03-12-2013 06:43 PM - edited 03-11-2019 06:13 PM
Currently a network consists of two subnets, one subnet is behind an ASA and the other behind a PIX, both connecting to the ISP's routers. If the PIX is retired, is it possible to create/consolidate the two networks protected by the ASA5510 with the default gateway being the ISP?
How can two private networks be protected by the ASA5510? One conceptual way is to create the VLANs on a layer 3 switch, on the "inside" interface of the ASA. In this scenario what would the "inside" network's IP address be? If the above is possible, how would NATting occur?
Is there an efficient configuration to protect two networks protected by the 5510, other than creating a DMZ?
Is it possible to create two private networks with the same security level, 100, on a three-network-interface connection?
Thanks.
03-12-2013 06:52 PM
How can two private networks be protected by the ASA5510?
You can have the L3 switch take care of routing, add a route for the new network on the ASA pointing to the switch and have the ASA do a nat translation for all the hosts behind the inside interface.
something like this [post-8.3]
object network internal-nets
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
In this scenario what would the "inside" network's IP address be?
The address on the switch will be similar to the one on the PIX, the network ID will remain the same.
Is there an efficient configuration to protect two networks protected by the 5510, other than creating a DMZ?
A DMZ is kind of a gray-area where traffic from secure and non-secure networks can meet. It normally hosts servers accessible from the outside.
Answering your question, you can create a second internal interface with the highest security level and have it access the outside the same way the other internal users do.
You can have a three network interface configuration. Inside, Inside 1 and the outside.
03-12-2013 07:07 PM
Thank you. In your reply,
In this scenario what would the "inside" network's IP address be?
"The address on the switch will be similar to the one on the PIX, the network ID will remain the same."
For example, the network protected by the ASA is 192.168.10.0. The network protected by the PIX is 192.168.20.0.
The above networks will be consolidated behind the ASA by creating two VLANs on a L3 switch. Do you suggest assigning the switch's management VLAN the IP address 192.168.20.1?
03-12-2013 07:30 PM
That's right.
The switch is going to have a VLAN configured with the 192.168.20.1 IP address and will be the gateway for the hosts in that network.
It will also have an IP address on the 192.168.10.0 network that will let you configure a default route on the switch pointing to the ASA's internal IP address.
The ASA will also need a route pointing to the 192.168.20.0 network using the IP address of the switch as next hop.
03-12-2013 07:41 PM
"It will also have an IP address on the 192.168.10.0 network that will let you configure a default route on the switch pointing to the ASA's internal IP address. " How is this done?
03-12-2013 07:48 PM
Ha, yeah, a somewhat confusing statement.
Here, an example.
192.168.20.0----SW----192.168.10.0-----ASA---outside
The switch will have one interface on both networks.
The one on the .20 network will work as default gateway for users on that subnet.
The one on the .10 network will work as next hop when the ASA needs to communicate with the 192.168.20.0 network.
It will be necessary to configure routes on the SWITCH and ASA.
The one on the SW will be a default route pointing to the ASA as next hop.
The one on the ASA will tell the unit where the 192.168.20.0 network resides.
Hope this is clear enough.
03-12-2013 09:12 PM
Thank you.
03-13-2013 04:02 AM
Is it possible to configure the ASA to protect 4 internal networks? If so, how? Thus there would be four VLANs and a L3 switch.
03-13-2013 09:52 AM
Yes, it will be possible to configure 4 networks, even more if you want.
While doing this, remember the ASA limitations. But 4 networks, depending on their size [I'm thinking /24 nets], should not be a problem for the ASA.
You can configure 4 vlans on the L3 sw, plus the one that is directly behind the ASA, or just all four networks behind the SWITCH and a small network [/30] behind the ASA.
03-13-2013 11:08 AM
I am still confused. Could you kindly provide a sample ASA configuration for a three VLAN network protected by the ASA?
Much appreciated.
03-13-2013 03:24 PM
There's nothing much you have to do on the ASA more than letting the guy know where the networks reside and how to contact them. [routes]
Same example:
192.168.20.0
192.168.30.0----SW----192.168.10.0-----ASA---outside
192.168.40.0
The switch will have one interface in all networks.
The ones on the .20/.30/.40 network will work as default gateway for users on that subnet.
The one on the .10 network will work as next hop when the ASA needs to communicate with the 192.168.20.0 network.
It will be necessary to configure routes on the SWITCH and ASA.
The one on the SW will be a default route pointing to the ASA as next hop.
The ones on the ASA will tell the unit where the 192.168.20.0, 192.168.30.0 and 192.168.40.0 networks reside.
The nat configuration on the ASA remains the same, creating a PAT translation for all the devices behind the inside interface.
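As an added illustration of the routed design described in this thread (not configuration posted by any participant): the L3 switch owns the client VLANs and defaults to the ASA, the ASA routes the client subnets back to the switch and PATs them to the outside. The transit addressing (ASA inside 192.168.10.1, switch 192.168.10.2), the interface names and the 203.0.113.x ISP addresses are assumptions for the example.

```cisco
! ---- L3 switch (Catalyst IOS); addresses are assumed, not from the thread ----
ip routing
vlan 10
vlan 20
vlan 30
vlan 40
!
interface Vlan10
 description transit link to ASA inside
 ip address 192.168.10.2 255.255.255.0
interface Vlan20
 description gateway for the old PIX subnet
 ip address 192.168.20.1 255.255.255.0
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
!
interface GigabitEthernet0/1
 description uplink to ASA inside
 switchport access vlan 10
 switchport mode access
!
! anything the switch does not own goes to the ASA
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
! ---- ASA 5510, 8.3+ syntax; 203.0.113.x is a placeholder for the ISP hand-off ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! return path: the ASA must know the switched subnets live behind the switch
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.20.0 255.255.255.0 192.168.10.2 1
route inside 192.168.30.0 255.255.255.0 192.168.10.2 1
route inside 192.168.40.0 255.255.255.0 192.168.10.2 1
!
! PAT only the subnets you actually own, rather than 0.0.0.0/0
object-group network internal-nets
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
nat (inside,outside) source dynamic internal-nets interface
```

If one of the `route inside` lines is missing, outbound packets still leave (the switch defaults to the ASA) but the ASA has no return path, so `show route` on the ASA is the first check when a new VLAN cannot reach the Internet.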
03-14-2013 10:46 AM
You can also have scenarios where the different subnets are carried on different switch vlans. You can exceed the number of physical interfaces on the ASA if you use subinterfaces and trunk ports. E.g.
192.168.20.0 -- vlan 200 ----------- 192.168.20.1 Gi0/1
192.168.30.0 -- vlan 300 --- SW ==== 192.168.30.1 Gi0/2.1 == ASA -- outside
192.168.40.0 -- vlan 400 ----------- 192.168.40.1 Gi0/2.2
On the switch this might look like:
-------------
vlan 66
 name no_clients
vlan 200
 name A
vlan 300
 name B
vlan 400
 name C
interface gi0/1
 description client on subnet A
 switchport access vlan 200
 switchport mode access
interface gi0/2
 description client on subnet B
 switchport access vlan 300
 switchport mode access
interface gi0/3
 description client on subnet C
 switchport access vlan 400
 switchport mode access
...
interface gi0/40
 description firewall Gi0/1 on subnet A
 switchport access vlan 200
 switchport mode access
interface gi0/41
 description firewall GI0/2 trunk - subnets B, C
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 66
 switchport trunk allowed vlan 1,300,400
 switchport mode trunk
 switchport nonegotiate
On the ASA, the interfaces might look like:
----------------
interface Gi0/1
 nameif a-lan
 security-level 80
 ip address 192.168.20.1 255.255.255.0
interface Gi0/2
 description trunk master
 no nameif
 no security-level
 no ip address
interface Gi0/2.1
 vlan 300
 nameif b-lan
 security-level 70
 ip address 192.168.30.1 255.255.255.0
interface Gi0/2.2
 vlan 400
 nameif c-lan
 security-level 60
 ip address 192.168.40.1 255.255.255.0
If the switch isn't doing any routing, it doesn't need any IP addresses on the client vlans. It would need an address on a separate management vlan (not shown).
Typically one would use identity NAT between the VLANs the ASA is routing, and PAT externally.
Also, we pretty much ignore the security levels, and group access-lists on all of the interfaces to control what traffic can go where.
-- Jim Leinweber, WI State Lab of Hygiene
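An added example (not part of the post above) of the ASA side of the trunked design: per-interface PAT to the outside, plus interface access-lists that make the inter-VLAN policy explicit instead of relying on security levels. It assumes 8.3+ syntax, the interface names from the post, and an example server 192.168.40.10 on c-lan that b-lan clients need over HTTPS.

```cisco
! ---- ASA side, 8.3+ syntax; host 192.168.40.10 is an assumed example server ----
! Outbound PAT per VLAN interface. Traffic between a-lan, b-lan and c-lan is
! routed by the ASA itself and needs no NAT rule on 8.3+.
object network a-lan-net
 subnet 192.168.20.0 255.255.255.0
 nat (a-lan,outside) dynamic interface
object network b-lan-net
 subnet 192.168.30.0 255.255.255.0
 nat (b-lan,outside) dynamic interface
object network c-lan-net
 subnet 192.168.40.0 255.255.255.0
 nat (c-lan,outside) dynamic interface
!
! Once an ACL is bound to an interface, security levels no longer decide what
! that interface's hosts may reach: the ACL does, and it ends in an implicit deny.
object-group network rfc1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object network srv-c
 host 192.168.40.10
!
! b-lan clients: HTTPS to one server on c-lan, Internet access, nothing else internal
access-list b-lan_in extended permit tcp 192.168.30.0 255.255.255.0 object srv-c eq 443
access-list b-lan_in extended deny ip any object-group rfc1918
access-list b-lan_in extended permit ip 192.168.30.0 255.255.255.0 any
access-group b-lan_in in interface b-lan
!
! c-lan: Internet only; replies to b-lan's HTTPS sessions pass via stateful inspection
access-list c-lan_in extended deny ip any object-group rfc1918
access-list c-lan_in extended permit ip 192.168.40.0 255.255.255.0 any
access-group c-lan_in in interface c-lan
```

Without these ACLs the defaults apply: a-lan (80) may initiate anything toward b-lan (70) and c-lan (60), which is rarely the intended segmentation once VLANs exist for a reason.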
03-14-2013 01:52 PM
Thank you.