ASA 5510 Connected to MPLS and LAN via 6506-E Core Switch

mscha2000
Level 1

I am attempting to install an ASA 5510 at my HQ. Our MPLS network is provided by our ISP and the routers are managed by them. They will be working with me to add the needed routes to the routers. I am using version 8.4.1. That said, here is my challenge:

I am connecting the MPLS routers and WAAS device to my core switch (which also performs inter-VLAN routing) in VLAN 2. There are 3 connections needed for the MPLS equipment and they are all in VLAN 2 on my core switch. The firewall (ASA 5510 with Security Plus licensing) also has an interface (outside) in VLAN 2.

interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.1
 vlan 2
 nameif outside
 security-level 0
 ip address 192.168.9.2 255.255.255.240

In VLAN 1 (the native VLAN) I have 1 physical interface from the firewall (connected to the core switch interface, which I have made a trunk port with all VLANs allowed) with subinterfaces as follows:

interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 192.168.5.8 255.255.254.0
!
interface Ethernet0/1.2
 vlan 10
 nameif inside2
 security-level 100
 ip address 192.168.6.2 255.255.255.0

(On the shutdown of the physical interface: there is some debate as to whether this needs to be shut or not, and whether it needs to be named and have a security level and an IP; TAC said yes and no with 2 different techs. VLAN 1 is for all hosts and has a range of 4.1 - 5.254; I changed the IPs here because I'm paranoid.)

There are 2 other VLANs also, but they are similar in config and do not have weight here. I can ask my question without the specifics on them.

For now, I do not want to disturb the traffic; I only want it to traverse the firewall first, then I will get more restrictive once I have a large enough sample of data to determine what should be allowed, etc.

As it stands right now the core switch has a default gateway of the HSRP address of the MPLS routers. This will change to the firewall's inside IP; then in turn the firewall will have a default gateway/default route to the MPLS. With this config I am hoping to pass outbound traffic from the LAN to the MPLS through the firewall, and then inbound traffic from the MPLS to the LAN through the firewall. All LAN hosts have the core switch VLAN 1 as their default gateway, but I'm thinking it would be best to change to the firewall (not sure this is necessary).

I have all VLANs that need to reach each other in the same security level (100) and allowed on the trunk port of the core switch where the firewall's inside interface is connected, as stated before. Here are some of the routes (again I changed the IPs but this should give the idea):

route outside 0.0.0.0 0.0.0.0 192.168.9.1 1

route inside 192.168.4.0 255.255.254.0 192.168.5.6 1

route inside2 192.168.6.0 255.255.255.0 192.168.6.1 1

So, here are my issues (please keep in mind this is 8.4.1 and I'm using the CLI as I'm old school):

A) Is the default gateway / default route / static route schema I am envisioning the best way to achieve this?

B) Do I need NAT/PAT statements for any of the VLANs to communicate? (Servers are in VLAN 1 and printers/VoIP phones are in different VLANs but obviously need to communicate with the servers.)

C) If translation is needed, is the below valid:

same-security-traffic permit inter-interface

object network obj-192.0.0.0
 subnet 192.0.0.0 255.0.0.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0

(Use your imagination; I'm trying to align with the rest of my examples above.)

access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any

(I know these 2 statements defeat the firewall, but I'm not blocking until I know the traffic better.)

Please don't point me to configuration guides or suggest TAC, as they have been a bit inconsistent with this issue thus far. What am I missing? I cannot get to the point where the inside interface of the firewall is pingable by the LAN and the outside interface of the firewall is pingable by the LAN.

Thank you for any help! - I will send the config as it is if you need it.


brquinn
Level 1

"What am I missing because I cannot get to where inside interface of the firewall is pingable by the lan and the outside interface of the firewall is pingable by the lan."

Traffic to-the-box is handled differently than traffic through-the-box. If you want to be able to ping your ASA interfaces, use 'icmp permit any <interface>'. Note that you can only ping local interfaces. You cannot ping a DMZ interface if your host is on the inside, for example.

A) Routes look fine to me.

B) If you are not translating anything, then you do not need any NAT configuration. There is no longer a concept of nat-control.

C) The example you provided does not contain any NAT. You have merely defined two objects.

Here is a good video that may help you to understand the changes in 8.3 and 8.4 and how to do initial configurations.

https://supportforums.cisco.com/docs/DOC-12324

I hope this helps.

Thanks,

Brendan
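Added worked example (not from the original post or reply): the two configurations above, rewritten as the complete ASA 8.4 and core-switch fragments a practitioner would actually paste, with the checks the thread touches on but does not spell out. The addresses come from the post; the core switch VLAN 1 SVI (192.168.5.6), the switch port to the ASA (GigabitEthernet1/1), the spare native VLAN (99) and the extra LAN subnet 192.168.7.0/24 are assumptions for illustration only.

```cisco
! ---- ASA 5510, 8.4(1) ----
! A physical interface that only carries subinterfaces stays unnamed, but it
! must be UP: "shutdown" on Ethernet0/0 or Ethernet0/1 also takes down every
! subinterface on it, which is enough on its own to make the inside and
! outside addresses unpingable.
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/0.1
 vlan 2
 nameif outside
 security-level 0
 ip address 192.168.9.2 255.255.255.240
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! A subinterface only receives 802.1Q-tagged frames; untagged frames belong
! to the (unnamed) physical interface and are dropped. VLAN 1 is the native
! VLAN on the switch trunk, so it is sent UNTAGGED and "vlan 1" never matches.
! Fix it on the switch side (below): tag the native VLAN or move it to an
! unused VLAN ID.
interface Ethernet0/1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 192.168.5.8 255.255.254.0
!
interface Ethernet0/1.2
 vlan 10
 nameif inside2
 security-level 100
 ip address 192.168.6.2 255.255.255.0
!
! Interfaces at the same security level do not forward to each other until
! this is enabled.
same-security-traffic permit inter-interface
!
! To-the-box ICMP (pinging the ASA's own addresses) is governed per interface
! by "icmp permit", not by the through-the-box access list.
icmp permit any inside
icmp permit any inside2
icmp permit any outside
!
! Routing: one default route toward the MPLS HSRP address. 192.168.4.0/23 and
! 192.168.6.0/24 are directly connected, so they need no static routes.
! Subnets that have no ASA subinterface are reached via the core's VLAN 1
! SVI (assumed 192.168.5.6); 192.168.7.0/24 is an assumed example.
route outside 0.0.0.0 0.0.0.0 192.168.9.1 1
route inside 192.168.7.0 255.255.255.0 192.168.5.6 1
!
! Through-the-box policy. Defining the ACL is not enough: without an
! access-group on "outside", MPLS-to-LAN traffic is dropped by the default
! lower-to-higher-security deny. "permit ip any any" already covers ICMP, so
! the separate icmp line from the post is redundant but harmless.
access-list 101 extended permit ip any any
access-group 101 in interface outside
!
! No NAT statements at all: 8.3+ has no nat-control, so untranslated traffic
! crosses the ASA as long as routing and the ACLs allow it.

! ---- Core switch, Catalyst 6500 IOS (assumed port and VLAN numbers) ----
! Keep VLAN 1 tagged toward the ASA by making an unused VLAN the native one.
! (Alternative: the global "vlan dot1q tag native".)
interface GigabitEthernet1/1
 description trunk to ASA e0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10
 switchport mode trunk
!
! The core keeps doing inter-VLAN routing; only its default route moves from
! the MPLS HSRP address to the ASA inside interface.
ip route 0.0.0.0 0.0.0.0 192.168.5.8
```

Verification order after applying this: ping the ASA inside address from a VLAN 1 host (to-the-box, exercises the native-VLAN and "icmp permit" fixes), then ping a host beyond the MPLS (through-the-box, exercises the default route and the outside access-group). Pinging the ASA's outside address from an inside host is expected to fail, as the reply notes; the ASA does not answer for a far-side interface.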
