3254 Views | 0 Helpful | 10 Replies

Create a Vlan and enable dhcp on asa 5506

LogicalIT (Level 1)

Hello,

 

I am not sure if this is possible, but how would I create a VLAN 30 on only port 4 and have users who are connected to a switch on that port only on VLAN 30 on a Cisco ASA 5506? Is it possible to have another DHCP for this VLAN? So in other words, a small team will be connected to a switch on port 4 that only has access to VLAN 30 on a 5506 and should only get DHCP (if possible; if not, we can static assign) from that VLAN's pool. The switch is a normal switch that is plugged into port 4.

1 Accepted Solution

Accepted Solutions

If I am understanding this discussion correctly there is no need for a layer 3 switch. A layer 2 switch should be ok. If a switch is connected to Gi1/3 and all its ports are in the same vlan it should do most of what you want. You could give it any vlan number you want or you could leave it at the default of vlan 1. The ASA will not care and the switch will not care. The main thing that I do not see in the posted config is any DHCP for 192.168.98.0.

HTH

Rick


10 Replies

Hello

If I understand you correctly:

You want a small VLAN isolated from the rest of the network, with users in this VLAN receiving DHCP allocation from the ASA - correct? If yes, then this is indeed applicable to do.

What you need to do is create the L3 interface for this VLAN and DHCP scope on the ASA, and attach the switch to port 4 via an access port in the same VLAN on the switch. Any clients then attaching to the switch should be able to receive addressing and route accordingly.

As the ASA by default negates inter-LAN communication, you should only need to add a NAT statement for internet access if applicable.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
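The steps Paul describes (a routed L3 interface on the ASA port, a DHCP scope bound to it, and reuse of the existing PAT toward outside), written out as an added ASA CLI example. This is not Paul's or the thread's own configuration; the interface name "team30", the 192.168.30.0/24 subnet, and the DNS address 192.0.2.53 are assumed placeholders, and the ACL at the end is an optional addition that makes the isolation explicit and logged rather than relying only on the default same-security behaviour.

```cisco
! Added example (not from the thread): routed interface on Gi1/4 plus an ASA-served DHCP scope.
! Assumed values: nameif "team30", subnet 192.168.30.0/24, DNS server 192.0.2.53 (placeholder).
! On an ASA 5506 running 9.6 the ports are routed interfaces, so the "VLAN 30" number lives only
! on the switch; the ASA just sees untagged frames arriving on Gi1/4.
interface GigabitEthernet1/4
 nameif team30
 security-level 100
 ip address 192.168.30.1 255.255.255.0
 no shutdown
!
! DHCP scope served by the ASA on that interface; the pool must fall inside the interface subnet.
! The ASA hands out its own interface address (192.168.30.1) as the default gateway.
dhcpd address 192.168.30.10-192.168.30.100 team30
dhcpd dns 192.0.2.53 interface team30
dhcpd lease 86400 interface team30
dhcpd enable team30
!
! Internet access needs no new NAT rule as long as the catch-all PAT already in the posted
! config is kept:
!   object network obj_any
!    nat (any,outside) dynamic interface
!
! Isolation from "inside" (also security-level 100) holds because
! "same-security-traffic permit inter-interface" is not set (the default on this box).
! Optional: make that isolation explicit and logged instead of implicit.
access-list team30_in extended deny ip 192.168.30.0 255.255.255.0 192.168.98.0 255.255.255.0 log
access-list team30_in extended permit ip 192.168.30.0 255.255.255.0 any
access-group team30_in in interface team30
```

On the switch side, every port the team uses, including the uplink to Gi1/4, must be an untagged access port in the same VLAN: a routed ASA interface without subinterfaces will not accept 802.1Q-tagged frames. DHCP requests to the ASA itself are to-the-box traffic and are not subject to the interface ACL, so the explicit deny above does not interfere with address assignment.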

Yes, that is exactly what I need. How would I go about doing that, if possible, in ASDM?

Hello

Never done it in ASDM tbh - however I can gladly provide a CLI example if you wish.

Could you post the running configuration of the FW if possible?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I removed the sensitive info, but let me know if I took away too much (or left too much). The 192.168.98.x (gig 3) network is the one that I attempted to create with no luck. Basically the VLAN will be 192.168.98.x getting DHCP from the ASA. Do I need a layer 3 switch to do this, or can the ASA do the work and I can use a normal switch? Sorry if that is what you said and I misunderstood.

 

: Saved

:
: Serial Number: ********
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by **** at 20:35:04.303 UTC Wed Feb 12 2020
!
ASA Version 9.6(4)3
!
hostname ciscoasa
enable password ******* encrypted
names
no mac-address auto
ip local pool net-10vpnclient 10.0.0.1-10.0.0.10 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address **.***.***.*** 255.255.255.248
!
interface GigabitEthernet1/2
nameif guest
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.98.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_28
subnet 10.0.0.0 255.255.255.240
object network obj_192.168.98.0
subnet 192.168.98.0 255.255.255.0
access-list split standard permit 192.168.98.0 255.255.255.0
access-list out_to_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu guest 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static obj_192.168.98.0 obj_192.168.98.0 destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group out_to_in in interface outside
route outside 0.0.0.0 0.0.0.0 96.93.205.118 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 444
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 guest
http 192.168.98.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair vpn
crl configure
crypto ca trustpool policy

quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2
anyconnect profiles isotecvpn_client_profile disk0:/isotecvpn_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_isotecvpn internal
group-policy GroupPolicy_isotecvpn attributes
wins-server none
dns-server value
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain none
webvpn
anyconnect profiles value isotecvpn_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username
tunnel-group isotecvpn type remote-access
tunnel-group isotecvpn general-attributes
address-pool net-10vpnclient
default-group-policy GroupPolicy_isotecvpn
tunnel-group isotecvpn webvpn-attributes
group-alias isotecvpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:
: end

 


@Richard Burts 


@Richard Burts wrote:

If I am understanding this discussion correctly there is no need for a layer 3 switch. A layer 2 switch should be ok.


That's correct, Richard. My understanding is the L3 is going to be on the ASA along with its own DHCP scope.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

My sincerest apologies. The comment I posted was incorrect. 192.168.98.x is the LAN network that is working. We created a new LAN on another port that is 192.168.90.x and enabled DHCP, but we are unable to get out to the internet, as I am sure I am missing rules. What would I need to add to get that LAN out to the internet? Currently we do not have access to the firewall to get the latest configuration (that shows this update) as the client is closed for the day, but that is the only change.

When I read a post that says that a new network has been configured and it cannot access the Internet, my first reaction is to suspect that address translation may not include the new network. But looking at the posted config I find this:

object network obj_any
nat (any,outside) dynamic interface

so we need to look for other issues. It would be best if we could see a current config that has the changes for the new network. But if that is not available at this time, can you tell us more about how the new network was configured? Which interface? What IP address and mask was configured on the interface? What security level was assigned? Can you give us the parameters specified in the DHCP pool? When devices are connected on the switch, do they receive IP addresses? If so, are the mask and default gateway correct? Also, am I understanding correctly that the devices in this new network should have access to the Internet but not to any other resources in your network?

 

HTH

Rick
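Rick's checklist (interface settings, DHCP pool, address translation) turned into the ASA show commands a practitioner would run, as an added example that is not part of the thread. The interface name "lan90", the port GigabitEthernet1/4, the client address 192.168.90.10 and the destination 198.51.100.10 are assumed placeholders; the thread only gives the 192.168.90.x subnet.

```cisco
! Added example (not from the thread): verifying a new network that gets DHCP but no Internet.
! Assumed: nameif "lan90" on GigabitEthernet1/4 with 192.168.90.0/24, a client at 192.168.90.10,
! and 198.51.100.10 as a placeholder Internet host.
!
! 1. Interface is up with the intended address, mask and security-level
show interface ip brief
show running-config interface GigabitEthernet1/4
!
! 2. The DHCP scope exists on that interface and clients are actually taking leases from it
show running-config dhcpd
show dhcpd binding
show dhcpd statistics
!
! 3. The new subnet is covered by a translation toward outside (here the obj_any catch-all PAT)
show nat detail
!
! 4. Simulate one client flow end to end; the output names the phase (ACL, NAT, route)
!    that drops the packet, which is usually faster than reading the whole config
packet-tracer input lan90 tcp 192.168.90.10 40000 198.51.100.10 80 detailed
!
! 5. After a real attempt from a client, look for deny or no-translation messages for the subnet
show logging | include 192.168.90.
```

If step 2 shows no bindings, the problem is on the switch or the DHCP scope, not routing; if packet-tracer reports a drop in the NAT phase, the subnet is not matched by any translation rule despite the catch-all; a drop in the ACL phase means an access-group applied to the new interface lacks a permit for outbound traffic.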

Sorry for the late response I got everything working and it was just as simple as adding dhcp to a new interface and putting a switch for the devices. Thanks!

Thanks for the update. Glad that you were able to work out a solution and that our suggestions were helpful.

HTH

Rick