08-05-2013 02:50 PM - edited 03-11-2019 07:21 PM
Hi, my name is Isaias. I have recently been tasked with a project at work. I am the IT guy for a small law firm. So what they have is a Time Warner Surfboard Router > ASA 5505 Firewall, Cisco Switch, Small Business Windows Server 2008. I have been tasked with adding an additional Private Network that will consist of Windows Server 2012 (Domain Controller, DHCP, DNS, File share) that will host 10 Windows 8 PCs. So I am not too experienced with Cisco Firewalls and would like to know how I should proceed in establishing two Vlans on the Firewall to separate the two networks. The server that I will be installing will be handling DHCP > DNS > DC > Fileshare. Where can I go to learn how to use the ASA and configure one of its physical ports as a Vlan, and what considerations should I take? I assume that all I have to do is log on to the Firewall using the GUI and configure the interface that I will be using with a static address, and turn off DHCP for that interface to allow the server to assign addresses? I would like some assistance on how this gets done. Thank you.
08-05-2013 03:08 PM
Hi,
Well, the ASA5505 model has a built-in switch module and only uses Vlan interfaces. At a very basic setup it will have 2 different Vlan interfaces, of which 1 is used for the LAN and 1 is used for the WAN.
The amount of Vlan interfaces it supports, and IF it supports Trunking, depends on the License on your ASA5505 unit.
This can be confirmed with the command
show version
On the CLI (Command Line Interface) of the ASA while connected to the unit by SSH or Telnet.
So the first step is to know what your ASA5505 License is.
If your ASA is a Base License version then you WON'T have support on the ASA for Vlan Trunking. And if we consider that you only have a single Cisco switch for the LAN then you would have to do the following
This should enable you to have 2 different Vlans on the L2 switch and the ASA without using Trunking in between
What you would also have to notice is that the Base License ASA5505 only allows for a Restricted 3rd Vlan (DMZ Restricted). It means that ONE of your 3 Vlan interfaces on the ASA has to be blocked from forming connections to one other Vlan. If we presume that no one needs to connect from the Internet to this new Vlan then you can configure your Vlan interface leading to the Internet from the ASA to be blocked from connecting to the new Vlan and you're all set.
If you on the other hand have a Security Plus License on the ASA5505 then you can do this without so many limitations.
As said above, the ASA5505 Security Plus License doesn't have that many limitations so you won't have any Restricted Vlans to worry about.
- Jouni
08-06-2013 08:11 AM
Thank you for this very informative post! Thing is, I am a desktop tech and I am not too proficient at configuring switches via CLI. I was hoping all I needed to do was configure the Firewall through the GUI interface and set up one of its physical ports on a different Vlan with a different IP address 192.168.2.0 255.255.255.0 and leave the rest of the ports on its 192.168.1.0 255.255.255.0 Network. Then I can attach a different unmanaged switch to that one port on the firewall. I would also have to make sure that I turn off DHCP on that particular port and assign it a static address for access back to the firewall, although access is not that important because all I would have to do is go on one of the computers on the .1 network as it's already set up. Lastly, I guess my last option would be to install a new router between the ISP router and the firewall so that the new router would then feed the firewall with its IP address and the new Network .2 with its own address as well, and maybe I can subnet it that way. I am rather new to networking but I have been studying like crazy to understand the concept of subnetting and how or what equipment to use to make it happen. Unfortunately I am not too well versed on how to configure switches and firewalls yet. Although I have been watching multiple hours of videos and training myself.
08-06-2013 08:14 AM
Oh, and also I will find out about the license that the Firewall has to see if it's even possible to get another Vlan on the firewall. If not, then are there any other alternatives if I don't know how to configure the firewall? Thank you so much for your help.
08-06-2013 08:16 AM
Could I use the DMZ zone as this additional Vlan and change the security level to 100?
08-06-2013 08:37 AM
Hi,
If you plan to use an extra unmanaged/dumb switch for the new network then that is certainly possible.
In that case you can configure the new Vlan interface on the ASA and configure the new network under it. You can then configure one of the ASA's physical interfaces as an Access port to that new Vlan. After this you can simply connect the new switch to this port and connect the hosts to the switch. The main thing is to keep the current switch and new switch separated from each other.
I presumed from your original post that you were not going to use any new switches. But naturally if you do it might simplify the changes for you.
If you can access the CLI / Command Line Interface of the ASA then simply providing some current configurations we could confirm what you need on the ASA to make this happen.
Notice that on the ASDM side you can also use the CLI and send these CLI commands to the device
You can go to
Naturally we also need to know the license on the ASA as I mentioned above in the earlier post. Whichever license you have, you should be able to accommodate a new Vlan on the ASA even though there might be restrictions applied compared to the better license.
You can use a software called Putty to form SSH or Telnet connections to the ASA, or even a Console connection if you have the cable and a computer with the proper port for the cable.
I don't personally use ASDM almost at all for configurations so I am not very good at advising in its use.
- Jouni
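The steps Jouni describes above (new Vlan interface, one physical port as an access port to it, no ASA DHCP on it, Internet via NAT), written out as an added ASA 5505 CLI example that is not from the original thread. It assumes a Base license where Vlan1 is the existing "inside" LAN (192.168.1.0/24) and Vlan2 is "outside"; the interface name "newlan", the port Ethernet0/5 and the object name NEWLAN-NET are placeholders I chose.

```cisco
! Assumed existing config: Vlan1 = inside (192.168.1.0/24, security-level 100),
! Vlan2 = outside. Base license allows a 3rd Vlan only as a restricted one.
interface Vlan3
 ! Base license: the restricted Vlan may not initiate traffic to ONE other Vlan.
 ! Pointing it at Vlan1 keeps the two LANs separated while leaving Internet
 ! access (via Vlan2) intact. Must be entered BEFORE nameif on this interface.
 no forward interface Vlan1
 nameif newlan
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Make one physical switch port an access port in the new Vlan; plug the
! unmanaged switch for the new network into this port.
interface Ethernet0/5
 switchport access vlan 3
 no shutdown
!
! The ASA must NOT hand out addresses here; the Windows server will be the
! DHCP server. Only needed if a dhcpd statement for "newlan" already exists.
no dhcpd enable newlan
!
! Object NAT (ASA 8.3 and later) so the new network can reach the Internet.
object network NEWLAN-NET
 subnet 192.168.2.0 255.255.255.0
 nat (newlan,outside) dynamic interface
!
! On ASA versions before 8.3 the equivalent would instead be:
! nat (newlan) 1 192.168.2.0 255.255.255.0
! global (outside) 1 interface
```

Traffic between two hosts in the same Vlan on the same switch is forwarded at layer 2 and never passes through the ASA's rules, so with this config the ASA only governs traffic leaving the new network, and inside-to-newlan traffic stays blocked unless you add a same-security-traffic permit and an ACL.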
03-06-2014 08:34 AM
I successfully added a second vlan, and computers in it see the Internet, but do not see each other.
Any advice would be greatly appreciated!
Thanks!