Jouni thank you so much for your response!!!

I am replacing a SOHO firewall that is currently connected that only allows one subnet (Vlan) out to the Internet, according to the previous engineer.

So for the traffic going to the internet I would put a nat statement for the 3 vlans to the outside interface?

Thanks

Desmond

Hi,

Are you saying that you have another device connected to the L3 Switch that is currently handling Internet traffic? You already have a default route pointing to another device?

- Jouni

Sorry for the confusion.

The current setup has a 3750 switch connected to a Linksys SOHO router that is handling traffic for the Internet

Currently, this set up only allows one of my vlans to access the Internet.

I am replacing the Linksys device with an ASA 5520 and I want all 3 of the vlans to have Internet access which is the reason for the replacement. I hope I am explaining this with some clarity.

Thanks,

Desmond

Do you plan to make this change gradually or do you simply want to prepare the ASA configuration for the complete replacement of the Linksys and then do the change?

There might be a possibility to for example do Policy Based Routing on the 3750 for the 2 Vlans that dont have Internet access and forward all their Internet bound traffic to the ASA while still leaving the 1 Vlan to use the Linksys.

This would let you test the Internet through the ASA while still having the original Internet connection.

I am not sure how the Policy Based Routing (PBR) will affect the 3750 performance. I have had one occasion where it caused slight problems with the performance of the device.

What will the ASA use for Internet connection? Does it have a new Internet connection OR will the current Linksys connection be changed to provide the connection to the ASA and the ASA would then handle the firewalling etc.

Hopefully I made sense

- Jouni

Jouni,

I am actually looking just to replace the older, less featured device with a new ASA 5520.

The ASA 5520 will replace the Lnksys so the same currently used connections will also be used for the ASA connection..

I am usisng the ASA to firewall off my new created  network from the other production network they have in place.

Thanks,

Desmond

Jouni thank you for all of your assistance with this issue, I am confident that I will get this up and running with the assistance you provided!

Thanks again!

Desmond

No problem

Can you please mark the question as answered (button in the reply message) or rate the reply.

Naturally ask more if the need arises.

- Jouni

Jouni I need you assistance once again.

I just got to the site and set up the asa, but the configuration has changed a bit.

The ASA inside interface is connected to a 3750 switch by the routed connection that you suggested on yesterday and I am able to ping the 3750 from the ASA but the outside interface of the ASA is connected to a 2960 switch that is handing off a connection to the VLan 55 that they are stating is the only VLan that has access to the Internet.

How would I then configure the ASA to send traffic to the outside interface that has no ip address?

Thanks in advance.

Desmond

Hi,

Did you edit the original post?

But anyway, I am not sure I understood correctly but seems to me that the LAN portion + ASA is possibly configured fine (Have not seen the configurations so cant say for sure)

Now if your Internet connection from the ISP is provided through a 2960 switch and its has a Access mode port on Vlan55 towards the ASA then naturally you just connect that port to the ASA "outside" interface.

You say that you dont know how to route the traffic to the Internet from the ASA. To me it seems that there is only 2 options. You either have to know the ISP gateway IP address to which you configure the default route on the ASA OR if the previous Internet router was using DHCP to aquire the public IP address (and default route) from the ISP, then you will have to configure the ASA to also use DHCP on its outside interface.

But again, I am not all that sure on how the ASA and the switch on the "outside" is configured so its impossible to say what the situation is and give specific instructions.

- Jouni

Jouni!!!

Yes I did edit it with my new issues.

I have attached the config if you want to take a quick look.

I have the interface labeled and the Gi0/2 is connected to the 2960. I have also added a subinterface for the Vlan configuration, not sure if that was correct or not.

Thanks,

Desmond

Hi,

Do you have access to the 2960 switch?

To be honest if you have been originally assigned a public IP address range or a static public IP address then you should be able to get that information either from the old device or directly from the ISP.

If the old device was getting the public IP address from the ISP with DHCP then you will have to use DHCP on the "outside" interface.

If you have already replaced the old Linksys Internet router would it be possible that you could check its configurations to see how its WAN interface is configured. This would tell us how we need to configure the ASA "outside" interface. IF indeed the ASA will use the same line to Internet as the old Internet router/device was using.

I dont think you need to configure a subinterface on the ASA. IF the 2960 has a Access port towards your ASA you can simply connect the ASA Gi0/2 to that 2960 Access port. Provided that switch has a connection to ISP.

- Jouni

I just had someone check the 2960 port that connects to my ASA and it is just an access port that is in the 55 vlan.

I thought it may have been set up differently but its just an access port.

That being the case, Vlan 55 is the only vlan that can access the internet. Is there soemway I can take 172.172.1.0 Vlan (for example)  and nat it to the VLAN 55?

I dont know I am just throwing out things...