527 Views, 0 Helpful, 5 Replies

ASA 5525 configuration

dallewis1
Level 1

Need help in configuring internet access for a particular subnet on an ASA 5525 firewall.

I am pretty new to ASA. From the configuration, all subnets are in separate VLANs and all the VLANs configured have internet access. I introduced a new VLAN and there is no internet access for devices in that VLAN.

A portion of my ASA config is as follows:

 

object network INSIDE
 subnet 0.0.0.0 0.0.0.0
object network obj-XX.XXX.XXX..0
 subnet XX.XXX.XXX.0 XXX.XXX.XXX.0
object network NETWORK_OBJ_XX.XXX.XX.XX_24
 subnet XX.XXX.XXX.0 XXX.255.255.0
 description
object network NETWORK_OBJ_
 subnet XX.XX.XXX.0 XXX.XXX.XX.0
 description VPN
object network NETWORK_OBJ_VLAN
 subnet XXX.XX.XX.0 XX.XX.252.0
 description VLAN20
object network NETWORK_OBJ_VLAN60
 subnet XXX.XXX.XXX.0 XXX.XXX.XXX.0
 description VLAN60
object network NETWORK_OBJ_VLAN62
 subnet XXX.XXX.XXX.0 255.255.255.0
 description VLAN62

5 Replies

Dinesh Moudgil
Cisco Employee

Please share which subnet/VLAN is not able to access the internet, and also share the NAT rules configured on the firewall.

Regards.
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

The subnet/VLAN not able to access the internet is:

object network NETWORK_OBJ_VLAN25
 subnet 192.168.100.0 255.255.255.254
 description VLAN25

This config was entered by me:

ASA1(config)# object network NETWORK_OBJ_VLAN25
ASA1(config-network-object)# subnet 192.168.100.0 255.255.254.0
ASA1(config-network-object)# description VLAN 25
ASA1(config-network-object)# end
ASA1# conf t
ASA1(config)# route inside 192.168.100.0 255.255.254.0 XX.XX.XX.X 1
ASA1(config)# end

These are the NAT commands in the firewall:

nat (inside,outside) source static VPN-xxxxxxx-NETWORKS destination static VPN-XXXXXXXX no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.255.255.0_24 NETWORK_OBJ_10.255.255.0_24
!
object network INSIDE
 nat (inside,outside) dynamic interface

Are you using subinterfaces on the ASA to connect to the VLANs/subnets on the local LAN, or is it just a single routed interface between the ASA and a layer 3 switch or router on the LAN?

Could you post the output of show int ip brief? Remember to remove any public IPs from the configuration that you post.

--

Please remember to select a correct answer and rate helpful posts


I believe there are subinterfaces on the ASA to connect to the VLANs. The ASA is directly connected to a 3560 switch and the config is as follows:

interface Port-channel30
 description po towards Firewall-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 300,666
 switchport mode trunk
 spanning-tree portfast

The inside interface config on the ASA is as follows:

interface Port-channel1.300
 vlan 300
 nameif inside
 security-level 100

I don't have access to the ASA right now to display the output of show int ip brief.

Since you are using subinterfaces on the ASA for your VLANs, you would just need to create a new subinterface and configure it to be in the new VLAN, along with a security-level, an interface name, and an IP address. Also remember to issue the no shutdown command.

Then make sure that the switch at the other end is allowing that VLAN over the trunk link.

interface Port-channel30
 switchport trunk allowed vlan add <VLAN number>

--

Please remember to select a correct answer and rate helpful posts

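To make the subinterface suggestion above concrete, here is an added example (not posted by anyone in this thread) of the ASA subinterface, the NAT rule, the switch trunk change and the verification commands for the new VLAN, using the 192.168.100.0/23 subnet and VLAN 25 from the original post. The interface name vlan25, the gateway address 192.168.100.1, the port-channel numbers and the packet-tracer destination are assumptions. Two caveats follow from the NAT config posted earlier: ASA NAT rules are scoped by interface name, so the existing nat (inside,outside) dynamic interface rule only translates traffic that enters the interface named inside and a subinterface with its own nameif needs its own rule; and because the new interface sits at security-level 100 like inside, hosts in VLAN 25 can only reach the other VLANs through the ASA if same-security-traffic permit inter-interface is configured.

```text
! --- ASA (added example; interface name, addresses and port-channel are assumptions) ---
! New dot1q subinterface on the same port-channel that already carries VLAN 300.
interface Port-channel1.25
 vlan 25
 nameif vlan25
 security-level 100
 ip address 192.168.100.1 255.255.254.0
 no shutdown
!
! NAT is matched per interface name: the rule under "object network INSIDE"
! is bound to (inside,outside) and does not cover packets arriving on vlan25.
object network NETWORK_OBJ_VLAN25
 subnet 192.168.100.0 255.255.254.0
 nat (vlan25,outside) dynamic interface
!
! Only needed if VLAN 25 hosts must reach the other VLANs through the ASA
! (both interfaces are security-level 100).
same-security-traffic permit inter-interface
!
! Once the subnet is directly connected on vlan25, the static route entered
! earlier would point it back out "inside"; remove it.
no route inside 192.168.100.0 255.255.254.0 XX.XX.XX.X 1

! --- 3560 switch: carry VLAN 25 over the trunk to the ASA ---
interface Port-channel30
 switchport trunk allowed vlan add 25

! --- Verification on the ASA (exec mode) ---
show interface ip brief
show nat
! Simulate a VLAN 25 host opening HTTPS to an internet address (destination is an assumed example):
packet-tracer input vlan25 tcp 192.168.100.10 40000 203.0.113.10 443
```

packet-tracer walks the packet through route lookup, ACLs and NAT and prints the phase that drops it, which is the quickest way to tell a missing NAT rule from a missing route or an access-group. Note that an access-group applied to inside is not inherited by vlan25: with no ACL bound to the new interface, traffic from security-level 100 to outside (security-level 0) is allowed by default. This example also assumes the ASA becomes the default gateway for VLAN 25; the route inside ... line in the original post suggests the 3560 was routing that subnet itself, in which case either the switch SVI for VLAN 25 goes away or the subinterface design above is not the one to use.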