ASA firewall configuration

bahmansadiq
Level 1

Hi everyone,

I just started working in a company which has only one ASA 5520 firewall but no router. Can I use this firewall to route the network?

How would my topology look? Is it possible to do router-on-a-stick on an ASA firewall?

All we have is one Cisco 2960 switch and one ASA 5520. Can I make a network with them?

 


12 Replies

Ganesh Hariharan
VIP Alumni
Hi,

Yes, you can use the ASA in routed mode with static routing for a small network. As you have a Cisco 2960 L2 switch, create a trunk from it to an ASA interface, and the gateway for all VLANs will be the ASA.

If you have an internet link connecting to the ASA, add a single default route towards the internet.

With the ASA as the gateway you can protect host communication by having ACL rules in place on the ASA.

Hope it helps..

-GI

Rate if it helps..

Hi,

Thank you for your response. How can I give a DG for every VLAN on the ASA? Can I make sub-interfaces on the ASA like on a router?

If it is possible, send me a draft topology of how it looks.

Highly appreciated

Hi,

Check out the link below, which gives a good explanation of interface creation and usage.

http://www.gomjabbar.com/2012/05/08/cisco-asa-5520-creating-subinterfaces/#sthash.E9zKJP4g.dpbs

Hope it helps..

-GI

Rate if it helps..

Stefan Menning
Level 1

Hi,

Adding to the answer of Ganesh, you should also use:

same-security-traffic permit intra-interface

on the ASA in global config mode. This enables the ASA to send traffic out of the same interface that it was received on. The default ASA behavior is to drop such traffic.

Best Regards,

Stefan

Hello,

Suppose

you have 3 VLANs: 11, 12, 13 (192.168.x.x)

Your ASA is connected to the Internet on port G0/0 (126.1.1.1)

Your 2960 is connected to the ASA on port G0/1 (both links are trunks).

To configure:

1- Assign your public IP to port G0/0

2- Default route to your service provider

3- Create several SVIs on interface G0/1

4- Assign a VLAN to each SVI

5- NAT (your private addresses to the public address)

6- Remember to put a policy from inside to outside to access the internet (it is denied by default).

7- same-security-traffic permit intra-interface allows your LANs to bypass the firewall when communicating with each other.

 

The configuration looks like this (there might be some errors because it is handwritten):

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 126.1.1.1 255.255.255.252
!
! physical trunk port: no IP, no name; the VLANs live on its sub-interfaces
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! one sub-interface per VLAN; its address is the default gateway for that VLAN
interface GigabitEthernet0/1.11
 vlan 11
 nameif Accounting
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1.12
 vlan 12
 nameif Technical
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface GigabitEthernet0/1.13
 vlan 13
 nameif Managers
 security-level 100
 ip address 192.168.13.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 126.1.1.2
!
same-security-traffic permit intra-interface
! the three sub-interfaces are separate interfaces at the same security level,
! so traffic between them additionally needs:
same-security-traffic permit inter-interface
!
! the object subnet must match the Accounting sub-interface network (192.168.11.0/24)
object network MyAccountingLan
 subnet 192.168.11.0 255.255.255.0
!
nat (Accounting,outside) source dynamic MyAccountingLan interface

 

And so on .....

 

Hope it helps,

Masoud

 

Hi Masoud,

I have configured the ASA firewall and the switch exactly the way you guys taught me, but I cannot ping my ASA from the switch or the PC using its management interface IP / inside interface IP.

Also, the NAT command doesn't work the way you have done it.

Attached please find the configuration of both the switch and the ASA. Kindly see what is wrong that I can't ping or bring up ASDM.

Thank you

Hello,

For the first step, allow ICMP on the ASA with this command:

icmp permit 192.168.10.0 255.255.255.0 Network-Managment

You should be able to ping the ASA (VLAN 10) from the switch and from the PC after applying this command.

Hi Masoud,

I highly appreciate your patience. I did put in the icmp permit command the way you asked me, but I still cannot ping my PC / switch, or even any port on the ASA itself.

Looking forward to hearing from you.

Thank you

Check to see whether the trunk interface is up. Try changing the native VLAN to 1 just for a test. Keep VLAN 10 for ping purposes. After that, try these pings:

Ping from the PC to 192.168.10.10 (switch)

Switch to ASA

PC to ASA

I did trunk the switch port as:

switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan all

There might be some misconfiguration in the ASA itself. Will you be free in 3 hours to take a remote session to look at it?
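The following puts Masoud's seven steps, Stefan's same-security note and the later replies about icmp permit and the trunk native VLAN together into one complete ASA plus 2960 configuration. It is an added example, not a configuration from any poster in this thread. It assumes ASA software 8.3 or later (object NAT syntax), the placeholder addressing used above (126.1.1.0/30 on the outside, 192.168.10.0/24 to 192.168.13.0/24 for VLANs 10 to 13, the switch at 192.168.10.10) and interface, object and ACL names of my choosing. Two points differ from the posts and are facts about ASA behaviour rather than guesses: traffic between two different sub-interfaces that share security-level 100 needs same-security-traffic permit inter-interface (intra-interface only covers traffic leaving the interface it arrived on), and a VLAN that is the trunk's native VLAN on the switch leaves that port untagged, so an ASA sub-interface with a vlan tag for it never sees it.

```cisco
! ---- ASA 5520 (8.3+ assumed) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 126.1.1.1 255.255.255.252
!
! Physical trunk port carries no IP; each VLAN gets a tagged sub-interface.
interface GigabitEthernet0/1
 description 802.1Q trunk to 2960 Gi0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif Network-Managment
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1.11
 vlan 11
 nameif Accounting
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1.12
 vlan 12
 nameif Technical
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface GigabitEthernet0/1.13
 vlan 13
 nameif Managers
 security-level 100
 ip address 192.168.13.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 126.1.1.2 1
!
! All LAN sub-interfaces are security-level 100; without this line the ASA
! drops traffic between two different same-level interfaces (inter-VLAN routing).
same-security-traffic permit inter-interface
!
! PAT each LAN subnet behind the outside interface address (object NAT form).
object network LAN-Accounting
 subnet 192.168.11.0 255.255.255.0
 nat (Accounting,outside) dynamic interface
object network LAN-Technical
 subnet 192.168.12.0 255.255.255.0
 nat (Technical,outside) dynamic interface
object network LAN-Managers
 subnet 192.168.13.0 255.255.255.0
 nat (Managers,outside) dynamic interface
!
! Segmentation: Accounting may not reach Managers but may go anywhere else.
! An applied ACL ends in an implicit deny, hence the trailing permit.
access-list ACCOUNTING_IN extended deny ip 192.168.11.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list ACCOUNTING_IN extended permit ip 192.168.11.0 255.255.255.0 any
access-group ACCOUNTING_IN in interface Accounting
!
! Pings to the ASA itself and ASDM (HTTPS) only from the management VLAN.
icmp permit 192.168.10.0 255.255.255.0 Network-Managment
http server enable
http 192.168.10.0 255.255.255.0 Network-Managment
!
! ---- Catalyst 2960 ----
vlan 10
 name Network-Managment
vlan 11
 name Accounting
vlan 12
 name Technical
vlan 13
 name Managers
vlan 999
 name UNUSED-NATIVE
!
! The native VLAN is sent untagged and never matches an ASA sub-interface,
! so it must not be one of the VLANs the ASA routes (VLAN 10 here would break management).
interface GigabitEthernet0/1
 description Trunk to ASA Gi0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-13
!
interface FastEthernet0/1
 description example access port in Accounting
 switchport mode access
 switchport access vlan 11
!
! Switch management address; its gateway is the ASA sub-interface for VLAN 10.
interface Vlan10
 ip address 192.168.10.10 255.255.255.0
ip default-gateway 192.168.10.1
```

With this in place the pings Masoud lists (PC to 192.168.10.10, switch to 192.168.10.1, PC to 192.168.10.1) should all succeed from VLAN 10; on the ASA, show interface GigabitEthernet0/1.10 and show nat detail confirm the sub-interface is up and the translations are being hit. The explicit outbound policy of step 6 is not needed for these ACLs because traffic from a level-100 interface to the level-0 outside is allowed by default, but once an access-group is applied to an interface, everything not permitted there is dropped.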

 

 

Did you change native VLAN  to 1? I am going to sleep. It is midnight here now.

Please share the last configuration.


 

Alright, I am going to change it and send you the final configuration. Email me your contact at Bahman.sadiq@gmail.com

Thank you

Good night
