06-29-2013 12:27 PM - edited 02-21-2020 04:55 AM
How can I configure two ports on an ASA 5510 (version 8.4(5)) or so with two different inside networks to go out one outside interface, or two inside and two outside, routing one inside to one outside and the other inside to the remaining outside?
Specifically, I've got all three interfaces with DHCP and all basic configuration; I've got one inside (10.1.0.0) successfully going out to the internet (208.83.73.193 for instance) but I'm not sure how to get the second internal interface (192.168.1.0) out to the internet.
I don't need VPN or any connectivity between the two internal networks.
This is my basic configuration:
interface Ethernet0/0
nameif Internet
security-level 0
ip address 208.83.73.x 255.255.255.240
interface Ethernet0/1
nameif Internal
security-level 100
ip address 10.1.1.1 255.255.0.0
interface Ethernet0/2
description Guest Network Interface
nameif GuestNetwork
security-level 100
ip address 192.168.1.1 255.255.255.0
route Internet 0.0.0.0 0.0.0.0 208.83.73.206 1
route Internet 192.168.1.0 255.255.255.0 208.83.73.206 1
dhcpd address 10.1.5.100-10.1.5.254 Internal
dhcpd dns 10.1.2.7 10.2.1.200 interface Internal
dhcpd wins 10.1.2.7 interface Internal
dhcpd lease 432000 interface Internal
dhcpd domain
interface Internal
dhcpd enable Internal
dhcpd address 192.168.1.2-192.168.1.50 GuestNetwork
dhcpd dns 208.67.222.222 208.67.220.220 interface GuestNetwork
dhcpd enable GuestNetwork
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
nat (Internal,Internet) dynamic interface
I tried to configure NAT for the guest network the same way I configured it for the 10.1.0.0 network, and also static NAT, and it didn't work (maybe I did it wrong).
If getting this accomplished is possible I would greatly appreciate a sample configuration of whatever I need to do to get it done.
Please help,
I also found these two articles from Cisco that apply to ASA version 8.3, and I'm guessing they might also apply to version 8.4(5); please let me know if so:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b7c939.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b1ee95.shtml
Thanks
06-29-2013 04:34 PM
Two inside networks to one outside is no different from a DMZ and inside to outside. Both come from a higher security level and go to a lower security level. In your case, where the second inside network is for guest users, I would use a lower security level, as the guest network is probably not as trusted as the inside network.
The second requirement (two inside, two outside) would need a form of policy-based routing, which the ASA doesn't support the way you want to use it (there are some hacks with NAT, but that's really awful). What you could use for that are the security contexts: one context with inside1/outside1, the other context with inside2/outside2. There you can easily route traffic from inside1 to outside1 and from inside2 to outside2.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
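The security-context layout described in the reply above, written out as an added example (not configuration from this thread or from Cisco's documentation). Context names, config-url paths and the interface-to-context assignment are assumptions; the ASA 5510 interface names (Ethernet0/0-0/3, Management0/0) are the platform's own. Each context then carries its own nameif, IP addressing, NAT and default route, so inside1 can only ever leave through outside1.

```cisco
! --- system execution space (added example, assumed names) ---
! "mode multiple" is entered once from single mode and reboots the unit;
! check "show version" first: the 5510 only allows contexts with the
! Security Plus license.
mode multiple
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! Context 1 owns inside1 (Ethernet0/1) and outside1 (Ethernet0/0).
context site1
 allocate-interface Ethernet0/0
 allocate-interface Ethernet0/1
 config-url disk0:/site1.cfg
!
! Context 2 owns inside2 (Ethernet0/2) and outside2 (Ethernet0/3).
context site2
 allocate-interface Ethernet0/2
 allocate-interface Ethernet0/3
 config-url disk0:/site2.cfg

! --- inside context site1 (changeto context site1); site2 is analogous ---
interface Ethernet0/0
 nameif outside1
 security-level 0
 ip address 198.51.100.2 255.255.255.240      ! documentation address, constructed
interface Ethernet0/1
 nameif inside1
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
object network inside1-net
 subnet 10.1.0.0 255.255.0.0
 nat (inside1,outside1) dynamic interface
!
! The only default route in this context points at outside1's next hop,
! so traffic from inside1 cannot be steered to the other context's uplink.
route outside1 0.0.0.0 0.0.0.0 198.51.100.1 1
```

Because each context has its own routing table, there is no policy-based routing to get wrong: a packet entering inside1 can only match site1's default route. Verify from the system space with `show context` (both contexts should be Active) and from inside each context with `show route` and `show nat`.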
06-29-2013 01:19 PM
Jose
I would think that 2 inside networks to one outside network should work and think that the config that you have posted should be pretty close to what is needed.
In general 8.3 and 8.4 are pretty similar and I would expect any command given in the documentation for 8.3 should work for 8.4.
The main thing that I question in your config is the static route for 192.168.1.0. As a connected network it should work without any static route.
HTH
Rick
06-29-2013 02:09 PM
Yeah, the static route was added after unsuccessfully playing around with NAT rules just for testing and then got removed; I did not notice it got included in the discussion.
And in regard to the two article links I posted, they actually said that what I'm trying to accomplish is only possible if I add a router before the ASA.
Sent from Cisco Technical Support iPhone App
06-29-2013 07:26 PM
That's right! Thanks a lot!
Sent from Cisco Technical Support iPhone App
07-01-2013 11:07 AM
This is how I was able to configure it:
interface Ethernet0/2
nameif Guest
security-level 50
ip address 192.168.1.1 255.255.255.0
object network Guest
subnet 192.168.1.0 255.255.255.0
nat (Guest,internet) dynamic interface
access-list Guest-network extended permit udp any any
access-list Guest-network extended permit ip any any
access-group Guest-network in interface Guest
dhcpd address 192.168.1.2-192.168.1.50 Guest
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd enable Guest
Sent from Cisco Technical Support iPhone App
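A hardened variant of the guest-interface configuration from the post above, added here as an example (it is not the poster's config). Interface and object names and the two subnets follow the thread; the object `Internal-net` and the `deny` line are additions. The point it shows: once an `access-group` is applied inbound on Guest, the interface ACL replaces the implicit security-level check, so `permit ip any any` by itself also lets the guest network (security-level 50) reach the Internal network (security-level 100) at 10.1.0.0/16. The explicit deny before the permit keeps the guest network Internet-only, which is what the original question asked for.

```cisco
! Added example: guest interface with Internet access only (assumed names).
interface Ethernet0/2
 nameif Guest
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
object network Guest
 subnet 192.168.1.0 255.255.255.0
 nat (Guest,Internet) dynamic interface
!
! Object for the trusted inside network (addition, taken from the thread's
! Internal interface 10.1.1.1/16).
object network Internal-net
 subnet 10.1.0.0 255.255.0.0
!
! Order matters: the deny must come before the catch-all permit, otherwise
! "permit ip any any" would also allow Guest -> Internal.
access-list Guest-network extended deny ip any object Internal-net
access-list Guest-network extended permit ip any any
access-group Guest-network in interface Guest
!
dhcpd address 192.168.1.2-192.168.1.50 Guest
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest
dhcpd enable Guest
```

To confirm the policy before trusting it, run `packet-tracer input Guest tcp 192.168.1.10 12345 10.1.2.7 445` (a constructed guest host to the thread's internal DNS/WINS server) and expect the result to end in DROP at the ACCESS-LIST phase, then repeat with an Internet destination such as 8.8.8.8 port 53 and expect ALLOW with the NAT phase translating to the Internet interface address; `show access-list Guest-network` shows hit counts on the deny line once guest clients actually try.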