateway: (which you already configured)

route outside 0 0 <ISP GW IP>

Configure the NAT for all the vlan, those you want to access the internet (i.e I took 2 vlan 10 & 20)

interface GigabitEthernet0/1.10

vlan 10

nameif Inside_vlan10

security-level 100

ip address 192.168.10.1 255.255.255.0

interface GigabitEthernet0/1.20

vlan 20

nameif Inside_vlan20

security-level 100

ip address 192.168.20.1 255.255.255.0

object network net-192.168.10

subnet 192.168.10.0 255.255.255.0

nat (Inside_vlan10,Outside) dynamic interface

object network net-192.168.20

subnet 192.168.20.0 255.255.255.0

nat (Inside_vlan20,Outside) dynamic interface

Thanks & Best regards;