07-13-2010 12:46 PM - edited 03-11-2019 11:11 AM
Hi
We have a LAN/WAN infrastructure and are using a Cisco ASA 5510. One of our branch offices has 30 computers in the office room and 5 computers in the lobby. All computers in the LAN have IPs in the same range (10.10.70.1/24) and are able to access both the internet and the intranet (LAN). Now our management wants to separate the 5 computers in the lobby. These 5 computers are for the public; they only need internet access, not intranet (LAN) access. Does anyone have any suggestions or ideas as to how I could do this? Please have a look at the attached branch ASA configuration.
Any help would be much appreciated.
Thanks in advance.
Aminul
07-13-2010 01:23 PM
Hello,
You can configure the 5 PCs in the DMZ. Since you have an ASA5505 with the base license, anyways, the DMZ devices will not be able to communicate with the inside (they can only communicate with one other interface, and we can configure them to be communicating to the internet).
On the ASA:
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.71.1 255.255.255.0
exit
dhcpd address 10.10.71.2-10.10.71.31 dmz
dhcpd dns interface dmz
dhcpd enable dmz
nat (dmz) 1 0.0.0.0 0.0.0.0
This will make sure that your DMZ devices will get an IP from the ASA in a different range and will also be able to go out to the internet. The implicit deny between VLAN 3 and VLAN 1 will prevent these subnets from communicating with each other.
Note: When you are configuring the DNS server, please make sure that it points to an external DNS server.
Hope this helps.
Regards,
NT
07-14-2010 11:23 AM
Hi NT
Thanks for your reply. I would like to use the same IP segment (10.10.70.0). Is there any way to use the same IP range (10.10.70.0) for my 5 PCs? Right now we are using the ASA as the DHCP server for 10.10.70.0. Can I configure another DHCP scope (10.10.71.0) on the ASA? These 5 PCs are using the same switch as the LAN. What will the configuration be for my 5 PCs, and how will they get an IP from 10.10.71.0? I would appreciate it if you could let me know.
Regards,
Aminul
07-14-2010 01:47 PM
Hello,
Unfortunately, your DMZ interface can't use the same subnet as your inside interface. To accomplish this 3 interface setup, you will have to use the 10.10.71.x subnet for the DMZ. It is possible to set up another dhcp range (10.10.71.0) for the DMZ interface on the ASA using the commands that NT sent before (dhcpd address 10.10.71.2-10.10.71.31 dmz, dhcpd dns interface dmz, dhcpd enable dmz).
If these 5 PCs are connected to the same switch as the LAN, all you will need to do is create another VLAN on the switch and make the ports on the switch that these 5 PCs are connected to access-ports in that newly created VLAN. Then add another access-port in the newly created vlan for the uplink connection to the port on the ASA that you designate the "DMZ". In the example below the uplink would be connected to Ethernet0/7 on the ASA.
interface Vlan3
no forward interface Vlan1
ip address 10.10.71.1 255.255.255.0
nameif dmz
security-level 50
interface Ethernet0/7
switchport access vlan 3
Finally, for all this to work make sure that "ip routing" is not enabled on your switch because otherwise the switch will route the traffic from the 5 PCs to the LAN, bypassing the firewall entirely. In addition, make sure that you don't forget the "nat (dmz)" statement that NT suggested as this will allow users on the DMZ to pass through the firewall on the way to the internet.
Warm Regards,
BK
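As an added example (not code from this thread, from Cisco, or from the poster's attached configuration), the Python script below checks the rules BK and NT rely on against a constructed ASA config and a constructed IOS switch config embedded in the script: the DMZ subnet must not overlap the inside subnet, the DMZ DHCP pool must lie within the DMZ subnet, dmz needs a lower security-level than inside, a nat (dmz) statement must exist, the lobby ports and the uplink to the ASA must be access ports in the DMZ VLAN, and ip routing must not be enabled on the switch. The switch port names (FastEthernet0/1-5 for the lobby, FastEthernet0/24 as the uplink) and the inside interface details are assumptions chosen for the example.

```python
"""Added sanity check for the 3-interface ASA + switch design in this thread.

Both configs below are constructed for the example (not the poster's own);
the checks encode the rules stated in the answers.
"""
import ipaddress
import re

ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.70.1 255.255.255.0
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.71.1 255.255.255.0
interface Ethernet0/7
 switchport access vlan 3
dhcpd address 10.10.71.2-10.10.71.31 dmz
dhcpd enable dmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
"""

SWITCH_CONFIG = """\
vlan 3
interface range FastEthernet0/1 - 5
 switchport mode access
 switchport access vlan 3
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 3
"""
LOBBY_PORTS = [f"FastEthernet0/{n}" for n in range(1, 6)]  # assumed port names


def parse_asa(config):
    """Return (interfaces, dhcp_pools, nat_ifaces) from ASA-style config text."""
    interfaces, pools, nat_ifaces, cur = {}, {}, set(), None
    for line in (ln.strip() for ln in config.splitlines()):
        if line.startswith("interface "):
            cur = interfaces.setdefault(line.split()[1], {"nameif": None, "level": None, "net": None})
        elif cur is not None and line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and line.startswith("ip address ") and len(line.split()) == 4:
            cur["net"] = ipaddress.ip_interface("/".join(line.split()[2:])).network  # ip + netmask
        elif line.startswith("dhcpd address "):
            _, _, rng, ifname = line.split()
            pools[ifname] = tuple(ipaddress.ip_address(a) for a in rng.split("-"))
        elif line.startswith("nat ("):
            nat_ifaces.add(line[line.index("(") + 1:line.index(")")])
    return interfaces, pools, nat_ifaces


def check_asa(config, inside="inside", dmz="dmz"):
    """Return the list of violated rules; an empty list means the ASA side holds."""
    interfaces, pools, nat_ifaces = parse_asa(config)
    named = {i["nameif"]: i for i in interfaces.values() if i["nameif"]}
    if inside not in named or dmz not in named:
        return [f"interfaces {inside!r} and {dmz!r} must both have a nameif"]
    ins, dz, problems = named[inside], named[dmz], []
    if ins["net"] is None or dz["net"] is None:
        problems.append("inside and dmz both need a static ip address")
    elif ins["net"].overlaps(dz["net"]):  # BK's point: the DMZ cannot reuse the inside subnet
        problems.append(f"dmz subnet {dz['net']} overlaps inside subnet {ins['net']}")
    if None in (ins["level"], dz["level"]) or dz["level"] >= ins["level"]:
        problems.append("dmz security-level must be lower than inside")
    pool = pools.get(dmz)
    if pool is None:
        problems.append(f"no 'dhcpd address' pool bound to {dmz}")
    elif dz["net"] is not None and not all(a in dz["net"] for a in pool):
        problems.append(f"dhcpd pool {pool[0]}-{pool[1]} lies outside {dz['net']}")
    if dmz not in nat_ifaces:
        problems.append(f"no 'nat ({dmz})' statement, so dmz hosts cannot reach the internet")
    return problems


def parse_switch(config):
    """Return (port -> access VLAN, ip_routing_enabled) from IOS switch config text."""
    access_vlan, routing, ports = {}, False, []
    for line in (ln.strip() for ln in config.splitlines()):
        m = re.match(r"interface range (\S+?/)(\d+) - (\d+)$", line)
        if m:  # expand 'interface range X/a - b' into the individual ports
            ports = [f"{m.group(1)}{n}" for n in range(int(m.group(2)), int(m.group(3)) + 1)]
        elif line.startswith("interface "):
            ports = [line.split()[1]]
        elif line.startswith("switchport access vlan "):
            for port in ports:
                access_vlan[port] = int(line.split()[3])
        elif line == "ip routing":
            routing = True
    return access_vlan, routing


def check_switch(config, dmz_vlan, lobby_ports, uplink_port):
    """Return the list of violated rules for the switch side of the design."""
    access_vlan, routing = parse_switch(config)
    problems = [f"{p} is not an access port in VLAN {dmz_vlan}"
                for p in list(lobby_ports) + [uplink_port] if access_vlan.get(p) != dmz_vlan]
    if routing:  # BK's point: a routing switch would forward lobby traffic around the ASA
        problems.append("'ip routing' is enabled; the switch would route around the ASA")
    return problems


if __name__ == "__main__":
    print(check_asa(ASA_CONFIG) or "ASA side: OK")
    print(check_switch(SWITCH_CONFIG, 3, LOBBY_PORTS, "FastEthernet0/24") or "switch side: OK")
```

Running it prints "OK" for both sides; editing the embedded DMZ address to a 10.10.70.x value, or deleting the nat (dmz) line, makes the corresponding rule fire, which is the same mistake the follow-up question asked about.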
07-14-2010 02:19 PM
Hi
I really appreciate your support and valuable comments. I am going to implement it as per your instructions. Thanks again for your tutoring.
Thanks
Aminul