
ASA connected to 3750 (Layer 3 Switch)

Desmond Smith
Level 1

I have an ASA 5520 connected to a Layer 3 switch (3750) on the inside and to a 2960 switch on the outside to get to the Internet. I have created VLAN interfaces on the 3750 switch and enabled IP routing on the switch so the VLANs can communicate with each other.

Vlan Interfaces on the switch:

Vlan 100 172.17.1

Vlan 200 172.18.1

Vlan 300 192.168.3.1

I want the devices connected to the 3 vlans to be able to pass through the firewall and get out to the internet.

Question:

I have connected the ASA to the 3750 by routed interfaces (10.10.10.1) --------- (10.10.10.2) and they are able to ping each other.

I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (10.10.10.1)

The issue that I am having is that the ASA also connects to a 2960 which has a connection to the Internet, and they are handing off an Ethernet connection from the 2960 that sits in VLAN 55 (VLAN 55 is the Internet-accessible VLAN).

How do I configure my ASA to send all traffic from my (3) vlans to the interfaces that connects to the 2960 switch?

22 Replies

Hi,

I think I already posted an answer but I can't see it in this discussion for some reason. Don't know what happened.

I am still not clear what the Vlan55 is. It sounds to me from your comments that it would just be another user Vlan?

Or is it the Vlan between your side and ISP?

What IP address range does the Vlan55 use?

What is that network using as its default gateway since you say it can access Internet?

Isn't this Vlan55 behind the ASA on the 3750, or does it only exist on the 2960 switch?

- Jouni

Hi Jouni,

Vlan 55 is a VLAN that exists only on the 2960 and does not extend past the firewall; they are only handing off an Ethernet connection to my ASA, which is in Vlan 55.

The IP address range of Vlan 55 is 10.63.210.128/25 and the gateway of that VLAN is 10.63.210.129. Since that is a private IP address range, I am assuming it is getting NATed again to public IP address space.

Desmond

Hi,

Is there any specific reason this Vlan55 is separate from all the other Vlans?

So I guess next we could do the following steps (presuming the ASA is still configured like in your previously posted configuration):

Remove the Subinterface

no interface Ethernet0/2.1

Acquire an IP address for the ASA

Unless you manage the Vlan55 address space you will have to ask someone to give an IP address from the Vlan55 network that you can configure on the ASA "outside" interface. When you get that IP address use it with the below configuration.

interface Ethernet0/2
 description Link to 2960
 nameif outside
 security-level 0
 ip address 10.63.210.xxx 255.255.255.128

Define a default route

We will route all traffic to networks that are not local to the default gateway of Vlan55, which I presume holds the Internet connectivity.

route outside 0.0.0.0 0.0.0.0 10.63.210.129

Define NAT0 / NAT Exempt for the LAN networks behind ASA

As the Internet connection isn't directly connected to the ASA "outside" interface, there is no need to NAT the LAN networks. So we will configure the below NAT0:

access-list INSIDE-NAT0 remark NO NAT for LAN networks Behind ASA
access-list INSIDE-NAT0 permit ip 192.168.162.0 255.255.255.0 any
access-list INSIDE-NAT0 permit ip 192.168.3.0 255.255.255.0 any
access-list INSIDE-NAT0 permit ip 172.17.1.0 255.255.255.0 any
nat (inside) 0 access-list INSIDE-NAT0

Add ICMP Inspection on the ASA

This will help allowing ICMP traffic through the ASA if you are testing something with ICMP. Naturally we have to consider that there is other device controlling Internet traffic so it might prevent something.

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

Request that routes for the 3 LAN networks are added on the Internet router/device pointing towards the ASA outside IP address

We need the Internet router/device to know where your LAN networks reside, since we are not doing any NAT for the 3 LAN networks.

Request that the Internet Router/device is configured with NAT rules which will allow the 3 LAN networks behind the ASA to be NATed towards Internet

We need  the Internet Router/device also to have NAT rules on it for your 3 LAN networks so they will get NATed to a public IP address to enable Internet connectivity.

Also, one optional thing you can try which DOESN'T require any configuration on the Internet router, to my understanding.

First you will need some IP address from the Vlan55 that you know is free and not used by any device. You then configure the "outside" interface just like in the above example. You also configure the default route just like above.

But instead of NAT0 you configure PAT for the 3 LAN networks

global (outside) 1 interface
nat (inside) 1 192.168.162.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
nat (inside) 1 172.17.1.0 255.255.255.0

What this will do is PAT all the traffic from the 3 LANs to the "outside" IP address of the ASA. As that IP address is part of the Vlan55 network, it probably means that it has all the necessary configuration on the Internet router/device and you will potentially be able to access the Internet.

Even if either of the above options works, this is not an ideal setup. It would be best if the actual public IP address (or range/subnet) was configured directly on the ASA rather than on some other device, and also that the Vlan55 was behind the ASA, perhaps as its own interface if it needs to be kept separate from the other 3 LAN networks by the firewall.

But  to my understanding the main priority is to get Internet connectivity.

Whew, finally done with the writing.

- Jouni
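The two NAT options in the answer above, as an added toy model (example code written for this page, not from the thread or from Cisco). It keeps an ASA-style connection table and PAT xlate table plus a one-entry routing table for the Vlan55 gateway, and shows why "nat (inside) 0 access-list" only works once the gateway has routes back to the three LAN prefixes, while "global (outside) 1 interface" + "nat (inside) 1" works with no upstream change because the reply is addressed to a Vlan55 address. The LAN host 172.17.1.10, the ASA outside address 10.63.210.130 (the thread only says 10.63.210.xxx) and 8.8.8.8 as the test destination are assumptions; the gateway's own NAT towards the Internet is not modelled.

```python
"""Toy model of ASA NAT0 (identity NAT) versus interface PAT.
Added example, not ASA code. Addresses marked ASSUMED are not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network
IP = ipaddress.IPv4Address

# Prefixes taken from the NAT lists in the thread.
LAN_NETS = [IPNet(n) for n in ("192.168.162.0/24", "192.168.3.0/24", "172.17.1.0/24")]
VLAN55 = IPNet("10.63.210.128/25")   # from the thread
ASA_OUTSIDE = IP("10.63.210.130")    # ASSUMED free Vlan55 address (thread: 10.63.210.xxx)


@dataclass(frozen=True)
class Pkt:
    src: IP
    sport: int
    dst: IP
    dport: int


class Asa:
    """Stateful inside->outside forwarder in one of two modes: 'nat0' or 'pat'."""

    def __init__(self, mode: str) -> None:
        if mode not in ("nat0", "pat"):
            raise ValueError(mode)
        self.mode = mode
        self.conns = set()     # (src, sport, dst, dport) as they appear on the outside wire
        self.xlate = {}        # PAT only: mapped port -> (real src, real sport)
        self._next_port = 1024

    def outbound(self, p: Pkt) -> Optional[Pkt]:
        """Return the packet as it leaves the outside interface, or None if no rule matches."""
        if not any(p.src in n for n in LAN_NETS):
            return None        # neither the NAT0 ACL nor 'nat (inside) 1' covers this source
        if self.mode == "nat0":
            wire = p           # identity NAT: the LAN address is visible to the Vlan55 gateway
        else:
            port = self._next_port
            self._next_port += 1
            self.xlate[port] = (p.src, p.sport)
            wire = Pkt(ASA_OUTSIDE, port, p.dst, p.dport)   # PAT onto the outside address
        self.conns.add((wire.src, wire.sport, wire.dst, wire.dport))
        return wire

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Return traffic: must match an existing connection, then undo any PAT."""
        if (p.dst, p.dport, p.src, p.sport) not in self.conns:
            return None        # unsolicited from outside (security-level 0): dropped
        if self.mode == "pat":
            real_src, real_sport = self.xlate[p.dport]
            return Pkt(p.src, p.sport, real_src, real_sport)
        return p


def upstream_can_reply(reply_dst: IP, extra_routes=()) -> bool:
    """The Vlan55 gateway only knows its connected subnet unless someone adds LAN routes."""
    table = [VLAN55, *(IPNet(r) for r in extra_routes)]
    return any(reply_dst in n for n in table)


def round_trip(mode: str, extra_routes=()) -> bool:
    """Does a host on Vlan 100 get an answer back from 8.8.8.8 under this mode?"""
    asa = Asa(mode)
    host = Pkt(IP("172.17.1.10"), 40000, IP("8.8.8.8"), 53)   # ASSUMED LAN host
    wire = asa.outbound(host)
    if wire is None:
        return False
    reply = Pkt(wire.dst, wire.dport, wire.src, wire.sport)   # what 8.8.8.8 answers with
    if not upstream_can_reply(reply.dst, extra_routes):
        return False           # the Vlan55 gateway has no route back: reply is lost
    delivered = asa.inbound(reply)
    return delivered is not None and (delivered.dst, delivered.dport) == (host.src, host.sport)


if __name__ == "__main__":
    print("PAT, no upstream change:      ", round_trip("pat"))
    print("NAT0, no upstream routes:     ", round_trip("nat0"))
    print("NAT0 + routes on the gateway: ", round_trip("nat0", ("172.17.1.0/24",)))
```

The model is deliberately one-directional: nothing from outside gets in unless a matching connection already exists, which is what security-level 0 on "outside" gives you by default. On a real ASA the equivalent walk-through for one flow is `packet-tracer input inside tcp 172.17.1.10 40000 8.8.8.8 53`, which reports which NAT rule and route the packet hit.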

Jouni if you were here I would have to bear hug you dude!!!

First, I thank you for the assistance and the explanation of why this is being done. I will try your configuration suggestions on Monday or Tuesday and let you know what the results are. I am trying to get a better grasp of security as I want to go deeper in the field of study as I gain more knowledge of the Cisco security devices. You sound like you have a wealth of knowledge in the field of security and I hope I can one day gain that level of knowledge and expertise...Is that self taught or professional training?

Desmond

Hi,

Basically, when I was studying 2002-2007 I only covered Cisco's CCNA and CCNP material for Routing & Switching. I decided to do my final work / Bachelor's thesis on building a small business network with Cisco firewalls/routers/switches.

I was completely clueless with regards to firewalls, as we didn't have any courses related to Cisco firewalls.

After I graduated I got to work at my local ISP and there quickly found myself configuring firewall/VPN environments. I would say 99% of what I know is a result of simply learning from my colleagues and simply testing and going through existing configurations. Naturally all the documentation on the Internet/Cisco site is valuable also.

I would still say that you learn the most by just doing and when you run into some problem you usually learn even more since you really need to determine what is happening and how everything works.

Courses only get you so far. Typically the courses I have gone into try to cram way too much content into short amount of time and not enough lab practices which ends up with the result that you end up forgetting the information unless you can directly apply the course contents in your work right away.

- Jouni

Jouni -

I have a similar setup to Desmond; thanks for answering some questions already. I've a couple of others.

My current network looks like this:

ISP ---> Router (2901) ---> unmanaged switch ===> this switch has 3 connections A. 2901   |  B.  current firewall |  C is current vpn 3000.

I plan to put a 5510 in place of current firewall.  Actually I have 2 which I plan to run active/passive.

In your opinion should I try to implement getting rid of the 2901 completely (the VPN 3000 is already getting phased out for the 5510)?

As it is the 2901 has very little actual configurations happening and I've been wondering about that.  Few acls thats about it.

Also, currently there are NAT rules in the current firewall which, reading this, sound like they aren't needed, but I'll ask in a separate thread since this one is answered.

Hello Jouni,

I set up everything as you suggested and the ASA is able to hit the Internet (Ping 8.8.8.8). I try the same test with a laptop plugged into the 3750 switch (Vlan 100)  that sits behind the ASA and it fails, not able to ping 8.8.8.8. Am I leaving something out in my config? I am actually using the PAT suggestion that you sent.

Thanks,

Desmond

Yes ma'am, all fine, but please tell us the dynamic command and ACL also; it will be helpful for beginners.
