topic Seb, in Network Security

ASA port question

JonRM1970 — Tue, 12 Mar 2019 06:56:35 GMT

I have an ASA 5510 running 9.1(2).

I am not entirely familiar with the ASA firewall, but know enough to be dangerous with it.

What I am looking for is some help on the syntax and proceedure to get a second subnet added into the device and working.

What I have:

ASA 5510 running two ports (Inside (ethe 0/1: local office 10.10.10.x sunbet, and Outside ethe 0/0: ISP to cloud, and

2 VPN tunnels 1. to PIX 501, and 2. to Data Center off-site)

PIX 501 (running to ISP on ethe0/0 and Development subnet ethe0/1 on 10.10.20.x, with one VPN to ASA 5510)

The PIX has a VPN tunnel to the ASA, which allows it to go to the data center and remain seperate fromt he office subnet.

I would like to take the PIX off line and add its subnet traffic to the ASA on one of the free ports if possible. The requirements I need are:

10.10.20.x stay seperate but still be able to get to the datacenter via the VPN tunnel on asa 5510.

10.10.10.x not change.

VPN to datacenter remain up and not changed.

I would like to add the PIX traffic to the ether 0/2 port. Any help and guidance would greatly be appreciated.

I have attached a diagram showing as much detail as I can. If more is needed I an continue via e-mail if needed.

-Jon

Hi Jon,

Seb Rupik — Wed, 25 Nov 2015 08:36:28 GMT

Hi Jon,

There is a lot of guess work in this config as we don't have you ASA config to go by...

!
interface Eth0/2
 switchport access vlan 20
!
interface Vlan20
 nameif old_pix_lan
 security-level 90
 ip address 10.10.20.254 255.255.255.0
!

...I've guessed that the PIX network was just a /24 so the gateway might be 10.10.20.254 ?

!
object network old_pix_network
 subnet 10.10.20.0 255.255.255.0
 description old_pix_network
!
object network dc_network
 subnet <dc_subnet_id> <dc_netmask>
!

...you never said what the DC subnet was.

!
access-list acl_l2l_dc extended permit ip 10.10.20.0 255.255.255.0 <dc_subnet_id> <dc_netmask>
!
nat (old_pix_lan,outside) source static old_pix_network old_pix_network destination static dc_network dc_network
!

...you will have an ACL confiured which is used by the crytpo map statement to connect to the DC. I've taken a wild guess and called it 'acl_l2l_dc'. This needs to be changed to match what is already configured!

The second is a NAT exemption rule, so you don't NAT the old_pix_network as it leaves eth0/0 and therefore is correctly identified by the above ACL. Of course, if NAT is done on your ISP modem for your entire network the you can leave it out.

Would be usefull to see your ASA config to fill in the blanks.

cheers,

Seb.

Seb,

JonRM1970 — Wed, 25 Nov 2015 14:55:05 GMT

Seb,

if you have an e-mail you would be willing to give me, I can give you a sanitized copy of all three configs. Did not want to post them here due to community boards.

-Jon

Seb,

JonRM1970 — Mon, 30 Nov 2015 20:22:29 GMT

Seb,

I sent an e-mail back with a problem that I ran into.

-Jon