10-27-2011 10:35 PM - edited 03-11-2019 02:43 PM
Hello Community,
I am new in the ASA world so I need your help very much!!
I have to configure a new VLAN (its name is vlan220, IP: x.x.220.0/24); vlan220 must have internet and should communicate with another VLAN (its name is vlan200, IP: x.x.200/24).
In ASDM Device Setup > Interfaces I configured vlan220, so I now have the following:
Ethernet0/1.200 security level 50 and
Ethernet0/1.220 security level 50
but I don't know how to go on so that the 2 VLANs can communicate and vlan220 gets internet!!!
Can somebody help me?
Is there maybe a step-by-step guide?
Thank you very much
Best regards, Tony
10-27-2011 10:44 PM
Hi Tony,
Well, the first thing is that you will need to check a box in the Access Rules section that says "Allow traffic to flow between same security interfaces" or something like that. Then two static rules and two dynamic rules. I can easily drop the commands here, but it seems like you want to have it via ASDM.
What version are you using on the ASA firewall? (ASA code). Depending on that, the syntax on the commands changes, and it looks different on ASDM too.
Mike
10-27-2011 10:49 PM
Hi Tony,
It's very difficult to tell you how to do it from the ASDM, but if you ask me, the equivalent CLI commands would be:
nat (vlan220) 5 0.0.0.0 0.0.0.0
global (outside) 5 interface
outside should be the name of your internet-facing interface.
For inter-VLAN access:
same-security-traffic permit inter-interface
static (vlan220,vlan200) xx.xx.xx.220 xx.xx.xx.220
static (vlan200,vlan220) xx.xx.xx.200 xx.xx.xx.200
If you still want to go for the ASDM, you can refer to this guide:
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/nat_82.html
Moreover, you can google and find some YouTube videos as well; that would certainly help.
Thanks,
Varun
10-27-2011 11:20 PM
I have ASA version 8.2(1), ASDM Version 3.2(1)
10-27-2011 11:47 PM
It must be ASDM 6.2.1; here's the guide for it:
http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/nat.html
Thanks,
Varun
10-27-2011 11:54 PM
Hi Tony,
Basically what you can do (and this is something that I do particularly) is to paste configuration on the command line and then take a look at it on the ASDM; then you can guide yourself doing the rest. For example, to communicate with the two DMZs you need to check the box in the Firewall Rules section.
Then you will need to configure the NAT, so let's say for example that one of your DMZs (DMZ1, sec level 50) is 10.10.10.0/24 and the other (DMZ2, sec level 50) is 20.20.20.0/24.
You don't really need to translate these networks to any other IP, so basically you can configure a NAT statement that will translate those IPs to the same ones. You can drop these lines on the CLI built into the ASDM (make sure you select Multiple lines).
These will be the lines that you need:
static (DMZ1,DMZ2) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
Click on Send, then go to the NAT Rules section and see the line there; click on Edit and check how it was configured by the ASDM. Now the only thing you need to do is to create another one, but from DMZ2 going to DMZ1 and with the network 20.20.20.0.
For the Internet access it will be the following on the CLI of the ASDM (again multiple lines, and assuming you have an interface connected to the outside with 1 public IP to access the internet; the name is outside and it has a security level of 50 or less):
nat (DMZ1) 1 0 0
global (outside) 1 interface
That will translate the internal DMZ1 subnet to the outside IP address of the firewall, doing a PAT. Now you can go back to the NAT rules and check how that was created.
Let me know if you have any doubts.
Mike
10-27-2011 11:57 PM
I can also try with CLI commands!!
10-28-2011 12:05 AM
Nice Tony,
Give it a try and if you have issues let me know.
Mike.
10-28-2011 01:54 AM
Hey Mike, thank you for helping. I did what you told me; I have in the NAT rules:
on DMZ1 side:
type: static, source: DMZ1, interface: DMZ2, address: DMZ1
on the DMZ2 side:
type: static, source: DMZ2, interface: DMZ1, address: DMZ2
type: dynamic, source: any, interface: outside, address: outside
but I don't have internet on DMZ2, and the 2 DMZs do not communicate.
What shall I also do?
Tony
10-28-2011 03:05 AM
Hi Tony,
What tests did you do and which failed?
Post following outputs:
-sh route
-sh run nat
-sh run global
-sh run static
-sh run | i same-security
Regards.
Alain
10-28-2011 04:11 AM
-sh route:
C x.x.x.0 255.255.255.0 is directly connected, DMZ2
C y.y.y.0 255.255.255.0 is directly connected, DMZ1
S 192.168.253.1 255.255.255.255 [1/0] via 217.5.98.6, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 217.5.98.6, outside
-sh run nat
nat (DMZ1) 0 access-list DMZ1_nat0_outbound
nat (DMZ1) 1 y.y.y.0 255.255.255.0
nat (DMZ2) 1 x.x.x.0 255.255.255.0
-sh run global
global (outside) 1 interface
-sh run static
static (DMZ1,outside) tcp interface www access-list DMZ1_nat_static
static (DMZ1, DMZ2) y.y.y.0 y.y.y.0 netmask 255.255.255.0
static (DMZ2, DMZ1) x.x.x.0 x.x.x.0 netmask 255.255.255.0
-sh run | i same-security
same-security-traffic permit intra-interface
and when I run packet tracer from DMZ2 to DMZ1 port 80 on interface DMZ2
I get "the packet is dropped" (see attachment)
Tony
10-28-2011 04:39 AM
Hi Tony,
You have the wrong command added, you need to add this:
same-security-traffic permit inter-interface
Hope that helps.
Thanks,
Varun
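A small checker, added here as an example and not part of any reply in this thread, that runs the three diagnoses the replies above apply by hand over the pre-8.3 `sh run` output: each dynamic `nat (if) N` needs a `global (outside) N`, identity statics must exist in both directions between the two same-security DMZs, and `same-security-traffic permit inter-interface` (not `intra-interface`) must be present. The sample config is constructed from the outputs posted above with placeholder subnets.

```python
import re

# Constructed sample modelled on the "sh run" outputs posted above, with
# placeholder subnets; added example, not a reply from the thread.
SAMPLE_RUN = """
nat (DMZ1) 0 access-list DMZ1_nat0_outbound
nat (DMZ1) 1 10.10.10.0 255.255.255.0
nat (DMZ2) 1 20.20.20.0 255.255.255.0
global (outside) 1 interface
static (DMZ1,outside) tcp interface www access-list DMZ1_nat_static
static (DMZ1, DMZ2) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (DMZ2, DMZ1) 20.20.20.0 20.20.20.0 netmask 255.255.255.0
same-security-traffic permit intra-interface
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\S+?),\s*(\S+?)\) (\S+) (\S+)")

def check_asa82_nat(config, dmz_a, dmz_b, outside="outside"):
    """Return findings for the pre-8.3 NAT pattern used in this thread."""
    findings, nat_ids, global_ids, statics = [], [], set(), set()
    inter = intra = False
    for line in config.strip().splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            if m.group(2) != "0":            # nat 0 is exemption, needs no global
                nat_ids.append((m.group(1), m.group(2)))
        elif m := GLOBAL_RE.match(line):
            global_ids.add((m.group(1), m.group(2)))
        elif m := STATIC_RE.match(line):
            if m.group(3) == m.group(4):     # identity static: real == mapped
                statics.add((m.group(1), m.group(2)))
        elif line == "same-security-traffic permit inter-interface":
            inter = True
        elif line == "same-security-traffic permit intra-interface":
            intra = True
    # A dynamic "nat (if) N" only works with a "global (outside) N" to PAT to.
    for iface, nid in nat_ids:
        if (outside, nid) not in global_ids:
            findings.append(f"nat ({iface}) {nid} has no matching global ({outside}) {nid}")
    # Identity statics are needed in both directions between the two DMZs.
    for a, b in ((dmz_a, dmz_b), (dmz_b, dmz_a)):
        if (a, b) not in statics:
            findings.append(f"missing identity static ({a},{b})")
    if not inter:   # intra-interface (hairpin) does not permit DMZ1<->DMZ2
        findings.append("same-security-traffic permit inter-interface missing"
                        + (" (only intra-interface is set)" if intra else ""))
    return findings
```

Run against the sample it reports only the missing inter-interface line, which is exactly the fix given in the reply above; feed it the real `sh run nat`, `sh run global`, `sh run static` and `sh run | i same-security` output concatenated.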
10-28-2011 05:19 AM
cooooool,
I can access DMZ1 from DMZ2,
but on DMZ2 I still have no internet.
Tony
10-28-2011 05:45 AM
Hi,
What do you mean by no internet on DMZ2? You're trying to get to the internet from DMZ2? Isn't it the contrary you want, that is, port forward some services on DMZ2 for hosts on the internet?
Anyway, the NAT config for DMZ2 to the internet is OK, as well as the routing, so you must investigate ACLs:
Can you post: sh access-list and sh run access-group
Alain.
10-28-2011 06:08 AM
I also want clients in DMZ2 to have internet.