Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
851
Views
0
Helpful
2
Replies

ASA 5505 Security Plus VLAN Sanity Check

Go to solution
lcaruso
Level 6
Level 6

‎12-14-2010 06:44 AM - edited ‎03-11-2019 12:22 PM

Hello,

If anyone out there with ASA 5505 Security Plus VLAN experience would help me out, I’d really appreciate it. I’m attempting to plan an implementation on a production 5505, but I don’t have the Security Plus license to try things out in a test lab setting, so I have no idea if these commands will work as intended until I get onsite and try them. I have not done a configuration like this one before, and I have not found a similar example.

This particular ASA is running 8.2(3) and ASDM 6.34-53. From what I have learned, because the 5505s have built-in switches and don’t provide subinterfaces, they are configured differently with regard to VLANs than higher level firewalls and routers and switches.

The new requirements for the 5505 (already in production) are to implement two Cisco 1142N Access Points in Autonomous Mode on the two ASA PoE ports. Each AP will have two SSIDs and two VLANs. One SSID/VLAN combination will only be allowed to access the ASA outside interface; the other combination will be allowed to access both the inside and outside ASA interfaces.

The AP configurations are identical other than a unique ip address. In other words, one SSID is for employees and the other is for the public. Wireless clients connecting to the APs will hopefully get their ip setup from the dhcp server on the ASA. Private addresses will be handed out to all wireless clients, including those with access to internal networks.

This approach relies on no-forward interface and access lists for security since, as I understand it, you need the same-security traffic to pass inter-interface. Access lists and NAT are not shown since I’m not that far along yet (just trying to validate the basics here). Since I don’t have a 5505 with a Security Plus license, all I can do is write out the commands as I would try them.

Thanks in advance for taking the time to look this over and comment.

VLAN     Use

10           Native AP

20           Access Inside and Outside

30           Access Outside only

interface Vlan1

no forward interface Vlan30

nameif inside

security-level 100

ip address 192.168.75.253 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 75.x.x.x 255.255.255.252

interface Vlan10

nameif trunk

security-level 100

ip address 10.10.10.253 255.255.255.0

interface Vlan20

no forward interface Vlan30

nameif wired_pri

security-level 100

ip address 10.20.20.253 255.255.255.0

interface Vlan30

no forward interface Vlan1

no forward interface Vlan20

nameif wired_pub

security-level 100

ip address 10.30.30.253 255.255.255.0

interface Ethernet0/0

description *** Internet Connection ***

switchport access vlan 2

switchport access vlan 20

switchport access vlan 30

interface Ethernet0/1

description *** LAN Connection ***

switchport access vlan 1

switchport access vlan 20

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

description *** AP1 Connection ***

switchport mode trunk

switchport encapsulation dot1q

switchport access vlan 10

switchport trunk allowed vlan 20,30

interface Ethernet0/7

description *** AP2 Connection ***

switchport mode trunk

switchport encapsulation dot1q

switchport access vlan 10

switchport trunk allowed vlan 20,30

same-security-traffic permit inter-interface

dhcpd address 10.20.20.20-10.20.20.50 wired_pri

dhcpd dns 208.67.222.222 208.67.220.220 interface wired_pri

dhcpd domain 4-c.org interface wired_pri

dhcpd enable wired_pri

dhcpd address 10.30.30.30-10.30.30.50 wired_pub

dhcpd dns 208.67.222.222 208.67.220.220 interface wired_pub

dhcpd domain 4-c.org interface wired_pub

dhcpd enable wired_pub

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mirober2
Cisco Employee
Cisco Employee

‎12-14-2010 07:47 AM

Hello,

The configuration is close but not quite right. The main issues are that a) a port can only be a trunk port or an access port, not both; b) an access port can only carry 1 VLAN

For example, if Ethernet0/1 is going to carry traffic for both VLAN 10 and VLAN 20, you would configure it as a trunk port:

interface Ethernet0/1
   switchport trunk allowed vlan 10,20
   switchport mode trunk

With this configuration, you need to make sure the switch connected to e0/1 is using 802.1q to tag packets with their appropriate VLAN. Then, you would configure VLANs 10 and 20 as individual interfaces that will have different security policies applied:

interface Vlan10
    nameif inside
    security-level 100
    ip address x.x.x.x y.y.y.y
!
interface Vlan20
     nameif wifi
     security-level 90
     ip address a.a.a.a b.b.b.b

For ports that will carry only a single VLAN, you'll set those up as access ports:

interface Ethernet0/0
    switchport access vlan 2

Packets coming in e0/0 should not be tagged with any VLAN header. You would then configure the VLAN 2 interface to apply the security policies:

interface Vlan2
    nameif outside
    security-level 0
    ip address c.c.c.c d.d.d.d

Here is a link that describes this setup process in depth, which should help you figure out what you want to do with the configuration:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1072137

Hope that helps.

-Mike

View solution in original post

0 Helpful
2 Replies 2

Go to solution
mirober2
Cisco Employee
Cisco Employee

‎12-14-2010 07:47 AM

Hello,

The configuration is close but not quite right. The main issues are that a) a port can only be a trunk port or an access port, not both; b) an access port can only carry 1 VLAN

For example, if Ethernet0/1 is going to carry traffic for both VLAN 10 and VLAN 20, you would configure it as a trunk port:

interface Ethernet0/1
   switchport trunk allowed vlan 10,20
   switchport mode trunk

With this configuration, you need to make sure the switch connected to e0/1 is using 802.1q to tag packets with their appropriate VLAN. Then, you would configure VLANs 10 and 20 as individual interfaces that will have different security policies applied:

interface Vlan10
    nameif inside
    security-level 100
    ip address x.x.x.x y.y.y.y
!
interface Vlan20
     nameif wifi
     security-level 90
     ip address a.a.a.a b.b.b.b

For ports that will carry only a single VLAN, you'll set those up as access ports:

interface Ethernet0/0
    switchport access vlan 2

Packets coming in e0/0 should not be tagged with any VLAN header. You would then configure the VLAN 2 interface to apply the security policies:

interface Vlan2
    nameif outside
    security-level 0
    ip address c.c.c.c d.d.d.d

Here is a link that describes this setup process in depth, which should help you figure out what you want to do with the configuration:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1072137

Hope that helps.

-Mike

0 Helpful

Go to solution
lcaruso
Level 6
Level 6
In response to mirober2

‎12-14-2010 08:00 AM

Thanks very much for your detailed response and the link you provided. I really appreciate your clarifying this for me. It helps a lot.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card