cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

151
Views
0
Helpful
4
Replies
Highlighted
Beginner

asa 5510 fulfilling the needs

i must segmenting my network. the network would look like in attachment. i have switches cisco catalyst 2960 and all my users go to internet over asa 5510. number of users is 250. the asa 5510 can fullfill the needs? i have one more question. my VLAN70 contains servers.how users from outside of the asa 5510 to access to VLAN70 not like NAT? in VLAN70 contains DNS servers, Domain Controller. those users over NAT wouldn't see Domain controller for authentication. because i'm created VLAN90 that i'd sidestepped the ASA5510 and over VLAN's infratructure i will enable access to server. is this solution possible?

Everyone's tags (2)
4 REPLIES 4
Beginner

5510s are end of life and

5510s are end of life and would suggest replacing with a 5512X or a 5508X.
However, a 5510 will do what you want.  I assume the 2960-24 Master has ports in each VLAN and then a trunk to the ASA?
You need to create a subinterfaces off your ASA for those VLANs.  Then you can control everything through the ASA with ACLS.
You could make ACLs to allow whatever you want inbound to whatever subinterface you desire.
!
Example:
access-list INBOUND permit tcp any X.X.X.X X.X.X.X eq XX
access-group INBOUND in interface OUTSIDE
!
Example:
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.2
 description VLAN70 Connection
 vlan 20
 nameif vlan20
 security-level 100
 ip address X.X.X.X X.X.X.X
!
interface Ethernet0/1.4
 description VLAN70 Connection
 vlan 40
 nameif vlan40
 security-level 100
 ip address X.X.X.X X.X.X.X
!
interface Ethernet0/1.5
 description VLAN70 Connection
 vlan 50
 nameif vlan50
 security-level 100
 ip address X.X.X.X X.X.X.X
!
interface Ethernet0/1.6
 description VLAN70 Connection
 vlan 60
 nameif vlan60
 security-level 100
 ip address X.X.X.X X.X.X.X
!
interface Ethernet0/1.7
 description VLAN70 Connection
 vlan 70
 nameif vlan70
 security-level 100
 ip address X.X.X.X X.X.X.X
!
interface Ethernet0/1.8
 description VLAN70 Connection
 vlan 80
 nameif vlan80
 security-level 100
 ip address X.X.X.X X.X.X.X
!
interface Ethernet0/1.9
 description VLAN70 Connection
 vlan 90
 nameif vlan90
 security-level 100
 ip address X.X.X.X X.X.X.X
Beginner

As regards VLAN90, where the

As regards VLAN90, where the cable went from router to asa 5510 port which belongs to VLAN90 (is this posible?). this construction i would use that users from the others network can authenticating to active directory(VLAN70) and they use the other services. i dont know how use active directory over ASA5510's NAT. can you help me?

Beginner

If I am understanding you

If I am understanding you correctly:

If you have open public IP addresses you could do some static NATing so that your inside server(s) are accessible to the outside world.
Depending on the configuration and Windows OS....you would need to refer to MS for ports to allow---->(https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx)
You could do something like:
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address PUBLICIPADDRESS1 SUBNETMASK
!
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.7
 description VLAN70 Connection
 vlan 70
 nameif vlan70
 security-level 100
 ip address X.X.X.X X.X.X.X
!
access-list inbound remark Active Directory
access-list inbound extended permit tcp any host PRIVATEIPADDRESS eq PORT
access-list inbound extended permit tcp any host PRIVATEIPADDRESS range PORT PORT
!
object network Active Directory
 host PRIVATEIPADDRESS
!
object network Active Directory
 nat (vlan70,outside) static PUBLICIPADDRESS2
!
access-group inbound in interface outside
!
Now devices from the outside can access PUBLICIPADDRESS2 via the outside on the ports you designate in the ACL
Beginner

the users from outside ASA

the users from outside ASA 5510 are not from public networks(internet). those users are from the other networks of my company. the ISP is made tunnels from those networks over ISP router to outside ASA5510. my construction  with VLAN90 from attached picture will work?the accessing from one VLAN to another also works over NAT?

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards