02-13-2020 06:09 AM
Hello,
I am not sure if this is possible, but how would I create VLAN 30 on only port 4 and have users who are connected to a switch on that port only on VLAN 30 on a Cisco ASA 5506? Is it possible to have another DHCP for this VLAN? So in other words, a small team will be connected to a switch on port 4 that only has access to VLAN 30 on a 5506 and should only get DHCP (if possible; if not, we can statically assign) from that VLAN's pool. The switch is a normal switch that is plugged into port 4.
02-13-2020 08:39 AM - edited 02-13-2020 08:50 AM
Hello
If I understand you correctly:
You want a small VLAN isolated from the rest of the network, with users in this VLAN receiving DHCP allocation from the ASA, correct? If yes, then this is indeed possible to do.
What you need to do is create the L3 interface for this VLAN and a DHCP scope on the ASA, and attach the switch to port 4 via an access port in the same VLAN on the switch; any clients then attaching to the switch should be able to receive addressing and route accordingly.
As the ASA by default negates inter-LAN communication, you should only need to add a NAT statement for internet access, if applicable.
02-13-2020 08:42 AM
Yes, that is exactly what I need. How would I go about doing that, if possible, in ASDM?
02-13-2020 08:53 AM
Hello
Never done it in ASDM, TBH; however, I can gladly provide a CLI example if you wish.
Could you post the running configuration of the FW, if possible?
02-13-2020 09:04 AM
I removed the sensitive info, but let me know if I took away too much (or left too much). The 192.168.98.x (Gig 3) network is the one that I attempted to create with no luck. Basically, the VLAN will be 192.168.98.x, getting DHCP from the ASA. Do I need a layer 3 switch to do this, or can the ASA do the work so I can use a normal switch? Sorry if that is what you said and I misunderstood.
: Saved
:
: Serial Number: ********
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by **** at 20:35:04.303 UTC Wed Feb 12 2020
!
ASA Version 9.6(4)3
!
hostname ciscoasa
enable password ******* encrypted
names
no mac-address auto
ip local pool net-10vpnclient 10.0.0.1-10.0.0.10 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address **.***.***.*** 255.255.255.248
!
interface GigabitEthernet1/2
nameif guest
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.98.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_28
subnet 10.0.0.0 255.255.255.240
object network obj_192.168.98.0
subnet 192.168.98.0 255.255.255.0
access-list split standard permit 192.168.98.0 255.255.255.0
access-list out_to_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu guest 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static obj_192.168.98.0 obj_192.168.98.0 destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group out_to_in in interface outside
route outside 0.0.0.0 0.0.0.0 96.93.205.118 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 444
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 guest
http 192.168.98.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair vpn
crl configure
crypto ca trustpool policy
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2
anyconnect profiles isotecvpn_client_profile disk0:/isotecvpn_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_isotecvpn internal
group-policy GroupPolicy_isotecvpn attributes
wins-server none
dns-server value
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain none
webvpn
anyconnect profiles value isotecvpn_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username
tunnel-group isotecvpn type remote-access
tunnel-group isotecvpn general-attributes
address-pool net-10vpnclient
default-group-policy GroupPolicy_isotecvpn
tunnel-group isotecvpn webvpn-attributes
group-alias isotecvpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:
: end
02-13-2020 12:43 PM
If I am understanding this discussion correctly, there is no need for a layer 3 switch. A layer 2 switch should be OK. If a switch is connected to Gi1/3 and all its ports are in the same VLAN, it should do most of what you want. You could give it any VLAN number you want, or you could leave it at the default of VLAN 1. The ASA will not care and the switch will not care. The main thing that I do not see in the posted config is any DHCP for 192.168.98.0.
02-13-2020 02:16 PM - edited 02-13-2020 02:16 PM
@Richard Burts wrote:
If I am understanding this discussion correctly there is no need for a layer 3 switch. A layer 2 switch should be ok.
That's correct, Richard. My understanding is the L3 is going to be on the ASA, along with its own DHCP scope.
02-14-2020 05:16 AM
My sincerest apologies. The comment I posted was incorrect. 192.168.98.x is the LAN network that is working. We created a new LAN on another port that is 192.168.90.x and enabled DHCP, but we are unable to get out to the internet, as I am sure I am missing rules. What would I need to add to get that LAN out to the internet? Currently we do not have access to the firewall to get the latest configuration (that shows this update), as the client is closed for the day, but that is the only change.
02-15-2020 07:54 AM
When I read a post that says that a new network has been configured and it cannot access the Internet, my first reaction is to suspect that address translation may not include the new network. But looking at the posted config I find this:
object network obj_any
nat (any,outside) dynamic interface
so we need to look for other issues. It would be best if we could see a current config that has the changes for the new network. But if that is not available at this time, can you tell us more about how the new network was configured? Which interface? What IP address and mask were configured on the interface? What security level was assigned? Can you give us the parameters specified in the DHCP pool? When devices are connected on the switch, do they receive IP addresses? If so, are the mask and default gateway correct? Also, am I understanding correctly that the devices in this new network should have access to the Internet but not to any other resources in your network?
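Putting the earlier answer (routed interface plus DHCP scope on the ASA, access port on the switch) and the checks asked about here (interface, mask, security level, DHCP parameters, Internet-only access) into one CLI fragment. This is an added example, not configuration from the thread or from Cisco: it assumes GigabitEthernet1/4, the interface name "team", the 192.168.90.0/24 subnet mentioned above, and a placeholder DNS server address.

```text
! Added example (not from the thread). Assumed: Gi1/4, nameif "team",
! 192.168.90.0/24 for the isolated team network, <DNS_SERVER_IP> is a placeholder.
interface GigabitEthernet1/4
 no shutdown
 nameif team
 security-level 50
 ip address 192.168.90.1 255.255.255.0
!
! DHCP scope served by the ASA on the team interface.
! Clients get the interface address (192.168.90.1) as default gateway automatically.
dhcpd address 192.168.90.10-192.168.90.100 team
dhcpd dns <DNS_SERVER_IP> interface team
dhcpd lease 3600 interface team
dhcpd enable team
!
! Inbound ACL on the team interface: deny the other internal ranges from the
! posted config (inside, guest, VPN pool), then permit everything else (Internet).
! Once an ACL is applied, it replaces the implicit security-level behaviour, so
! isolation is explicit rather than relying on the level chosen above.
access-list team_in extended deny ip 192.168.90.0 255.255.255.0 192.168.98.0 255.255.255.0
access-list team_in extended deny ip 192.168.90.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list team_in extended deny ip 192.168.90.0 255.255.255.0 10.0.0.0 255.255.255.240
access-list team_in extended permit ip 192.168.90.0 255.255.255.0 any
access-group team_in in interface team
!
! No new NAT rule is needed for Internet access: the existing
! "object network obj_any / nat (any,outside) dynamic interface" already
! translates any source interface, including team, to the outside address.
!
! Verification after the change
show interface ip brief
show dhcpd binding
show nat
show access-list team_in
```

If clients receive a lease but still cannot reach the Internet, compare the hit counts in `show access-list team_in` and the translations in `show nat` to see whether the traffic is being dropped by the ACL or never translated.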
02-19-2020 04:59 AM
02-19-2020 06:49 AM
Thanks for the update. Glad that you were able to work out a solution and that our suggestions were helpful.