08-28-2012 09:38 AM - edited 03-07-2019 08:34 AM
Hello everyone,
I will begin by saying that I'm very close to noob status in this area.
I will try to explain my problem for you, and see if anyone can help me.
The setup is like this:
I have two different cabinets, A and B; each cabinet has an ASA5505 connected to an ISP, a layer 2 switch and some servers.
Each cabinet has its own subnet.
Between these cabinets is a cat cable. (not connected yet)
The goal is for the servers in each cabinet to be able to communicate with each other without accessing the internet.
Should this just be a matter of connecting the two ASAs, and they will find the subnet on the other side?
Do I have to add some static routes?
NATs?
ACL changes?
Please point me in the right direction.
I have attached a picture explaining the setup.
Thanks in advance.
Martin
Solved!
08-29-2012 02:37 AM
You have to configure on both ASAs a new VLAN, with a new subnet. This can be used as a transfer network between the ASAs. The static routes point to the other side's IP in that subnet. The ACLs on these new VLAN interfaces have to permit the needed traffic and the NAT has to be adjusted with NAT exemption.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-28-2012 10:53 AM
You connect the cable, add a static route on both ASAs and add an ACL to the new interface to permit traffic between the two firewalls. It's pretty simple, no hidden trick here.
08-28-2012 11:09 AM
Thanks! I'll try that.
Might get back with more questions.
/Martin
08-29-2012 02:09 AM
Hi Dominic,
It does not seem to work.
Shouldn't there be a problem when I connect a cable from Vlan1 (10.0/24) on ASA-A to Vlan1 (70.0/24) on ASA-B?
If I look in the ARP and routing tables, the ASA does not "see" the network on the other side.
Thanks again!
/Martin
08-29-2012 04:02 AM
Thanks Karsten! I got it to work.
As you said, I added one VLAN on each ASA:
ASA A got 192.168.50.0/24 with ip 192.168.50.1
ASA B got 192.168.50.0/24 with ip 192.168.50.2
and I added the static routes:
ASA A points to 192.168.50.2 when traffic is intended for the B network
ASA B points to 192.168.50.1 when traffic is intended for the A network
I allowed same security level networks to pass traffic to each other.
No NATs were needed to make it work.
Next I will look into ACL to limit the traffic allowed between the networks.
Thanks all for your help.
Have a nice day!
/Martin
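For anyone landing on this thread later, here is an added example of what the finished configuration from this thread looks like on both boxes. It is not Martin's or Karsten's config; it uses ASA 8.4 syntax, assumes VLAN 50 on Ethernet0/2 as the transfer link, and assumes the server subnets are 192.168.10.0/24 (A) and 192.168.70.0/24 (B), since the thread only abbreviates them as "10.0/24" and "70.0/24". The ACL at the end is an example of Martin's planned "next step" of limiting traffic between the networks.

```cisco
! --- ASA A (assumed inside subnet 192.168.10.0/24) ---
interface Vlan50
 nameif transfer
 security-level 100
 ip address 192.168.50.1 255.255.255.0
interface Ethernet0/2
 switchport access vlan 50
!
! Reach B's server subnet via B's transfer-network address
route transfer 192.168.70.0 255.255.255.0 192.168.50.2 1
!
! inside and transfer are both level 100, so same-level forwarding must be enabled
same-security-traffic permit inter-interface
!
object network NET_A
 subnet 192.168.10.0 255.255.255.0
object network NET_B
 subnet 192.168.70.0 255.255.255.0
!
! NAT exemption: identity NAT so an existing dynamic PAT rule toward the ISP
! does not translate inter-site traffic (only needed if such a rule matches it)
nat (inside,transfer) source static NET_A NET_A destination static NET_B NET_B
!
! Limit what B may initiate toward A's servers: HTTPS, SSH and ping only
access-list TRANSFER_IN extended permit tcp object NET_B object NET_A eq 443
access-list TRANSFER_IN extended permit tcp object NET_B object NET_A eq 22
access-list TRANSFER_IN extended permit icmp object NET_B object NET_A echo
access-group TRANSFER_IN in interface transfer

! --- ASA B (assumed inside subnet 192.168.70.0/24), mirror image ---
interface Vlan50
 nameif transfer
 security-level 100
 ip address 192.168.50.2 255.255.255.0
interface Ethernet0/2
 switchport access vlan 50
route transfer 192.168.10.0 255.255.255.0 192.168.50.1 1
same-security-traffic permit inter-interface
! same NET_A / NET_B objects as above, then:
nat (inside,transfer) source static NET_B NET_B destination static NET_A NET_A
access-list TRANSFER_IN extended permit tcp object NET_A object NET_B eq 443
access-list TRANSFER_IN extended permit tcp object NET_A object NET_B eq 22
access-list TRANSFER_IN extended permit icmp object NET_A object NET_B echo
access-group TRANSFER_IN in interface transfer
```

One caveat: the ASA 5505 Base license allows only three VLAN interfaces and requires the third to carry a `no forward interface` restriction, which would block traffic initiated from one side; with inside, outside and transfer in use, this example assumes a Security Plus license. Verify with `packet-tracer input inside tcp 192.168.10.10 12345 192.168.70.10 443` on each side, which shows the route, NAT and ACL decisions for a sample flow.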