ASA port question

JonRM1970
Level 1

I have an ASA 5510 running 9.1(2).

I am not entirely familiar with the ASA firewall, but know enough to be dangerous with it.

What I am looking for is some help on the syntax and procedure to get a second subnet added into the device and working.

What I have:

ASA 5510 running two ports (Inside, eth 0/1: local office 10.10.10.x subnet; Outside, eth 0/0: ISP to cloud, and 2 VPN tunnels: 1. to PIX 501, and 2. to Data Center off-site)

PIX 501 (running to ISP on eth0/0 and Development subnet eth0/1 on 10.10.20.x, with one VPN to ASA 5510)

The PIX has a VPN tunnel to the ASA, which allows it to go to the data center and remain separate from the office subnet.

I would like to take the PIX off line and add its subnet traffic to the ASA on one of the free ports if possible. The requirements I need are:

10.10.20.x stay separate but still be able to get to the datacenter via the VPN tunnel on ASA 5510.

10.10.10.x not change.

VPN to datacenter remain up and not changed.

I would like to add the PIX traffic to the ether 0/2 port. Any help and guidance would greatly be appreciated.

I have attached a diagram showing as much detail as I can. If more is needed I can continue via e-mail.

-Jon

3 Replies

Seb Rupik
VIP Alumni

Hi Jon,

There is a lot of guess work in this config as we don't have your ASA config to go by...

!
interface Ethernet0/2
nameif old_pix_lan
security-level 90
ip address 10.10.20.254 255.255.255.0
no shutdown
!

...I've guessed that the PIX network was just a /24 so the gateway might be 10.10.20.254 ?

!
object network old_pix_network
subnet 10.10.20.0 255.255.255.0
description old_pix_network
!
object network dc_network
subnet <dc_subnet_id> <dc_netmask>
!

...you never said what the DC subnet was.

!
access-list acl_l2l_dc extended permit ip 10.10.20.0 255.255.255.0 <dc_subnet_id> <dc_netmask>
!
nat (old_pix_lan,outside) source static old_pix_network old_pix_network destination static dc_network dc_network
!

...you will have an ACL configured which is used by the crypto map statement to connect to the DC. I've taken a wild guess and called it 'acl_l2l_dc'. This needs to be changed to match what is already configured!

The second is a NAT exemption rule, so you don't NAT the old_pix_network as it leaves eth0/0 and therefore it is correctly identified by the above ACL. Of course, if NAT is done on your ISP modem for your entire network then you can leave it out.

Would be useful to see your ASA config to fill in the blanks.

cheers,

Seb.
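As an added example (not part of this thread, and not a Cisco tool), a small Python check for the pitfall Seb describes: every source/destination pair in the crypto-map ACL needs a matching identity twice-NAT rule, or the traffic is translated before the crypto map sees it and never enters the tunnel. The config below is constructed; the DC subnet 192.168.100.0/24 is a stand-in for the value Jon never gave, and the ACL name acl_l2l_dc is Seb's guess.

```python
import re
from ipaddress import IPv4Network

# Constructed sample config: office network already exempted, old PIX network
# added to the crypto ACL but with the NAT exemption forgotten.
SAMPLE_CONFIG = """
object network old_pix_network
 subnet 10.10.20.0 255.255.255.0
object network office_network
 subnet 10.10.10.0 255.255.255.0
object network dc_network
 subnet 192.168.100.0 255.255.255.0
access-list acl_l2l_dc extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_l2l_dc extended permit ip 10.10.20.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside,outside) source static office_network office_network destination static dc_network dc_network
"""

OBJ_RE = re.compile(r"^object network (\S+)\n\s*subnet (\S+) (\S+)", re.M)
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M
)


def missing_nat_exemptions(config: str, crypto_acl: str) -> list[tuple[str, str]]:
    """Return (src, dst) pairs of the crypto ACL that have no identity twice-NAT rule."""
    objects = {name: IPv4Network(f"{ip}/{mask}") for name, ip, mask in OBJ_RE.findall(config)}
    exempt = set()
    for _ingress, _egress, s_real, s_mapped, d_real, d_mapped in NAT_RE.findall(config):
        # Identity NAT: the real and mapped objects are the same on both sides.
        if s_real == s_mapped and d_real == d_mapped and s_real in objects and d_real in objects:
            exempt.add((objects[s_real], objects[d_real]))
    missing = []
    for acl, s_ip, s_mask, d_ip, d_mask in ACE_RE.findall(config):
        if acl != crypto_acl:
            continue
        pair = (IPv4Network(f"{s_ip}/{s_mask}"), IPv4Network(f"{d_ip}/{d_mask}"))
        if pair not in exempt:
            missing.append((str(pair[0]), str(pair[1])))
    return missing


if __name__ == "__main__":
    for src, dst in missing_nat_exemptions(SAMPLE_CONFIG, "acl_l2l_dc"):
        print(f"crypto ACL entry {src} -> {dst} has no NAT exemption rule")
```

Appending Seb's `nat (old_pix_lan,outside) source static old_pix_network old_pix_network destination static dc_network dc_network` line to the sample clears the finding.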

Seb,

If you have an e-mail you would be willing to give me, I can give you a sanitized copy of all three configs. I did not want to post them here due to community boards.

-Jon

Seb,

I sent an e-mail back with a problem that I ran into.

-Jon
