Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1308
Views
0
Helpful
10
Replies

ASA 5505 and LAN to LAN routing

MarcinChameleon
Level 1
Level 1

‎01-06-2012 05:30 AM - edited ‎03-11-2019 03:11 PM

Hi,

I am just about to buy ASA 5505. I need outside interface with Public interface that can NAT to two internal (priv)( networks.

Can I have two inside interfaces, like192.168.1.0 and 10.2.0.0 that can talk to each other??

Can I do it without vlans? Reason why, I would need to reconfog my current switches.

On cisco web they saying that:

"With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN" - but I need two inside netwroks be able talk to each other.

Please help. TIA to all.

Marcin.

Labels:
0 Helpful
10 Replies 10

varrao
Level 10
Level 10

‎01-06-2012 07:43 AM

Hi Marcin,

With the base license on the ASA 5505 you would have restricted license on the box, whihc means you can only initiate traffic from Inside 1 to outside n from Inside1 to Inside 2 but not vice versa. If you would complete inter-vlan routing then you would need the security plus license for it. You can chcek your license by using the command:

show version

This would tell you whether it is base or security plus.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

MarcinChameleon
Level 1
Level 1
In response to varrao

‎01-06-2012 08:11 AM

Thanks for reply Varun.

I ordered Security Plus today.

I need to have tunnels to both inside interfaces, and also internal traffic 192.168.1.0 to 10.2.0.0 and vice - versa.

Do you know if I can have more than 1 IPSEC VPN tunnel?

0 Helpful

varrao
Level 10
Level 10
In response to MarcinChameleon

‎01-06-2012 08:36 AM

Hi Marcin,

Yes you can definitely do that, here's a license guide for ASA 5505:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/license/license82.html#wp190062

Hope that helps,

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

MarcinChameleon
Level 1
Level 1
In response to varrao

‎01-06-2012 09:00 AM

Great.

Last two questions:

1. Do I need to create vlan on my switchto make it working or is there a way to make vlans transparent, so switch can stay how it is?

2. Can I you ASDM as web gui for that? if yes, where I can downloaded or does software come with the hardware?

Thank you.

0 Helpful

varrao
Level 10
Level 10
In response to MarcinChameleon

‎01-06-2012 09:17 AM

On ASA 5505, you definitely need to create Vlan instead of physical interfaces, since there is a switch module in the ASA 5505, here is a sample config on how to configure it:

interface Ethernet0/2

switchport access vlan 60

interface Vlan60

nameif Outside

security-level 100

ip address 192.168.226.1 255.255.255.0

2nd Question:

Yes you can definitely use the GUI for it, here's the guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/about.html

and here's the download link:

http://www.cisco.com/cisco/psn/software/release.html?mdfid=279916854&flowid=4373&softwareid=280775065

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

MarcinChameleon
Level 1
Level 1
In response to varrao

‎01-06-2012 09:32 AM

I thought for Outside interface security should be 0, and for inside interfaces security level 100?

But if I will configure ASA with vlans, do I need to reconfigure my current switch to handle traffic or inter-vlan traffic will be done on ASA level?

0 Helpful

varrao
Level 10
Level 10
In response to MarcinChameleon

‎01-06-2012 09:40 AM

Hi Marcin,

that completely depends upon your topology and the configuration, if you have a trunk configured on the switch then the ASA interface would also be a trunk port and the configuration would be the same as the switch. The inter-vlan routing can be done on the ASA itself with the help of nats, ACL n routes.

N plz ignore the security-level, thats a mistake, Outside is indeed 0, by default

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

MarcinChameleon
Level 1
Level 1
In response to varrao

‎01-07-2012 08:00 AM

Hi,

Switch does not have any vlan configured. Watchguard x1000 which I am replacing had 1 WAN and 2 LAN interfaces (192.168.x.x and 10.2.0.x) Basically watchguard did all routing hence no vlans needed.

So having switch without vlans configured, what's the best fo ASA configuration so traffic goes both ways between both LANs?

TIA

Marcin.

0 Helpful

varrao
Level 10
Level 10
In response to MarcinChameleon

‎01-07-2012 08:31 AM

Hi Marcin,

If you are using only 3 interfaces on the ASA then you can just connect those 3 to the watchgaurd or the switch, whatever device you have upstream and downstream on the ASA, just treat them as normal interfaces going into the other devices. It should'nt be an issue.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

MarcinChameleon
Level 1
Level 1
In response to varrao

‎01-07-2012 02:50 PM

Hi,

But I want to replace watchguard with ASA, becasue Watchguard went mental

So on ASA I will have WAN interface (pulic IP) and two LAN interfaces with diffrent ranges of IPs as metioned before.

So you are saying no vlan configuration is needed???

Tahnks

Marcin

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card