Solved: How can I setup multiple internal/private networks on a Cisco ASA 5506-x?

errMsg · ‎04-04-2020

I have a 5506-x asa and im trying to segment my internal network into several "zones".

For example:

192.168.1.0/25 LAN

192.168.1.128/25 WIFI LAN

192.168.2.0/24 IOT

192.168.3.0/24 LAB

I have the base license and can create a max of 5 VLANS

I don't know if I need to setup separate networks on each interface or create vlans on a trunk port to get this going. I also need to be able to communicate between these networks

Thanks for any direction:)

Sheraz.Salim · ‎04-04-2020

it depends what you want.

might this help you.

!
interface GigabitEthernet1/1
 nameif Outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/3
 no shut
!
interface GigabitEthernet1/3.100
 vlan 100
 nameif LAN
 security-level 100
 ip address x.x.x.x
!
interface GigabitEthernet1/3.200
 vlan 200
 nameif WIFI-LAN
 security-level 100
 ip address x.x.x.x
!
interface GigabitEthernet1/3.300
 vlan 300
 nameif IOT
 security-level 100
 ip address x.x.x.x
!
interface GigabitEthernet1/3.400
 vlan 400
 nameif LAB
 security-level 100
 ip address x.x.x.x
!
object network LAN
 subnet 192.168.1.0 255.255.255.128
 nat (LAN,Outside) dynamic interface
!
object network WIFI-LAN
 subnet 192.168.1.128 255.255.255.128
 nat (WIFI-LAN,Outside) dynamic interface
!
object network IOT
 subnet 192.168.2.0 255.255.255.0
 nat (OIT,Outside) dynamic interface
!
object network LAB
 subnet 192.168.3.0 255.255.255.0
 nat (LAB,Outside) dynamic interface
!


on switch side example 

switch-port48 ----connect-to------5506-X-PORT-3
!
interface gig1/0/48
 switchport trunk allow vlan add 100,200,300,400 
 switchport mode trunk
 no shut
!

please do not forget to rate.

View solution in original post

Sheraz.Salim · ‎04-04-2020

it depends what you want.

might this help you.

!
interface GigabitEthernet1/1
 nameif Outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/3
 no shut
!
interface GigabitEthernet1/3.100
 vlan 100
 nameif LAN
 security-level 100
 ip address x.x.x.x
!
interface GigabitEthernet1/3.200
 vlan 200
 nameif WIFI-LAN
 security-level 100
 ip address x.x.x.x
!
interface GigabitEthernet1/3.300
 vlan 300
 nameif IOT
 security-level 100
 ip address x.x.x.x
!
interface GigabitEthernet1/3.400
 vlan 400
 nameif LAB
 security-level 100
 ip address x.x.x.x
!
object network LAN
 subnet 192.168.1.0 255.255.255.128
 nat (LAN,Outside) dynamic interface
!
object network WIFI-LAN
 subnet 192.168.1.128 255.255.255.128
 nat (WIFI-LAN,Outside) dynamic interface
!
object network IOT
 subnet 192.168.2.0 255.255.255.0
 nat (OIT,Outside) dynamic interface
!
object network LAB
 subnet 192.168.3.0 255.255.255.0
 nat (LAB,Outside) dynamic interface
!


on switch side example 

switch-port48 ----connect-to------5506-X-PORT-3
!
interface gig1/0/48
 switchport trunk allow vlan add 100,200,300,400 
 switchport mode trunk
 no shut
!

please do not forget to rate.

errMsg · ‎04-05-2020

here is my config. Im trying to set this VLAN 40 on interface gi1/5.40

I dont know what is wrong

!
interface GigabitEthernet1/5.40
vlan 40
nameif atlantis_lab
security-level 100
ip address 192.168.4.1 255.255.255.0
!

object network atlantis_lab
subnet 192.168.4.0 255.255.255.0

object network atlantis_lab
nat (atlantis_lab,outside) dynamic interface

dhcpd address 192.168.4.5-192.168.4.200 atlantis_lab
dhcpd enable atlantis_lab

Pulkit Saxena · ‎04-06-2020

Hi,

This looks fine, did you verify the configuration on connected interface of switch ? It should have this VLAN allowed.

-
Pulkit

Pulkit Saxena · ‎04-04-2020

It depends on how you want to configure, one of the ways is already mentioned by Sheraz with configuration example.
You can also have a look at the below document to have an understanding of ASA 5505/5506 switchports :
https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/int5505.html

-
Pulkit