01-06-2015 08:59 AM - edited 03-07-2019 10:06 PM
Hello,
I'm trying to solve a network design problem. I have ideas about how to go about it, but I wanted to ask if its possible to do with the equipment I have and perhaps if I need change up where VLANs would be configured etc. All suggestions welcome, new hardware is being purchased so if adjustments in models is advised or required then great.
I have multiple locations with the following configuration:
They have a copper hand off to a Cisco 2921 router from one ISP that goes into one interface and another interface is connected to the inside Cisco ASA 5505 or a ASA 5510. Beyond the ASA are switches.
My end goal is to route 2 or more groups of PCs out their own separate external IP addresses. So, essentially, 2-3 VLANs where each VLAN would have it's own external IP address. Lets say, Staff and Public networks need their own external IP addresses. It would be helpful to be able to use ACLs to allow certain services from one VLAN to another.
For the VLAN configuation I was not sure if i matters if I have the VLANs inside the ASA or on a core switch within the network. I can, of course, setup a switch with the information and connect that switch to one firewall interface and assign VLANs to ports or Connect the two switches to 2 interfaces on the ASA. Its just a matter of ACLs etc, and if its better on the switch or the ASA.
Once the VLANs are setup I was wondering if its possible, on the ASA, to setup sub-interfaces on the external port of the ASA on the outside interface connecting to the router. So on 0/0, I would have 0/0.1 for staff, 0/0.2 for public for example. And I could assign each of these sub-interfaces with an IP from the ISP. Then issue is how do I go about routing internet traffic from the staff network on VLAN100 out 0/0.1, which would have xxx.xxx.xxx.100 for example. And the same for public; VLAN200 out 0/0.2 which would have some IP of something like xxx.xxx.xxx.200.
The problem I face is, there is a cloud filtering service I need them to be filtered by. However, I need the Staff network to have a different filtering level from the Public PCs for their internet access. However, this cloud service has one rule set per IP address. SO, the only solution is to get different these different internal networks (Staff and Public) to come from a different IP addresses so I can setup the rules differently for each.
I hope this makes sense, sorry this is long and wordy; its my first question here.
Mike
01-06-2015 11:45 AM
Mike-
Welcome to the forums! What you're wanting to accomplish is pretty easy in the ASA. You can NAT different subnets with different IP addresses. For example-
object network 192.168.100.0-24_STAFF
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) dynamic 198.0.51.1
object network 192.168.106.0-24_PUBLIC
subnet 192.168.106.0 255.255.255.0
nat (inside,outside) dynamic 198.0.51.44
This would NAT 192.168.100.0 /24 to 198.0.51.1 and NAT 192.168.106.0 /24 to 198.0.51.44. The VLAN SVI's can live on the switches or on the ASA, but more than likely you would want them on the switches.
Hope it helps.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide