Cisco ASA 5505, Adding Vlan

isaiasperez77
Level 1

Hi, my name is Isaias. I have recently been tasked with a project at work. I am the IT guy for a small law firm. So what they have is a Time Warner Surfboard Router > ASA 5505 Firewall, Cisco Switch, Small Business Windows Server 2008. I have been tasked with adding an additional Private Network that will consist of Windows Server 2012 (Domain Controller, DHCP, DNS, File share) that will host 10 Windows 8 PCs. So I am not too experienced with Cisco Firewalls and would like to know how I should proceed in establishing two Vlans on the Firewall to separate the two networks. The server that I will be installing will be handling DHCP > DNS > DC > Fileshare. Where can I go to learn how to use the ASA and configure one of its physical ports as a Vlan, and what considerations should I take? I assume that all I have to do is log on to the Firewall using the GUI and configure the interface that I will be using with a static address, and turn off DHCP for that interface to allow the server to assign addresses? I would like some assistance on how this gets done. Thank you.

6 Replies

Jouni Forss
VIP Alumni

Hi,

Well, the ASA5505 model has a built-in switch module and only uses Vlan interfaces. At a very basic setup it will have 2 different Vlan interfaces, of which 1 is used for the LAN and 1 is used for the WAN.

The amount of Vlan interfaces it supports and IF it supports Trunking depends on the License on your ASA5505 unit.

This can be confirmed with the command

show version

On the CLI (Command Line Interface) of the ASA while connected to the unit by SSH or Telnet.

So the first step is to know what your ASA5505 License is.

If your ASA is a Base License version then you WON'T have support on the ASA for Vlan Trunking. And if we consider that you only have a single Cisco switch for the LAN then you would have to do the following

  • Configure a new Vlan on the L2 switch
  • Assign the physical ports to which you are connecting hosts and server to that new Vlan as Access Ports
  • Choose a single port that you will connect to the ASA and assign that port to this new Vlan also as an Access Port
  • You then configure a new Vlan interface on the ASA for this new network
  • You will configure one of the free physical ports of the ASA to this new Vlan as an Access Port
  • You will attach a network cable between the new ASA port and the L2 Switch port you chose to be the port leading to the ASA

This should enable you to have 2 different Vlans on the L2 switch and the ASA without using Trunking in between.

What you would also have to notice is that the Base License ASA5505 only allows for a Restricted 3rd Vlan (DMZ Restricted). It means that ONE of your 3 Vlan interfaces on the ASA has to be blocked from forming connections to one other Vlan. If we presume that no one needs to connect from the Internet to this new Vlan then you can configure your Vlan interface leading to the Internet from the ASA to be blocked from connecting to the new Vlan and you're all set.

If you on the other hand have a Security Plus License on the ASA5505 then you can do this without so many limitations.

  • You configure a new Vlan interface on the ASA5505
  • You configure a new Vlan on the L2 switch and set all the needed physical ports to the mentioned Vlan for the new hosts/servers.
  • You configure one of the physical interfaces of the ASA5505 as a Trunk that will pass the 2 LAN Vlans (new and current one) on the Trunk
  • You configure one of the L2 switch physical interfaces as a Trunk and set it to pass the 2 LAN Vlans (new and current one) on the Trunk
  • You move the current cable between L2 switch and ASA5505 to the new ports configured as Trunk

As said above, the ASA5505 Security Plus License doesn't have that many limitations so you won't have any Restricted Vlans to worry about.

- Jouni
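An added worked configuration for the two procedures described above (not from the original thread). Assumed values: Vlan1 is the existing inside LAN (192.168.1.0/24), Vlan2 is outside, the new network becomes Vlan3 named "lan2" on 192.168.2.0/24, ASA port Ethernet0/3 (access) or Ethernet0/1 (trunk), and switch ports FastEthernet0/10-12 for the new hosts with FastEthernet0/24 as the uplink; with the Base license the new VLAN is chosen as the restricted one, blocked from initiating traffic to the existing LAN.

```cisco
! --- ASA 5505, Base license: new VLAN as the "restricted" third VLAN ---
! Assumed existing state: Vlan1 = inside (192.168.1.0/24), Vlan2 = outside.
! Assumed new values: Vlan3, nameif "lan2", 192.168.2.0/24, port Ethernet0/3.
interface Vlan3
 ! Base-license restriction: this VLAN may not initiate connections to
 ! Vlan1 (the existing LAN). Must be entered before nameif.
 ! Internet access through Vlan2 is unaffected.
 no forward interface Vlan1
 nameif lan2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 description access port to the new L2 switch
 switchport access vlan 3
 no shutdown
!
! No "dhcpd ... lan2" lines on purpose: the new Windows server hands out
! addresses. The new interface still needs the same NAT/ACL treatment as
! "inside" for Internet access; that syntax differs between ASA 8.2 and
! 8.3+, so copy the existing inside lines from "show running-config".

! --- Catalyst L2 switch (only if the existing managed switch is reused) ---
vlan 3
 name lan2
!
interface range FastEthernet0/10 - 12
 switchport mode access
 switchport access vlan 3
!
interface FastEthernet0/24
 description uplink to ASA Ethernet0/3
 switchport mode access
 switchport access vlan 3

! --- Security Plus license: one trunk instead of a second cable ---
! Replaces the Ethernet0/3 access port above; Vlan3 then needs no
! "no forward interface" line.
interface Ethernet0/1
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
 no shutdown
!
! Matching switch side (drop the encapsulation line if the switch rejects it):
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3
 switchport mode trunk
```

With both inside and lan2 at security-level 100 and no same-security-traffic permit inter-interface, the ASA passes no traffic between the two LANs, which is the separation asked for in the original post.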

Thank you for this very informative post! Thing is, I am a desktop tech and I am not too proficient at configuring switches via CLI. I was hoping all I needed to do was configure the Firewall through the GUI interface and set up one of its physical ports on a different Vlan with a different IP address 192.168.2.0 255.255.255.0 and leave the rest of the ports on its 192.168.1.0, 255.255.255.0 Network. Then I can attach a different unmanaged switch to that one port on the firewall. I would also have to make sure that I turn off DHCP on that particular port and assign it a static address for access back to the firewall, although access is not that important because all I would have to do is go on one of the computers on the .1 network as it's already set up. Lastly, I guess my last option would be to install a new router between the ISP router and the firewall so that the new router would then feed the firewall with its IP address and the new Network .2 with its own address as well, and maybe I can subnet it that way. I am rather new to networking but I have been studying like crazy to understand the concept of subnetting and how or what equipment to use to make it happen. Unfortunately I am not too well versed on how to configure switches and firewalls yet, although I have been watching multiple hours of videos and training myself.

Oh, and also I will find out about the license that the Firewall has to see if it's even possible to get another Vlan on the firewall. If not, then are there any other alternatives if I don't know how to configure the firewall? Thank you so much for your help.

Could I use the DMZ zone as this additional Vlan and change the security level to 100?

Hi,

If you plan to use an extra unmanaged/dumb switch for the new network then that is certainly possible.

In that case you can configure the new Vlan interface on the ASA and configure the new network under it. You can then configure one of the ASA's physical interfaces as an Access port to that new Vlan. After this you can simply connect the new switch to this port and connect the hosts to the switch. The main thing is to keep the current switch and new switch separated from each other.

I presumed from your original post that you were not going to use any new switches. But naturally if you do it might simplify the changes for you.

If you can access the CLI / Command Line Interface of the ASA then simply providing some current configurations we could confirm what you need on the ASA to make this happen.

Notice that on the ASDM side you can also use the CLI and send these CLI commands to the device

You can go to

  • Tools Menu (top menu)
  • Command Line Interface
  • The above will provide you with a GUI interface through which you can send the CLI commands to the ASA from the ASDM without using any separate CLI GUI.

Naturally we also need to know the license on the ASA, as I mentioned above in the earlier post. Whichever license you have, you should be able to accommodate a new Vlan on the ASA even though there might be restrictions applied compared to the better license.

You can use a software called Putty to form SSH or Telnet connections to the ASA, or even a Console connection if you have the cable and a computer with the proper port for the cable.

I don't personally use ASDM almost at all for configurations so I am not very good at advising in its use.

- Jouni

GravityCo
Level 1

I successfully added a second vlan, and computers in it see the Internet, but do not see each other.

Any advice would be greatly appreciated!

Thanks!
