asa 5505 inter vlan routing
02-26-2015 08:50 AM - edited 03-11-2019 10:33 PM
Hello,
We are running out of IPs. I created a superscope on our Microsoft DHCP server, 192.168.1.0-192.168.3.254.
We have an ASA 5505 (no router) and L2 Cisco switches (SG300).
Clients get proper IPs from DHCP, but cannot communicate between subnets.
I can ping out to 8.8.8.8, but not with a qualified name.
Can this be done with L2 devices?
I have one VLAN on the ASA and switches.
Do I need to create VLAN 2 for the other subnets?
Do I need a network object on the ASA for each subnet?
Static route from net obj to gateway?
This is a 24/7 environment, very difficult to test live.
Thanks very much
Labels: NGFW Firewalls
02-26-2015 07:42 PM
What is your current gateway device? Is it the ASA?
You can't do this solely at layer 2; you will need to configure an additional VLAN on your access switches and the ASA.
Can you post your ASA config? It will make it easier to provide a solution :)
02-27-2015 12:21 PM
OK, thanks a lot.
ASA Version 7.2(4)
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.252.0
!
interface Vlan2
nameif outside
security-level 0
ip address 255.255.255.248
!
interface Vlan12
no forward interface Vlan1
nameif dmz
security-level 90
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name eagleindinc.local
same-security-traffic permit intra-interface
object-group service mailserver tcp
port-object eq 3389
port-object eq www
port-object eq https
port-object eq imap4
port-object eq smtp
object-group service ftpserver tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group network MXtoolbox
network-object 208.123.79.0 255.255.255.0
network-object 64.18.0.0 255.255.240.0
network-object 70.90.41.0 255.255.255.0
object-group service SolarSoft tcp-udp
description udp397
port-object eq 397
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group service UDP397 udp
description SolarSofts UDP
port-object eq 397
object-group service tcp397 tcp
description SolarSofts 397 port
port-object eq 397
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object udp
protocol-object tcp
object-group network BH
network-object host BlockedHoste
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object udp
protocol-object tcp
access-list outside_access_in extended deny object-group DM_INLINE_PROTOCOL_3 host any
access-list outside_access_in extended deny ip host any
access-list outside_access_in extended deny ip host any
access-list outside_access_in extended deny ip host any
access-list outside_access_in extended permit tcp any host eq smtp
access-list outside_access_in extended permit tcp any host object-group mailserver
access-list outside_access_in extended permit icmp host any
access-list outside_access_in extended permit tcp host host object-group tcp397
access-list outside_access_in extended permit udp host host object-group UDP397
access-list outside_access_in extended permit tcp any host object-group ftpserver
access-list outside_access_in extended permit tcp any host eq https
access-list outside_access_in remark testing incomming from mark c
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host any
access-list outside_access_in remark Dale Showers Home connection
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host any inactive
access-list remoteusers_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list edi extended permit ip host 192.168.1.123 any
access-list edi extended permit ip any host 192.168.1.123
access-list inside_access_in extended deny object-group DM_INLINE_PROTOCOL_4 object-group BH any
access-list inside_access_in extended deny tcp any host eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn 192.168.15.0-192.168.15.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.1.12 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.116 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.12 https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.1.116 imap4 netmask 255.255.255.255
static (inside,outside) 192.168.1.149 netmask 255.255.255.255
static (inside,outside) 192.168.1.159 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.254.0 255.255.255.0 192.168.1.1 1
route outside 0.0.0.0 0.0.0.0 207.243.48.25 1
timeout xlate 15:00:00
timeout conn 15:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 192.168.1.3
timeout 5
nt-auth-domain-controller AD1
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment timeout 15 inside
fragment timeout 15 outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.10.10.50-10.10.10.55 dmz
dhcpd dns 10.10.10.11 interface dmz
dhcpd option 3 ip 10.10.10.1 interface dmz
dhcpd enable dmz
!
priority-queue outside
ntp server prefer
group-policy remoteusers internal
group-policy remoteusers attributes
dns-server value 192.168.1.3 192.168.1.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remoteusers_splitTunnelAcl
default-domain value eagleindinc.local
username
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
address-pool vpn
authentication-server-group ActiveDirectory LOCAL
default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
pre-shared-key
!
class-map edi_traffic
match access-list edi
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map QoS_policy
class edi_traffic
priority
!
service-policy global_policy global
service-policy QoS_policy interface outside
02-27-2015 06:02 PM
Hi,
Looking through the config, I'm guessing the 192.168.0.0/22 (VLAN 1) subnet is the one that's currently running out of address space and you need to configure the next subnet on a new VLAN?
Switch Config:
You will need to define the new VLAN on your switches (VLAN 3) and configure the access ports on the switches as trunk ports.
ASA Config:
Change the ASA access ports (connecting to your switches) into trunk ports:
int e0/0
 switchport mode trunk
 switchport trunk encapsulation dot1q
int e0/1
 switchport mode trunk
 switchport trunk encapsulation dot1q
Define the new VLAN on the ASA:
interface vlan 3
 nameif inside2
 security-level 100
 ip address 192.168.7.254 255.255.252.0 (I have defined the last available address in the subnet, but you can change this to match your DHCP scope gateway address)
Permit communications between the two interfaces:
same-security-traffic permit inter-interface (this won't bypass any ACLs you create on those interfaces)
NAT:
nat (inside2) 1 0.0.0.0 0.0.0.0
DHCP:
If your DHCP server does not have an interface in the new subnet, you will need to configure a DHCP relay.
dhcprelay server <dhcp ip address> <inside or dmz interface, whichever interface your DHCP server sits on>
dhcprelay enable inside2
dhcprelay setroute inside2
dhcprelay timeout 60
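The steps in the reply above, assembled into one change set against the addresses visible in the posted config. This is an added example, not configuration from the thread or from Cisco. It assumes a Security Plus license on the 5505 (trunk ports and a fourth VLAN; the posted config already has three VLANs, with Vlan12 carrying `no forward interface Vlan1`), VLAN 3 numbered 192.168.4.0/22 with the ASA at 192.168.7.254 as in the reply, and that the Microsoft DHCP server is 192.168.1.3 (the address the config uses for the AD server and VPN DNS; its real address is an assumption). Two observations from the posted config drive the port and NAT choices: e0/0 and e0/1 are in VLAN 2 (outside), so the switch uplinks are assumed to be on e0/2 and e0/3, which sit in VLAN 1 by default; and `nat-control` is on, so the new interface gets both PAT and explicit NAT exemptions rather than relying on the same-security exemption. The inside interface is already 192.168.1.254/22, so the superscope range 192.168.1.0-192.168.3.254 is within one subnet from the ASA's point of view; confirm the DHCP scopes hand out a /22 mask and 192.168.1.254 as gateway before assuming the new VLAN is what fixes the current symptom. Interface name, ACL names and SG300 port numbers are illustrative.

```cisco
! ===== ASA 5505, 7.2(4), Security Plus assumed =====
! Uplinks to the SG300s assumed on e0/2 and e0/3 (VLAN 1 by default).
! e0/0 and e0/1 are the outside ports in the posted config; leave them alone.
interface Ethernet0/2
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,3
 no shutdown
interface Ethernet0/3
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,3
 no shutdown
!
! New routed subnet 192.168.4.0/22, gateway 192.168.7.254 (the reply's choice).
interface Vlan3
 nameif inside2
 security-level 100
 ip address 192.168.7.254 255.255.252.0
 no shutdown
!
! inside and inside2 are both security-level 100; without this they cannot talk.
same-security-traffic permit inter-interface
!
! Least privilege: inside2 gets its own ACL instead of the bare same-security permit.
! Reuses the BH blocklist object the posted inside_access_in already denies.
access-list inside2_access_in extended deny object-group DM_INLINE_PROTOCOL_4 object-group BH any
access-list inside2_access_in extended permit ip any any
access-group inside2_access_in in interface inside2
!
! nat-control is enabled: inside2 needs a NAT rule or its flows are dropped.
! PAT to the outside address, same pool id as inside.
nat (inside2) 1 0.0.0.0 0.0.0.0
! Explicit NAT exemption for inside2 <-> inside, VPN pool and DMZ (mirrors inside_nat0_outbound).
access-list inside2_nat0_outbound extended permit ip 192.168.4.0 255.255.252.0 192.168.0.0 255.255.252.0
access-list inside2_nat0_outbound extended permit ip 192.168.4.0 255.255.252.0 192.168.15.0 255.255.255.0
access-list inside2_nat0_outbound extended permit ip 192.168.4.0 255.255.252.0 10.10.10.0 255.255.255.0
nat (inside2) 0 access-list inside2_nat0_outbound
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 192.168.4.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.4.0 255.255.252.0
! Remote VPN users should reach the new subnet through the tunnel as well.
access-list remoteusers_splitTunnelAcl standard permit 192.168.4.0 255.255.252.0
!
! DHCP relay to the Microsoft DHCP server on inside (address 192.168.1.3 assumed).
! Caveat: in 7.x the relay agent and the dhcpd server are mutually exclusive on one ASA,
! and the posted config has "dhcpd enable dmz". Check "show dhcprelay state" after enabling.
dhcprelay server 192.168.1.3 inside
dhcprelay enable inside2
dhcprelay setroute inside2
dhcprelay timeout 60
!
! Management stays inside-only (ssh/http/telnet lines unchanged) unless you add inside2 deliberately.
write memory

! ===== SG300 in Layer 2 mode (assumption: gi1 is the uplink to the ASA, gi13-24 become VLAN 3) =====
! Only the uplink needs to be a trunk; client ports stay access ports in one VLAN.
configure
vlan database
 vlan 3
 exit
interface gi1
 switchport mode trunk
 switchport trunk allowed vlan add 3
 exit
interface range gi13-24
 switchport mode access
 switchport access vlan 3
 exit
```

Verification after the change: `show switch vlan` on the ASA should list VLAN 3 on e0/2 and e0/3, `show interface ip brief` should show Vlan3 up, and a client on a VLAN 3 access port should receive a 192.168.4.0/22 lease via the relay and resolve names against the DNS server on inside.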
03-01-2015 02:00 AM
Your issue is that you are running the Base license on the ASA, so creating however many VLANs on the L2 switch will not help in routing between the subnets, as you would need a device to do the routing, in this case the ASA.
Without the Security Plus license you will not be able to have more than 3 active VLANs and you will not be able to create trunk ports, and the third VLAN will only be able to communicate with one other VLAN.
So unless you put a router between your ASA and the inside network, you will need to upgrade to the Security Plus license.
--
Please remember to select a correct answer and rate helpful posts
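Before attempting any of the VLAN or trunk work, the license and the current VLAN layout can be confirmed from the CLI, and on a 24/7 box the change can be wrapped in a timed rollback. Added example, not from the thread; the 15-minute timer and the command grouping are choices for illustration.

```cisco
! 1. What does the license allow? On the 5505, show version reports
!    Base:          "VLANs : 3, DMZ Restricted"   and "VLAN Trunk Ports : 0"
!    Security Plus: "VLANs : 20, DMZ Unrestricted" and "VLAN Trunk Ports : 8"
show version | include VLAN
show activation-key
!
! 2. The posted config already uses the Base-license pattern: the third VLAN
!    (Vlan12) carries "no forward interface Vlan1". Confirm which VLANs exist
!    and which one is the restricted one.
show running-config interface | include Vlan|forward
show switch vlan
!
! 3. Change window on a 24/7 firewall: save the known-good config, schedule a
!    reload back to it, apply the change, test, and cancel the reload if all is well.
!    A reload drops every session and VPN tunnel, so the timer is the last resort,
!    not the plan; size it to how long the test takes.
write memory
reload in 15 noconfirm
configure terminal
 ! (apply the VLAN / trunk / NAT / relay changes here)
 end
show interface ip brief
show switch vlan
show dhcprelay state
! ping and name resolution from a client in the new VLAN go here
reload cancel
write memory
```

If step 1 shows the Base line, stop: the fourth VLAN and the trunk commands will be rejected, which is the point the reply above makes, and a router (or the license upgrade) is needed before anything in the earlier reply applies.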