topic Re: ASA 5512 configuration question? in Network Security

ASA 5512 configuration question?

unrealone1 — Tue, 12 Mar 2019 03:24:41 GMT

Hi all,

I need to setup a network enviroment, I have the following equipment: ASA 5512-X & 2960-S Series 48-Port

Couple of questions.

See the 4 networks below I want to setup as an example.

Can I set these 4 networks as seperate VLANs from a single Interface on the ASA5512 ?

Can each of these have it's own DHCP for each VLAN?

E.g

Network 1 VLAN100 DHCP 192.168.100.x

Network 2 VLAN200 DHCP 192.168.200.x

Network 3 VLAN300 DHCP 192.168.300.x

Network 4 VLAN400 DHCP 192.168.400.x

Re: ASA 5512 configuration question?

Jouni Forss — Fri, 03 Jan 2014 17:19:27 GMT

Hi,

Yes, you can configure a Trunk interface on the 2960 switch and ASA5512-X and configure subinterfaces on the ASA for each of the Vlans configured on the 2960.

You can also configure DHCP on the ASA for each of these interfaces. You can have a single DHCP Pool per interface and the DHCP pool maximum size is a /24 subnet.

If we were to presume that you have a blank ASA configuration you could do the following

Leave the actual physical interface without configurations unless you want to set the Duplex and Speed settings manually/staticly and perhaps set a description
Configure Subinterfaces for each of the Vlans you need

Configurations might for example look like this

interface GigabitEthernet0/1

description LAN Trunk

interface GigabitEthernet0/1.100

vlan 100

description Network 1

nameif LAN-1

security-level 100

ip address 192.168.10.1 255.255.255.0

interface GigabitEthernet0/1.200

vlan 200

description Network 2

nameif LAN-2

security-level 100

ip address 192.168.20.1 255.255.255.0

interface GigabitEthernet0/1.300

vlan 300

description Network 3

nameif LAN-3

security-level 100

ip address 192.168.30.1 255.255.255.0

interface GigabitEthernet0/1.400

vlan 400

description Network 4

nameif LAN-4

security-level 100

ip address 192.168.40.1 255.255.255.0

Hope this helps

- Jouni

Re: ASA 5512 configuration question?

unrealone1 — Fri, 03 Jan 2014 17:57:16 GMT

That's excellent many thanks Jouni. One other question.....

I have an Outside interface WAN on the ASA which I would like to plug my 25mb up and down link into.

Is it possible to say throttle bandwidth, e.g. 15mb for vlan100 and then 5mb for vlan 200,300 & 400 ?

Re: ASA 5512 configuration question?

Jouni Forss — Fri, 03 Jan 2014 18:43:53 GMT

Hi,

To be honest I have not configured these on the ASA

But seems to me that the general format of the configuration might be something like this

access-list LAN-1-BANDWITH remark NO RESTRICTION FOR INTERNAL TRAFFIC

access-list LAN-1-BANDWITH deny ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list LAN-1-BANDWITH deny ip 192.168.0.0 255.255.0.0 192.168.10.0 255.255.255.0

access-list LAN-1-BANDWITH remark RESTRICTION FOR EXTERNAL TRAFFIC

access-list LAN-1-BANDWITH permit ip 192.168.10.0 255.255.255.0 any

access-list LAN-1-BANDWITH permit ip any 192.168.10.0 255.255.255.0

class-map LAN-1-BANDWITH

match access-list LAN-1-BANDWITH

policy-map global_policy

class LAN-BANDWITH

police input 15000000

police output 15000000

The above presumes that you have the default "policy-map global_policy" existing in the configuration and attached globally with the command

service-policy global_policy global

Maybe you can test it out. I am not sure if the "deny" statements would help you avoid having this limiation between your different LAN networks. My initial test seemed to indicate it worked.

I am not sure how you should do the limiting for the other Vlans. Maybe a combined limit for them or one of the above for each of the Vlans.

Hope this helps

Let me know if it works and remember to mark a reply as the correct answer if it answered your question.

- Jouni