5505 with 2 internal subnets with access to external (internet)

andrew.schulz1 — Tue, 12 Mar 2019 06:38:55 GMT

I have a 5505 that I want to create a second internal (trusted) LAN and provide it access to the internet. Config is below. Note VLAN7 is the network I want to allow to external internet.

ASA Version 8.0(4)
!
hostname NovFWL01
enable password 0D.bxnoHeg2V7AbW encrypted
passwd WuNclyuagDCHVEGC encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.20.1.1 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 50
ip address XXX.XXX.XXX.XXX 255.255.255.248
!
interface Vlan7
nameif test
security-level 100
ip address 10.100.0.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 7
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asdm-602.bin
ftp mode passive
access-list outside_in extended permit tcp any host XXX.XXX.XXX.XXX eq 8280
access-list inside_out extended permit ip host 10.20.1.10 any
access-list inside_out extended permit ip host 10.20.1.25 any
access-list inside_out extended permit ip host 10.20.1.33 any
access-list inside_out extended permit ip host 10.20.1.22 any
access-list inside_out extended permit ip host 10.20.1.44 any
access-list inside_out extended permit ip host 10.20.1.12 any
access-list inside_out extended permit tcp any host 10.20.1.11 eq www
access-list inside_out extended permit tcp any host 10.20.1.11 eq https
access-list inside_out extended permit tcp any any
access-list inside_out extended permit ip any any
access-list test_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu test 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (test) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
route DMZ 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 10.20.1.13 community X_snmp
snmp-server location XYZ
no snmp-server contact
snmp-server community X_snmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.20.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config test
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password LXR8sMpwIcYNd6ej encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:490df27da4bf36bfd654fbbf7bd15d5e
: end

Hi,The configuration should

Vibhor Amrodia — Fri, 25 Sep 2015 16:16:58 GMT

Hi,

The configuration should be fine. I think as you have this command "no forward interface Vlan1" so i am thinking that you don't have the Sec + license.

Check that once.

Thanks and Regards,

Vibhor Amrodia

Thank you for the reply

andrew.schulz1 — Fri, 25 Sep 2015 23:09:27 GMT

Thank you for the reply Vibhor. Yes, I checked the license and you are correct, I'm not running the Security + license. I should have checked that first.

Thanks.

topic Thank you for the reply in Network Security

5505 with 2 internal subnets with access to external (internet)

Hi,The configuration should

Thank you for the reply