02-17-2014 07:34 PM - edited 03-11-2019 08:46 PM
Hi Forum,
I have a doubt about how to implement a new scenario.
My customer has a 5520 (with four interfaces) firewall with the following version:
ASA Version 8.2(5), and his configuration is:
interface GigabitEthernet0/1
nameif lan1
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif lan2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/0
description ISP1
nameif outside
security-level 0
ip address a.b.c.252 255.255.255.248
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list Public_access_in extended permit icmp any any
access-list ACL-RED-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.112.0 255.
access-list ACL-INSIDE-NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.112.0
!
icmp permit any outside
icmp permit any inside
!
global (outside) 1 interface
nat (inside) 0 access-list ACL-INSIDE-NONAT
nat (lan1) 1 192.168.1.0 255.255.255.0
nat (lan2) 1 192.168.2.0 255.255.255.0
!
static (lan2,outside) tcp a.b.c.253 8080 192.168.2.11 8080 netmask 255.255.255.255
static (lan2,outside) tcp a.b.c.253 8081 192.168.2.13 8081 netmask 255.255.255.255
!
access-group Public_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 a.b.c.249 1
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
! The rest is omitted
So, the LAN segments (192.168.1.0/24 and 192.168.2.0/24) leave to the Internet through the outside interface, and I have also set up a VPN between our side and the remote LAN site (192.168.112.0/24).
Now, my customer wants to add a new LAN segment (for example 192.168.3.0/24) and has recently purchased a new ISP service.
He wants this new LAN segment to leave through the new ISP, and possibly a new VPN between this new segment and another site will appear.
In summary:
The old configuration is not going to change.
For the new service, LAN 192.168.3.0/24 must go to the Internet using the second ISP service x.y.z.194 255.255.255.248.
What changes must I make on interface G0/3?
I suppose that I must create subinterfaces on interface G0/3, like this:
! physical interface: no nameif/IP of its own, it only carries the VLAN subinterfaces
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
no shutdown
! new LAN segment on VLAN 100
interface GigabitEthernet0/3.100
vlan 100
nameif lan3
security-level 50
ip address 192.168.3.1 255.255.255.0
! second ISP on VLAN 200
interface GigabitEthernet0/3.200
vlan 200
nameif outside2
security-level 0
ip address x.y.z.194 255.255.255.248
! default route via ISP2; metric 250 makes it a backup to the metric-1 route via outside
route outside2 0.0.0.0 0.0.0.0 x.y.z.193 250
! PAT for the new segment behind the outside2 interface address
global (outside2) 2 interface
nat (lan3) 2 192.168.3.0 255.255.255.0
! apply the same inbound ACL on outside2
access-group Public_access_in in interface outside2
Also, the segment 192.168.2.x/24 must be able to access the other LAN segments (192.168.1.0/24 and 192.168.3.0/24).
Please correct me, or point me to any other reference I could consult.
Regards
ARGB
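As an added example (not code from the post or from anyone in this thread), a short Python lint for the kind of 8.2-style fragment proposed above. It flags commands whose nameif is never defined by an interface, and resolves the egress interface for a destination the way the ASA does without PBR: longest prefix match, then lowest metric. That makes visible where 192.168.3.0/24 traffic actually goes when two default routes with metrics 1 and 250 coexist. The sample config is constructed from the thread (RFC 5737 documentation addresses stand in for the a.b.c/x.y.z placeholders, and one nat line deliberately references an undefined nameif); all function names are assumptions.

```python
"""Lint an ASA 8.2-style config fragment: find commands that reference a
nameif that is never defined, and resolve which interface a destination
leaves through (longest prefix, then lowest metric; no PBR on 8.2)."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample built from the thread: existing lan1/lan2/outside plus
# the proposed G0/3 subinterfaces. One nat statement deliberately references
# an undefined nameif so the lint has something to catch.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.252 255.255.255.248
interface GigabitEthernet0/1
 nameif lan1
 security-level 50
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif lan2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet0/3.100
 vlan 100
 nameif lan3
 security-level 50
 ip address 192.168.3.1 255.255.255.0
interface GigabitEthernet0/3.200
 vlan 200
 nameif outside2
 security-level 0
 ip address 198.51.100.194 255.255.255.248
access-list Public_access_in extended permit icmp any any
global (outside) 1 interface
global (outside2) 2 interface
nat (lan1) 1 192.168.1.0 255.255.255.0
nat (lan2) 1 192.168.2.0 255.255.255.0
nat (tikary) 2 192.168.3.0 255.255.255.0
access-group Public_access_in in interface outside
access-group Public_access_in in interface outside2
route outside 0.0.0.0 0.0.0.0 203.0.113.249 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.193 250
"""

NAMEIF_RE = re.compile(r"^nameif (\S+)$")
IP_RE = re.compile(r"^ip address (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")
# Commands whose first argument must be an existing nameif.
REF_RES = (
    re.compile(r"^nat \((\S+)\)"),
    re.compile(r"^global \((\S+)\)"),
    re.compile(r"^access-group \S+ in interface (\S+)"),
    re.compile(r"^route (\S+) "),
)


def lines(config: str) -> List[str]:
    """Stripped, non-empty, non-comment lines."""
    out = [ln.strip() for ln in config.splitlines()]
    return [ln for ln in out if ln and not ln.startswith("!")]


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map each nameif to its connected network."""
    nets: Dict[str, ipaddress.IPv4Network] = {}
    name: Optional[str] = None
    for ln in lines(config):
        if ln.startswith("interface "):
            name = None
        elif m := NAMEIF_RE.match(ln):
            name = m.group(1)
        elif (m := IP_RE.match(ln)) and name:
            nets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets


def dangling_references(config: str) -> List[Tuple[str, str]]:
    """(command, nameif) pairs where the nameif is never defined."""
    defined = {m.group(1) for ln in lines(config) if (m := NAMEIF_RE.match(ln))}
    bad = []
    for ln in lines(config):
        for rx in REF_RES:
            m = rx.match(ln)
            if m and m.group(1) not in defined:
                bad.append((ln, m.group(1)))
    return bad


def parse_routes(config: str) -> List[Tuple[str, ipaddress.IPv4Network, str, int]]:
    routes = []
    for ln in lines(config):
        if m := ROUTE_RE.match(ln):
            iface, net, mask, gw, metric = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False),
                           gw, int(metric or 1)))
    return routes


def egress_interface(config: str, dst: str, down: Iterable[str] = ()) -> Optional[str]:
    """Longest prefix wins, then lowest metric. Interfaces in `down` are
    skipped (a failed ISP link). The source subnet is irrelevant: no PBR."""
    addr = ipaddress.ip_address(dst)
    down = set(down)
    cands = [(n, net, 0) for n, net in parse_interfaces(config).items()
             if n not in down and addr in net]
    cands += [(i, net, metric) for i, net, _gw, metric in parse_routes(config)
              if i not in down and addr in net]
    if not cands:
        return None
    return max(cands, key=lambda c: (c[1].prefixlen, -c[2]))[0]


if __name__ == "__main__":
    for cmd, name in dangling_references(SAMPLE_CONFIG):
        print(f"undefined nameif {name!r} in: {cmd}")
    for ifc in ("", "outside"):
        print(f"8.8.8.8 via {egress_interface(SAMPLE_CONFIG, '8.8.8.8', down=[ifc] if ifc else ())}"
              f"{' (outside down)' if ifc else ''}")
```

Run directly, it prints the dangling nat reference and shows that with both default routes present everything Internet-bound, including 192.168.3.0/24, leaves via outside; outside2 is used only once the outside route is gone.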
02-18-2014 05:34 AM
Now, my customer wants to add a new LAN segment (for example 192.168.3.0/24) and has recently purchased a new ISP service. He wants this new LAN segment to leave through the new ISP, and possibly a new VPN between this new segment and another site will appear.
If I am understanding correctly, your company has now acquired a new ISP connection and you want this new subnet to use that new connection for Internet and VPN? This is partially not possible. You will NOT be able to use this connection as an active link to the Internet.
The ASA only supports one active default gateway at any given time. If you want to use the second ISP connection actively, you need to either put a router or another firewall into the mix.
As for the VPN link, you can set up a separate site-to-site VPN that specifies the 192.168.3.0/24 subnet as the source and the remote site as the destination. So long as the remote site has a separate tunnel group for its connection, this should work.
--
Please remember to rate and select a correct answer
02-18-2014 10:13 AM
Hello.
It's possible to run the ASA in multiple context mode, having different default gateways and sets of VPNs.
But you need to update your firmware to version 9.x.
If you choose to stay with 8.2(5), then I would agree with Marius: you need an additional router to do the job.
02-20-2014 02:53 AM
Hi MikhailovskyVV,
These are the versions of my device:
ASA> show version
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
I can download the following images: "asa913-k8.bin" and "asdm-715.bin"
ASA# dir flash:
Directory of disk0:/
100 -rwx 15390720 11:59:42 Mar 13 2013 asa825-k8.bin
101 -rwx 16280544 15:11:44 Mar 13 2013 asdm-645.bin
102 -rwx 28672 19:00:00 Dec 31 1979 FSCK0000.REC
3 drwx 4096 19:03:10 Dec 31 2002 log
10 drwx 4096 19:03:22 Dec 31 2002 crypto_archive
11 drwx 4096 19:03:24 Dec 31 2002 coredumpinfo
104 -rwx 4096 19:00:00 Dec 31 1979 FSCK0001.REC
105 -rwx 12998641 15:07:10 Mar 13 2013 csd_3.5.2008-k9.pkg
106 drwx 4096 15:07:14 Mar 13 2013 sdesktop
107 -rwx 6487517 15:07:48 Mar 13 2013 anyconnect-macosx-i386-2.5.2014-k9.pkg
108 -rwx 6689498 15:07:56 Mar 13 2013 anyconnect-linux-2.5.2014-k9.pkg
109 -rwx 4678691 15:08:00 Mar 13 2013 anyconnect-win-2.5.2014-k9.pkg
255320064 bytes total (192139264 bytes free)
ASA# show version
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ASA up 1 day 18 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is e4d3.f112.0e9c, irq 9
1: Ext: GigabitEthernet0/1 : address is e4d3.f112.0e9d, irq 9
2: Ext: GigabitEthernet0/2 : address is e4d3.f112.0e9e, irq 9
3: Ext: GigabitEthernet0/3 : address is e4d3.f112.0e9f, irq 9
4: Ext: Management0/0 : address is e4d3.f112.0ea0, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX171180JB
Running Activation Key: 0xe638dc68 0xf4a83e3e 0xcc129924 0xb180fcc0 0x0b190e9d
Configuration register is 0x1
Configuration last modified by enable_15 at 05:57:50.617 PEST Wed Feb 19 2014
ASA#
Can I upgrade directly from 8.2(5) to 9.1? (I know that the current configuration will be lost, and also that the configuration syntax is different between the versions, but this is not a problem for me, because I can reconfigure it very fast.)
My doubt is whether any other license will be affected during the upgrade. As you can see, there are other files in the flash memory, some features related to the license appear in the output of the "show version" command, and on the final line the message "This platform has an ASA 5520 VPN Plus license" appears. My doubt is: after the upgrade (from 8.2 to 9.1), will these features change, will any license be affected?
The final objective is the following:
At this moment I have three LAN segments (for example lan1, lan2 and lan3) and two WANs (isp1 and isp2).
lan1 and lan2 leave via isp1, and there is a site-to-site VPN connection between lan1 and a different site. At this moment it is operating without any problem.
The problem is the third, lan3, because it must use the second ISP (isp2), and this lan3 will also open a VPN with another site. This requirement I cannot do with the 8.2 version. This requirement is like PBR on a router.
Can version 9.1 handle this feature (PBR)?
Please let me know
Regards
Andres
02-20-2014 03:17 AM
Can I upgrade directly from 8.2(5) to 9.1? (I know that the current configuration will be lost, and also that the configuration syntax is different between the versions, but this is not a problem for me, because I can reconfigure it very fast.)
You cannot upgrade directly from 8.2(5) to 9.1. You will need to first upgrade to 8.4(6), and from there you can upgrade to 9.1. Keep in mind that there are memory requirements when upgrading to 8.3 and higher. The minimum memory requirement for the 5520 when upgrading to 8.3 or higher is 2 GB.
My doubt is whether any other license will be affected during the upgrade
You should not have any issues with your licenses when upgrading. But as with any major change, you should make sure you have a backup of your licenses and configuration. If you have lost this or forgot to take a backup, contact Cisco licensing for further help: licensing@cisco.com
The problem is the third, lan3, because it must use the second ISP (isp2), and this lan3 will also open a VPN with another site
In this case you must use an active/active failover setup. You can configure this when using 8.2(5), and there is no need to upgrade to 9.1...yet.
Can version 9.1 handle this feature (PBR)?
No ASA can do PBR. The ASA is a firewall, not a router. If you want to do PBR then you need to insert a router into your network. You can manipulate traffic to an extent by using static routing and NAT, but anything past that you will not be able to do.
--
Please remember to rate and select a correct answer
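As an added example (not code from anyone in this thread), a Python pre-upgrade check that parses the "show version" output posted above and applies the rules stated in the replies: no direct jump from 8.2(5) to 9.1 (stage through 8.4(6)), 2 GB RAM minimum on a 5520 for 8.3 and later, and, for the multiple-context option MikhailovskyVV raised, whether the "Security Contexts" license entry allows at least two contexts. The sample output is a trimmed copy of the posted one with the serial number and activation key left out; the staging rule, thresholds and function names encode the thread's advice and are assumptions, not Cisco's official upgrade matrix.

```python
"""Parse ASA 'show version' output and work out the upgrade path and
prerequisites for moving from 8.2(5) to 9.1, per the advice in this thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample: trimmed copy of the output posted in the thread,
# with the serial number and activation key removed.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
This platform has an ASA 5520 VPN Plus license.
"""

Version = Tuple[int, int, int]

VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)")
HARDWARE_RE = re.compile(r"^Hardware:\s+(\S+),\s+(\d+) MB RAM")
LICENSE_RE = re.compile(r"This platform has an? (.+?) license\.")
FEATURE_RE = re.compile(r"^(.+?)\s*:\s*(.+?)\s*$")

# Rules as stated in the thread (assumption: they are not the full Cisco
# upgrade matrix): anything older than 8.4(6) stages through 8.4(6) before
# 9.1, and 8.3+ on a 5520 needs 2 GB of RAM.
STAGING_VERSION: Version = (8, 4, 6)
STAGING_LABEL = "8.4(6)"
MIN_RAM_MB_FOR_83_PLUS = 2048
CONTEXTS_NEEDED = 2  # one per ISP/default gateway


def parse_show_version(text: str) -> Dict[str, object]:
    """Pull version, platform, RAM, license name and licensed features."""
    info: Dict[str, object] = {"features": {}}
    in_features = False
    for line in text.splitlines():
        line = line.strip()
        if m := VERSION_RE.search(line):
            info["version"] = tuple(int(x) for x in m.groups())
        elif m := HARDWARE_RE.match(line):
            info["platform"], info["ram_mb"] = m.group(1), int(m.group(2))
        elif m := LICENSE_RE.search(line):
            info["license"] = m.group(1)
            in_features = False
        elif line.startswith("Licensed features"):
            in_features = True
        elif in_features and (m := FEATURE_RE.match(line)):
            info["features"][m.group(1)] = m.group(2)  # type: ignore[index]
    return info


def upgrade_path(current: Version, target: str = "9.1") -> List[str]:
    """Ordered list of images to install, following the thread's rule."""
    return [STAGING_LABEL, target] if current < STAGING_VERSION else [target]


def readiness(info: Dict[str, object], target: str = "9.1") -> Dict[str, object]:
    features: Dict[str, str] = info["features"]  # type: ignore[assignment]
    ctx_raw = features.get("Security Contexts", "0")
    contexts = int(ctx_raw) if ctx_raw.isdigit() else 0
    path = upgrade_path(info["version"], target)  # type: ignore[arg-type]
    return {
        "path": path,
        "direct_upgrade": len(path) == 1,
        "memory_ok": int(info["ram_mb"]) >= MIN_RAM_MB_FOR_83_PLUS,  # type: ignore[call-overload]
        "contexts_licensed": contexts,
        "multi_context_possible": contexts >= CONTEXTS_NEEDED,
    }


if __name__ == "__main__":
    parsed = parse_show_version(SAMPLE_SHOW_VERSION)
    for key, value in readiness(parsed).items():
        print(f"{key:>22}: {value}")
```

Run against a real "show version" capture, it tells you whether the box has the RAM for 8.3+ and the context license for the two-gateway design before you touch the flash; the staging rule is the one given in this thread, so confirm it against Cisco's release notes for the exact images you download.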