Configure Two Ports on an ASA5510 with 2 Different Inside Networks

terrabyte777
Level 1

How can I configure two ports on an ASA5510 (version 8.4(5) or so) with 2 different inside networks to go out one outside interface, or two inside and two outside, routing one inside to one outside and the other inside to the remaining outside?


Specifically, I have all three interfaces with DHCP and all basic configuration. I have one inside network (10.1.0.0) successfully going out to the internet (208.83.73.193 for instance), but I'm not sure how to get the second internal interface (192.168.1.0) out to the internet.


I don't need VPN or any connectivity between the two internal networks.

This is my basic configuration:


interface Ethernet0/0
 nameif Internet
 security-level 0
 ip address 208.83.73.x 255.255.255.240
!
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
interface Ethernet0/2
 description Guest Network Interface
 nameif GuestNetwork
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route Internet 0.0.0.0 0.0.0.0 208.83.73.206 1
route Internet 192.168.1.0 255.255.255.0 208.83.73.206 1
!
dhcpd address 10.1.5.100-10.1.5.254 Internal
dhcpd dns 10.1.2.7 10.2.1.200 interface Internal
dhcpd wins 10.1.2.7 interface Internal
dhcpd lease 432000 interface Internal
dhcpd domain xxx.xxxxx.xxxx.gov interface Internal
dhcpd enable Internal
!
dhcpd address 192.168.1.2-192.168.1.50 GuestNetwork
dhcpd dns 208.67.222.222 208.67.220.220 interface GuestNetwork
dhcpd enable GuestNetwork
!
object network obj-10.1.0.0
 ! subnet line not in the post as quoted; inferred from the object name and the /16 Internal interface
 subnet 10.1.0.0 255.255.0.0
 nat (Internal,Internet) dynamic interface


I tried to configure NAT for the guest network the same way I configured it for the 10.1.0.0 network, and also static NAT, and it didn't work (maybe I did it wrong).

If getting this accomplished is possible, I would greatly appreciate a sample configuration of whatever I need to do to get it done.

Please help,

I also found these two articles from Cisco that apply to ASA Version 8.3, and I'm guessing they might also apply to Version 8.4(5); please let me know if so:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b7c939.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b1ee95.shtml

Thanks

Accepted Solution

Two inside networks to one outside is not different from a DMZ and inside to outside. Both come from a higher security level and go to a lower security level. In your case, where the second inside network is for guest users, I would use a lower security level, as the guest network is probably not as trusted as the inside network.

The second requirement (two inside, two outside) would need a form of policy-based routing, which the ASA doesn't support the way you want to use it (there are some hacks with NAT, but that's really awful). What you could use for that are security contexts: one context with inside1/outside1, the other context with inside2/outside2. There you can easily route traffic from inside1 to outside1 and from inside2 to outside2.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
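The two-context layout the accepted answer describes, written out as an added example (this is not configuration from the thread or from Cisco's documentation). It assumes the fourth ASA 5510 port, Ethernet0/3, is free for the second ISP, that a license allowing security contexts (Security Plus on the 5510) is installed, and uses 203.0.113.0/24 documentation space as a stand-in for the second ISP's addressing. Names such as site1, site2, inside1 and outside2 are arbitrary.

```text
! --- System execution space (after "mode multiple" and the reload it triggers) ---
! Physical interface state lives here; nameif/ip address are set inside each context.
interface Ethernet0/0
 no shutdown
interface Ethernet0/1
 no shutdown
interface Ethernet0/2
 no shutdown
interface Ethernet0/3
 no shutdown
interface Management0/0
 no shutdown
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context site1
 description Internal users to first ISP
 allocate-interface Ethernet0/0
 allocate-interface Ethernet0/1
 config-url disk0:/site1.cfg
!
context site2
 description Guest users to second ISP (assumed to exist)
 allocate-interface Ethernet0/2
 allocate-interface Ethernet0/3
 config-url disk0:/site2.cfg

! --- Context site1 ("changeto context site1"), addressing taken from the original post ---
interface Ethernet0/0
 nameif outside1
 security-level 0
 ip address 208.83.73.x 255.255.255.240
interface Ethernet0/1
 nameif inside1
 security-level 100
 ip address 10.1.1.1 255.255.0.0
object network inside1-net
 subnet 10.1.0.0 255.255.0.0
 nat (inside1,outside1) dynamic interface
route outside1 0.0.0.0 0.0.0.0 208.83.73.206 1

! --- Context site2 ("changeto context site2"), second ISP addresses are placeholders ---
interface Ethernet0/3
 nameif outside2
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/2
 nameif inside2
 security-level 50
 ip address 192.168.1.1 255.255.255.0
object network inside2-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside2,outside2) dynamic interface
route outside2 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Each context has its own routing table and its own set of interfaces, so inside1 can only ever leave via outside1 and inside2 via outside2, and there is no path between the two inside networks inside the box at all; the guest isolation the question asks for falls out of the design rather than depending on an access list. The cost is that multiple-context mode on 8.4 drops features such as VPN, which the original post says it does not need.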

5 Replies

Richard Burts
Hall of Fame

Jose

I would think that 2 inside networks to one outside network should work and think that the config that you have posted should be pretty close to what is needed.

In general 8.3 and 8.4 are pretty similar and I would expect any command given in the documentation for 8.3 should work for 8.4.

The main thing that I question in your config is the static route for 192.168.1.0. As a connected network it should work without any static route.

HTH

Rick

terrabyte777
Level 1

Yeah, the static route was added after unsuccessfully playing around with NAT rules just for testing, and then got removed; I did not notice it got included in the discussion.

And in regards to the two article links I posted, they actually say that what I'm trying to accomplish is only possible if I add a router before the ASA.

Sent from Cisco Technical Support iPhone App

That's right! Thanks a lot!

Sent from Cisco Technical Support iPhone App

terrabyte777
Level 1

This is how I was able to configure it:

interface Ethernet0/2
nameif Guest
security-level 50
ip address 192.168.1.1 255.255.255.0

object network Guest
subnet 192.168.1.0 255.255.255.0
nat (Guest,internet) dynamic interface


access-list Guest-network extended permit udp any any
access-list Guest-network extended permit ip any any
access-group Guest-network in interface Guest

dhcpd address 192.168.1.2-192.168.1.50 Guest
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd enable Guest

Sent from Cisco Technical Support iPhone App
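One caveat a reviewer would raise about the working configuration above, shown as an added example rather than anything from the thread. With Guest at security level 50 and Internal at 100, the ASA denies guest-initiated connections to Internal by default. Applying an access-group inbound on Guest replaces that security-level check with the ACL, so `permit ip any any` re-opens Guest to the 10.1.0.0/16 network. The block below shows the posted ACL beside a corrected one that keeps internet access but blocks private address space; the object-group name PRIVATE-NETS is an arbitrary choice.

```text
! --- As posted: after access-group is applied, this permits Guest -> Internal ---
access-list Guest-network extended permit udp any any
access-list Guest-network extended permit ip any any
access-group Guest-network in interface Guest

! --- Corrected: deny RFC 1918 space (which includes 10.1.0.0/16 behind Internal),
! --- then permit everything else, i.e. the internet. DHCP from the ASA's own
! --- dhcpd is to-the-box traffic and is not subject to this interface ACL.
object-group network PRIVATE-NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
clear configure access-list Guest-network
access-list Guest-network extended deny ip any object-group PRIVATE-NETS
access-list Guest-network extended permit ip any any
access-group Guest-network in interface Guest
!
! Scope the guest DNS servers to the Guest interface instead of setting them globally.
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest
```

The simplest alternative is to apply no access-group on Guest at all: 50 to 0 is permitted by default, so guest hosts reach the internet, and 50 to 100 stays denied. The explicit deny is still worth having if an ACL is ever added later for other reasons, since it documents the isolation rather than relying on the implicit rule.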
