12-14-2010 06:44 AM - edited 03-11-2019 12:22 PM
Hello,
If anyone out there with ASA 5505 Security Plus VLAN experience would help me out, I’d really appreciate it. I’m attempting to plan an implementation on a production 5505, but I don’t have the Security Plus license to try things out in a test lab setting, so I have no idea if these commands will work as intended until I get onsite and try them. I have not done a configuration like this one before, and I have not found a similar example.
This particular ASA is running 8.2(3) and ASDM 6.34-53. From what I have learned, because the 5505s have built-in switches and don’t provide subinterfaces, they are configured differently with regard to VLANs than higher level firewalls and routers and switches.
The new requirements for the 5505 (already in production) are to implement two Cisco 1142N Access Points in Autonomous Mode on the two ASA PoE ports. Each AP will have two SSIDs and two VLANs. One SSID/VLAN combination will only be allowed to access the ASA outside interface; the other combination will be allowed to access both the inside and outside ASA interfaces.
The AP configurations are identical other than a unique ip address. In other words, one SSID is for employees and the other is for the public. Wireless clients connecting to the APs will hopefully get their ip setup from the dhcp server on the ASA. Private addresses will be handed out to all wireless clients, including those with access to internal networks.
This approach relies on no-forward interface and access lists for security since, as I understand it, you need the same-security traffic to pass inter-interface. Access lists and NAT are not shown since I’m not that far along yet (just trying to validate the basics here). Since I don’t have a 5505 with a Security Plus license, all I can do is write out the commands as I would try them.
Thanks in advance for taking the time to look this over and comment.
VLAN Use
10 Native AP
20 Access Inside and Outside
30 Access Outside only
interface Vlan1
no forward interface Vlan30
nameif inside
security-level 100
ip address 192.168.75.253 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 75.x.x.x 255.255.255.252
interface Vlan10
nameif trunk
security-level 100
ip address 10.10.10.253 255.255.255.0
interface Vlan20
no forward interface Vlan30
nameif wired_pri
security-level 100
ip address 10.20.20.253 255.255.255.0
interface Vlan30
no forward interface Vlan1
no forward interface Vlan20
nameif wired_pub
security-level 100
ip address 10.30.30.253 255.255.255.0
interface Ethernet0/0
description *** Internet Connection ***
switchport access vlan 2
switchport access vlan 20
switchport access vlan 30
interface Ethernet0/1
description *** LAN Connection ***
switchport access vlan 1
switchport access vlan 20
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
description *** AP1 Connection ***
switchport mode trunk
switchport encapsulation dot1q
switchport access vlan 10
switchport trunk allowed vlan 20,30
interface Ethernet0/7
description *** AP2 Connection ***
switchport mode trunk
switchport encapsulation dot1q
switchport access vlan 10
switchport trunk allowed vlan 20,30
same-security-traffic permit inter-interface
dhcpd address 10.20.20.20-10.20.20.50 wired_pri
dhcpd dns 208.67.222.222 208.67.220.220 interface wired_pri
dhcpd domain 4-c.org interface wired_pri
dhcpd enable wired_pri
dhcpd address 10.30.30.30-10.30.30.50 wired_pub
dhcpd dns 208.67.222.222 208.67.220.220 interface wired_pub
dhcpd domain 4-c.org interface wired_pub
dhcpd enable wired_pub
12-14-2010 07:47 AM
Hello,
The configuration is close but not quite right. The main issues are that a) a port can only be a trunk port or an access port, not both; b) an access port can only carry 1 VLAN.
For example, if Ethernet0/1 is going to carry traffic for both VLAN 10 and VLAN 20, you would configure it as a trunk port:
interface Ethernet0/1
switchport trunk allowed vlan 10,20
switchport mode trunk
With this configuration, you need to make sure the switch connected to e0/1 is using 802.1q to tag packets with their appropriate VLAN. Then, you would configure VLANs 10 and 20 as individual interfaces that will have different security policies applied:
interface Vlan10
nameif inside
security-level 100
ip address x.x.x.x y.y.y.y
!
interface Vlan20
nameif wifi
security-level 90
ip address a.a.a.a b.b.b.b
For ports that will carry only a single VLAN, you'll set those up as access ports:
interface Ethernet0/0
switchport access vlan 2
Packets coming in e0/0 should not be tagged with any VLAN header. You would then configure the VLAN 2 interface to apply the security policies:
interface Vlan2
nameif outside
security-level 0
ip address c.c.c.c d.d.d.d
Here is a link that describes this setup process in depth, which should help you figure out what you want to do with the configuration:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1072137
Hope that helps.
-Mike
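The two rules in Mike's answer (a port is either a trunk or an access port, and an access port carries exactly one VLAN) are easy to check mechanically before a configuration goes onto a production 5505. The following is an added example, not part of either post and not a Cisco tool: a small Python linter that parses the Ethernet stanzas from the original question (embedded here as constructed sample input, copied from the post), flags every port that breaks one of the two rules, and, for a port that lists several access VLANs, emits the trunk stanza in the shape Mike shows. The function names and the finding messages are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the Ethernet stanzas from the original question, verbatim.
SAMPLE_CONFIG = """
interface Ethernet0/0
description *** Internet Connection ***
switchport access vlan 2
switchport access vlan 20
switchport access vlan 30
interface Ethernet0/1
description *** LAN Connection ***
switchport access vlan 1
switchport access vlan 20
interface Ethernet0/2
interface Ethernet0/6
description *** AP1 Connection ***
switchport mode trunk
switchport encapsulation dot1q
switchport access vlan 10
switchport trunk allowed vlan 20,30
interface Ethernet0/7
description *** AP2 Connection ***
switchport mode trunk
switchport encapsulation dot1q
switchport access vlan 10
switchport trunk allowed vlan 20,30
"""


def parse_ports(config_text):
    """Group the switchport lines of each 'interface EthernetX/Y' stanza."""
    ports = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("interface "):
            m = re.match(r"interface\s+(Ethernet\S+)$", line, re.I)
            # Vlan and other interface stanzas are not switch ports; skip them.
            current = m.group(1) if m else None
            if current:
                ports[current] = {"mode": None, "access_vlans": [], "trunk_vlans": []}
            continue
        if current is None:
            continue
        p = ports[current]
        m = re.match(r"switchport mode (access|trunk)$", line)
        if m:
            p["mode"] = m.group(1)
            continue
        m = re.match(r"switchport access vlan (\d+)$", line)
        if m:
            p["access_vlans"].append(int(m.group(1)))
            continue
        m = re.match(r"switchport trunk allowed vlan ([\d,]+)$", line)
        if m:
            p["trunk_vlans"].extend(int(v) for v in m.group(1).split(","))
    return ports


def lint_ports(ports):
    """Return {port: [findings]} for every port that violates rule a) or b)."""
    findings = defaultdict(list)
    for name, p in ports.items():
        # Rule b: an access port carries a single VLAN, so several
        # 'switchport access vlan' lines cannot all take effect.
        if len(p["access_vlans"]) > 1:
            findings[name].append(
                f"lists {len(p['access_vlans'])} access VLANs {p['access_vlans']}; "
                "an access port carries only one, use a trunk instead")
        # Rule a: a port is a trunk or an access port, never both.
        if p["mode"] == "trunk" and p["access_vlans"]:
            findings[name].append(
                f"'switchport mode trunk' conflicts with "
                f"'switchport access vlan {p['access_vlans'][-1]}'")
    return dict(findings)


def suggest_trunk(name, port):
    """Trunk stanza carrying every VLAN the port tried to assign as access."""
    vlans = ",".join(str(v) for v in port["access_vlans"])
    return [f"interface {name}",
            f"switchport trunk allowed vlan {vlans}",
            "switchport mode trunk"]


if __name__ == "__main__":
    ports = parse_ports(SAMPLE_CONFIG)
    for name, msgs in lint_ports(ports).items():
        for msg in msgs:
            print(f"{name}: {msg}")
        if len(ports[name]["access_vlans"]) > 1:
            print("  suggested:", " / ".join(suggest_trunk(name, ports[name])))
```

Running it against the question's stanzas reports Ethernet0/0 and Ethernet0/1 under rule b) and Ethernet0/6 and Ethernet0/7 under rule a), while Ethernet0/2 passes; the same parser can be pointed at the output of `show running-config` before a change window.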
12-14-2010 08:00 AM
Thanks very much for your detailed response and the link you provided. I really appreciate your clarifying this for me. It helps a lot.