Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2315
Views
0
Helpful
4
Replies

ASA5505 - Setting up a LAN to access Internet

Go to solution
james00010
Level 1
Level 1

‎07-26-2013 03:19 AM - edited ‎03-07-2019 02:36 PM

Hi there,

I am new to the Networking and CISCO world, although I used to play around iptables and Untangle firewalls. Unfortunately my laptop does not have a serial port and until I get a USB-to-RS232 adapter I am going to use ASDM for the setup of my infrastructure. So basically I want to replace Untangle with my newly delivered ASA5505 to obtain the following fairly simple infrastructure:

VLAN1 - management (192.168.1.1)

VLAN2 - outside interface internet (x.x.x.x)

VLAN3 - lan (192.168.100.x)

First of all suffice to say that I am on the base licence. Can I make the lan (vlan3) connect to the internet? I have restricted flow from vlan3 to vlan1 to be able to use a third vlan, and hopefully connect it to the internet. For some reason, I am not able to reach the internet from vlan3 although I got a DHCP .100 address on the client and can connect to the others.

When I connect the laptop to the management interface, I have internet access.

The only static route I have is the default internet one. I am assuming all the other VLANs communicate with each other.

Can someone help me please?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
JohnTylerPearce
Level 7
Level 7

‎07-26-2013 04:51 AM

I'm assuming the Outside Interface is at Security Level 0 and the LAN interface is at Security Level 100.

If the LAN interface, cannot get access to the Internet, make sure there is a dynamic PAT entry for the network.

The internal IP Addresses with need to have a public IP assoicated with them, to communicate to the internet, so like I said above, make sure there is a dynamic PAT entry. You can configure this with the ASDM.

If you have just a static route which goes to the nxt hop of your Outside interface that is a good first step.

If you have multiple internal networks behind the LAN interface, you need to create a static map to point towards them.

Please let me know if you have any further questions.

View solution in original post

0 Helpful

Go to solution
ipcruiser81
Level 1
Level 1

‎07-26-2013 03:53 PM

Hi,

Yes with the base license you can have up to 3 VLANs, however, the 3rd VLAN can only forward traffic in one direction.

From what you've described, it sounds like you could be missing NAT/PAT configuration. Make sure VLAN 3 subnet is PATed on the internet facing interface of the firewall, which is your outside interface in this case. Also, clients should have VLAN 3 as its default gateway. VLAN 3 should be able to reach the internet however wont be able to initiate connections out to clients in VLAN 1.

Rgds

View solution in original post

0 Helpful
4 Replies 4

Go to solution
JohnTylerPearce
Level 7
Level 7

‎07-26-2013 04:51 AM

I'm assuming the Outside Interface is at Security Level 0 and the LAN interface is at Security Level 100.

If the LAN interface, cannot get access to the Internet, make sure there is a dynamic PAT entry for the network.

The internal IP Addresses with need to have a public IP assoicated with them, to communicate to the internet, so like I said above, make sure there is a dynamic PAT entry. You can configure this with the ASDM.

If you have just a static route which goes to the nxt hop of your Outside interface that is a good first step.

If you have multiple internal networks behind the LAN interface, you need to create a static map to point towards them.

Please let me know if you have any further questions.

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to JohnTylerPearce

‎07-26-2013 07:38 AM

Hello

On the outside interface - ( facing the internet)  you  can either:

1) enable dhcp and use the set-route command to use the default-gateway from the allocated ip range

     int vlan

     nameif outside

     ip address dhcp setroute

2) apply a static Ip address and set a default route to point to the next hop ip of the isp public ip

   

int vlan

     nameif outside

     ip address X.X.X.X  Y.Y.Y.Y

     route outside 0 0  X.X.X.X  ( isp public next-hop ip)

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
ipcruiser81
Level 1
Level 1

‎07-26-2013 03:53 PM

Hi,

Yes with the base license you can have up to 3 VLANs, however, the 3rd VLAN can only forward traffic in one direction.

From what you've described, it sounds like you could be missing NAT/PAT configuration. Make sure VLAN 3 subnet is PATed on the internet facing interface of the firewall, which is your outside interface in this case. Also, clients should have VLAN 3 as its default gateway. VLAN 3 should be able to reach the internet however wont be able to initiate connections out to clients in VLAN 1.

Rgds

0 Helpful

Go to solution
james00010
Level 1
Level 1

‎08-13-2013 12:47 PM

Thanks for the replies.

I needed to add a dynamic NAT entry similar to the default mgmt<-->internet one for the lan interface.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card