Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
825
Views
5
Helpful
1
Replies

ASA Internal VLAN configuration

Rory Hamaker
Level 1
Level 1

‎11-05-2018 11:58 AM - edited ‎02-21-2020 08:26 AM

I am sure i am close but just not quite getting it. I am working on a 5516 series ASA with 4 vlans currently. VLAN 20 can get out to the internet and has a net range of 172.110.95.x and my desktop office machines are sitting on it working perfectly fine. What i need is to get the other 3 internal vlans talking internal without exposing them to the internet. So vlan 6 is servers, with a class C range of 192.168.1.x; VLAN 3 are test systems 192.168.3.x, and VLAN 11 are a differnet set of test system on 192.168.11.x.

 

I need everyone to be able to talk to server VLAN 6 but not to each other.


Running config below:

 


:
ASA Version 9.8(3)8
!

names
name 172.110.95.1 DevInternal
name 10.248.17.66 SaicOut
no mac-address auto

!
interface GigabitEthernet1/1
shutdown
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3.100
vlan 25
nameif InsideDev
security-level 100
ip address DevInternal 255.255.255.0
!
interface GigabitEthernet1/3.101
vlan 3
nameif TestTeam
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet1/3.102
vlan 11
nameif GlobalHawk
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet1/3.103
vlan 6
nameif Servers
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet1/3.104
no vlan
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
channel-group 20 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
channel-group 20 mode active
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface Port-channel20
lacp max-bundle 8
no nameif
no security-level
no ip address
!
interface Port-channel20.150
vlan 908
nameif SAIC-Out
security-level 0
ip address SaicOut 255.255.255.224
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network InsideDev
subnet 172.110.95.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq smtp
service-object tcp destination eq telnet
service-object udp destination eq bootpc
service-object udp destination eq bootps
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group network LocalNetworks
network-object 172.110.95.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
access-list DevNetInternal_access_in remark Implicit rule: Permit all traffic to less secure networks
access-list DevNetInternal_access_in extended permit ip any any
access-list SAIC-out.100_access_in extended permit ip any any
access-list SAIC-out.100 extended permit icmp any any
access-list SAIC-Out_access_in extended permit ip any 10.248.17.64 255.255.255.224
access-list Dev-Int_access_in extended permit ip any 172.110.95.0 255.255.255.0
access-list DevNetInt_access_in extended permit object-group DM_INLINE_SERVICE_1 172.110.95.0 255.255.255.0 172.110.95.0 255.255.255.0
access-list OUT extended permit icmp any any
access-list base_access_in extended permit ip any any
access-list TestTeam_access_in extended deny ip 192.168.3.0 255.255.255.0 10.248.17.64 255.255.255.224
access-list TestTeam_access_in extended permit ip 192.168.3.0 255.255.255.0 172.110.95.0 255.255.255.0
access-list TestTeam_access_in extended permit icmp any any
access-list TestTeam_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list InsideDev_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu SAIC-Out 1500
mtu InsideDev 1500
mtu TestTeam 1500
mtu GlobalHawk 1500
mtu Servers 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
nat (any,outside) dynamic interface
object network InsideDev
nat (InsideDev,SAIC-Out) dynamic interface
access-group OUT in interface SAIC-Out
access-group InsideDev_access_in in interface InsideDev
access-group TestTeam_access_in_1 in interface TestTeam
route SAIC-Out 0.0.0.0 0.0.0.0 10.248.17.65 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.110.95.0 255.255.255.0 InsideDev
no snmp-server location
no snmp-server contact
sysopt noproxyarp outside
sysopt noproxyarp inside
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=dev-SAIC-asa5516
crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.5 255.255.255.255 inside
ssh 172.110.95.120 255.255.255.255 InsideDev
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 198.151.13.53
dhcpd domain develop.ds.amrdec.army.mil
dhcpd auto_config SAIC-Out
!
dhcpd address 172.110.95.100-172.110.95.220 InsideDev
dhcpd enable InsideDev
!
dhcpd address 192.168.3.100-192.168.3.200 TestTeam
dhcpd dns 192.168.100.5 interface TestTeam
dhcpd enable TestTeam
!
dhcpd address 192.168.11.100-192.168.11.200 GlobalHawk
dhcpd dns 192.168.100.5 interface GlobalHawk
dhcpd enable GlobalHawk
!
dhcpd address 192.168.100.50-192.168.100.200 Servers
dhcpd dns 192.168.100.5 interface Servers
dhcpd enable Servers
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

: end

 

0 Helpful
1 Reply 1

Rory Hamaker
Level 1
Level 1

‎11-05-2018 12:28 PM

Not sure what happened, but all is well and working as expected.  Sorry to take up space here for no reason

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card