
Configuring ASA5510 to allow VLANs to internet and to each other.

cdhoward2
Level 1

Here is what I have. Windows Domain Controller running DHCP with configured scopes.

I have one ASA5510

And 4 HP Procurve switches with VLANs preconfigured by the vendor.

Here are my DHCP scopes/VLANS:

VLAN1 -Default 10.2.x.x/17

VLAN201 -DHCP 10.2.201.x/24

VLAN202 - WLAN EMP 10.2.202.x/24

VLAN203 - WLAN Guest 10.2.203.x/24

VLAN 252 - MGMT 10.2.254.x/24

Here is how I configured the DHCP Scopes:

Changes needed on the DHCP server (AUSPDC) in order to get things working with the new switches.

1) Configure 3 new DHCP scopes on your DHCP server.

a) scope for 10.2.201.x/24 to serve LAN employees and give them a gateway address of 10.2.201.254.

b) a scope for 10.2.202.x/24 to serve WLAN employees and give them a gateway address of 10.2.202.254.

c) a scope for 10.2.203.x/24 to serve WLAN Guests and give them a gateway address of 10.2.203.254.

I just upgraded and decided to go with the VLAN configuration. None of my VLANs can get out to the internet or to each other, due to, I think, my ignorance in configuring the firewall.

The PCs are getting proper IP addresses but they cannot get out or to the other VLANs. I tried to duplicate what is working for VLAN1 but it is not working.

Can someone tell me what I need to do to get my network back online?

Here is my config.

Result of the command: "show running-config"

: Saved

:

ASA Version 8.2(3)

!

hostname CiscoASA

domain-name hand.local

enable password 1FVULuGal5s1/ADt encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 10.2.201.0 VLAN201 description DHCP

name 10.2.202.0 VLAN202 description WLAN EMP

name 10.2.203.0 VLAN203 description WLAN Guest

name 10.2.254.0 VLAN252 description MGMT

name 10.2.70.3 Gateway

name 10.2.201.254 VLAN2GW

name 10.2.0.0 MainSwitchGW

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 72.**.**.50 255.255.255.240

ospf cost 10

!

interface Ethernet0/1

nameif inside

security-level 0

ip address Gateway 255.255.0.0

ospf cost 10

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

management-only

!

!

time-range All

!

boot system disk0:/asa823-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.2.1.254

domain-name hand.local

same-security-traffic permit inter-interface

object-group network DM_INLINE_NETWORK_1

network-object MainSwitchGW 255.255.0.0

network-object MainSwitchGW 255.255.128.0

object-group network DM_INLINE_NETWORK_2

network-object 10.100.1.0 255.255.255.0

network-object host Gateway

network-object VLAN201 255.255.255.0

object-group network DM_INLINE_NETWORK_3

network-object MainSwitchGW 255.255.128.0

network-object MainSwitchGW 255.255.255.128

access-list hand_splitTunnelAcl standard permit MainSwitchGW 255.255.0.0

access-list hand_splitTunnelAcl standard permit MainSwitchGW 255.255.128.0

access-list hand_splitTunnelAcl standard permit VLAN201 255.255.255.0

access-list outside_access_in extended permit tcp any host 72.**.**.51 eq ftp

access-list outside_access_in extended permit tcp any host 72.**.**.51 eq ftp-data

access-list outside_access_in extended permit tcp any host 72.**.**.54 eq www

access-list outside_access_in remark ****Inbound to the Mail Server****

access-list outside_access_in extended permit tcp host 66.162.93.196 host 72.**.**.55 eq smtp time-range All

access-list outside_access_in extended permit tcp host 216.136.51.62 host 72.**.**.55 eq smtp time-range All

access-list outside_access_in extended permit tcp 70.42.242.0 255.255.255.0 host 72.**.**.55 eq smtp

access-list outside_access_in extended permit tcp any host 72.**.**.55 eq https time-range All

access-list outside_access_in extended permit tcp any host 72.**.**.55 eq www time-range All

access-list outside_access_in extended permit tcp any host 72.**.**.55 eq pop3 time-range All

access-list outside_access_in extended permit tcp any host 72.**.**.55 eq imap4 time-range All

access-list outside_access_in extended permit tcp host 66.162.93.196 host 72.**.**.55 eq ldap time-range All

access-list outside_access_in extended permit tcp host 216.136.51.62 host 72.**.**.55 eq ldap time-range All

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any source-quench

access-list outside_access_in extended permit icmp any any time-exceeded

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit tcp any host 72.**.**.53 eq www

access-list outside_access_in extended permit tcp any host 72.**.**.53 eq https

access-list outside_access_in extended permit tcp any host 72.**.**.53 eq 20999

access-list outside_access_in extended permit tcp any host 72.**.**.52 eq www

access-list outside_access_in extended permit tcp any host 72.**.**.52 eq https

access-list outside_access_in extended permit tcp any host 72.**.**.52 eq 8080

access-list outside_access_in extended permit tcp any host 72.**.**.58 eq www

access-list outside_access_in extended permit tcp any eq www host 72.**.**.62

access-list outside_access_in extended permit tcp any host 72.**.**.62 eq ssh

access-list outside_access_in extended permit tcp any host 72.**.**.62 eq www

access-list outside_access_in extended permit tcp any host 72.**.**.57 eq www

access-list outside_access_in extended permit tcp any host 72.**.**.57 eq 20999

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_2

access-list inside_nat0_outbound extended permit ip MainSwitchGW 255.255.128.0 10.100.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip VLAN201 255.255.255.0 10.100.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip VLAN201 255.255.255.0 host Gateway

access-list inside_nat0_outbound extended permit ip VLAN201 255.255.255.0 object-group DM_INLINE_NETWORK_1

access-list management_nat0_outbound extended permit ip MainSwitchGW 255.255.128.0 72.**.**.48 255.255.255.240

access-list management_nat0_outbound extended permit ip MainSwitchGW 255.255.128.0 any

access-list management_nat0_outbound extended permit ip VLAN201 255.255.255.0 any

access-list management_nat0_outbound extended permit ip VLAN201 255.255.255.0 72.**.**.48 255.255.255.240

access-list management_nat0_outbound extended permit ip MainSwitchGW 255.255.128.0 host VLAN201

access-list management_nat0_outbound extended permit ip VLAN201 255.255.255.0 MainSwitchGW 255.255.128.0

pager lines 24

logging enable

logging asdm informational

logging from-address

logging recipient-address level warnings

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnpool 10.100.1.1-10.100.1.254 mask 255.255.255.0

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 101 interface

global (inside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

nat (management) 0 access-list management_nat0_outbound

nat (management) 101 0.0.0.0 0.0.0.0

static (inside,outside) 72.**.**.51 10.2.1.3 netmask 255.255.255.255

static (inside,outside) 72.**.**.52 10.2.1.12 netmask 255.255.255.255

static (inside,outside) 72.**.**.53 10.2.1.13 netmask 255.255.255.255

static (inside,outside) 72.**.**.54 10.2.90.202 netmask 255.255.255.255

static (inside,outside) 72.**.**.55 10.2.1.21 netmask 255.255.255.255

static (inside,outside) 72.**.**.57 10.2.1.26 netmask 255.255.255.255

static (inside,outside) 72.**.**.58 10.2.1.5 netmask 255.255.255.255

static (inside,outside) 72.**.**.62 10.2.1.200 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 72.**.**.49 1

route inside MainSwitchGW 255.255.128.0 Gateway 1

route inside VLAN201 255.255.255.0 VLAN2GW 1

route inside VLAN202 255.255.255.0 Gateway 1

route inside VLAN203 255.255.255.0 Gateway 1

route inside VLAN252 255.255.255.0 Gateway 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

webvpn

  url-list value Internal_Sites

aaa-server partnerauth protocol radius

max-failed-attempts 5

aaa-server partnerauth (inside) host 10.2.1.254

key *****

radius-common-pw *****

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http MainSwitchGW 255.255.0.0 inside

http 10.100.1.0 255.255.255.0 inside

snmp-server host inside 10.2.1.4 community ***** version 2c

snmp-server host inside 10.2.1.7 community ***** version 2c

snmp-server location Austin Office

snmp-server contact Joshua Waszczak

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection tcpmss 0

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint athandVPN

enrollment terminal

crl configure

crypto ca trustpoint @handVPN

keypair @handVPN

crl configure

crypto ca trustpoint @handVPN-1

crl configure

crypto ca trustpoint @handVPN-2

crl configure

crypto ca trustpoint ASDM_TrustPoint0

crl configure

crypto ca certificate chain @handVPN

certificate ca 0a5f114d035b179117d2efd4038c3f3b


  quit

certificate 07cc66d971fd91a3990b74ed827a01b7


  quit

crypto ca certificate chain @handVPN-1

certificate ca 0727583d


  quit

crypto ca certificate chain @handVPN-2

certificate ca 01a5


  quit

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

client-update enable

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet MainSwitchGW 255.255.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 10.0.0.0 255.0.0.0 inside

ssh timeout 5

console timeout 0

management-access management

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

dhcprelay server 10.2.1.254 inside

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl trust-point @handVPN

ssl trust-point @handVPN outside

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

wins-server value 10.2.1.254

dns-server value 10.2.1.254

vpn-tunnel-protocol webvpn

ip-comp enable

group-lock value hand

ipsec-udp enable

split-tunnel-network-list value hand_splitTunnelAcl

default-domain value hand.local

intercept-dhcp 255.255.0.0 enable

address-pools value vpnpool

webvpn

  svc ask enable default webvpn

group-policy hand internal

group-policy hand attributes

banner none

wins-server value 10.2.1.254

dns-server value 10.2.1.254

dhcp-network-scope none

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

password-storage disable

pfs disable

ipsec-udp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value hand_splitTunnelAcl

default-domain value hand.local

split-dns none

intercept-dhcp 255.255.0.0 enable

address-pools value vpnpool

ipv6-address-pools none

username admin password .6XIEcJ30LogczOw encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

authentication-server-group partnerauth

authentication-server-group (inside) partnerauth

secondary-authentication-server-group partnerauth use-primary-username

authorization-server-group partnerauth

accounting-server-group partnerauth

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group partnerauth

authentication-server-group (inside) partnerauth

secondary-authentication-server-group partnerauth use-primary-username

secondary-authentication-server-group (inside) partnerauth use-primary-username

authorization-server-group partnerauth

authorization-server-group (inside) partnerauth

accounting-server-group partnerauth

default-group-policy hand

tunnel-group hand type remote-access

tunnel-group hand general-attributes

address-pool (inside) vpnpool

address-pool vpnpool

authentication-server-group partnerauth

authentication-server-group (inside) partnerauth

secondary-authentication-server-group (inside) partnerauth

authorization-server-group partnerauth

authorization-server-group (inside) partnerauth

accounting-server-group partnerauth

default-group-policy hand

tunnel-group hand webvpn-attributes

radius-reject-message

group-alias @hand_Access enable

tunnel-group hand ipsec-attributes

pre-shared-key *****

tunnel-group hand ppp-attributes

authentication ms-chap-v2

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

!

service-policy global_policy global

smtp-server 10.2.1.21

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:97fd952699e6702ea082c71376958c59

: end

6 Replies

mvsheik123
Level 7

Hello Carl,

Try disabling nat-control and set the inside interface security to 100. Are PCs able to ping the ASA inside interface? Also, how are the internal LAN/switches connected?

Thx

MS

Oh, thank you so much for the reply!! Please forgive my Cisco ignorance, but I do not know how to disable nat-control. Is it possible to do so through the GUI?

PCs are able to ping the ASA inside interface.

They are each connected to the main switch. Each switch is connected with two CAT-6 cables that are stacked, I think is the term.

                 Internet
                     |
                 ASA 5510
                     |
             HP Procurve 3800
        /        |        |         \
    Switch    Switch    Switch    DHCP/DNS Server
      |         |         |
     pc's      pc's      pc's

The note from the tech that configured the switches said:

"Need to review and make some changes to the Cisco ASA firewall in order for it to support the new switch configurations. Will have to add static routes pointing to the new subnetworks on LAN and probably make changes to any port-redirections that might reference our server IP addresses by their old class B subnets."

Thanks,

Carl

Hello,

Login to ASA and issue 'no nat-control' from config mode. Then, go to interface mode and change the inside interface security to 100. Both can be done via GUI. Log in to ASDM and check. As 'icmp' is allowed on the outside ACL, try to ping public IP (ex:4.2.2.1) and see if you get any reply.

Thx

MS

Ok, I did that and now I cannot ping the ASA or anything outside.

Ok, so I got myself back to being able to ping the first switch in the chain and the second/main switch in the chain as well as the ASA, but I still cannot get out or to the other VLANs. I have tried adding static routes but I must be doing something incorrectly.

My DHCP/DNS/Domain Controller is on VLAN1 -Default 10.2.x.x/17, which is hosting the scopes and is successfully assigning IPs to VLAN201 -DHCP 10.2.201.x/24. But from VLAN201 -DHCP 10.2.201.x/24 I cannot get past the ASA or to VLAN201 -DHCP 10.2.201.x/24. Also I cannot ping VLAN201 from VLAN1.

This is how my Scopes are configured in the Windows Server 2008 DHCP:

1) Configure 3 new DHCP scopes on your DHCP server.

Original Scope VLAN1 10.2.0.0/17 10.2.0.254

a) scope for 10.2.201.x/24 to serve LAN employees and give them a gateway address of 10.2.201.254.

b) a scope for 10.2.202.x/24 to serve WLAN employees and give them a gateway address of 10.2.202.254.

c) a scope for 10.2.203.x/24 to serve WLAN Guests and give them a gateway address of 10.2.203.254.

How do I make the ASA allow all but the Guest VLAN to talk?

Hi Carl,

Thanks for the update. I suggest you talk to the consultants with your network requirements. I am not a 3COM expert, but here is one way to design your network...

1. Make sure the Procurve 3800 support basic routing (so that it acts as core switch).

2. Create Vlans and Vlan interfaces (L3) with proper IP addresses on procurve.

You need to be able to define how many Vlans you need. I never have 'guest' vlan inside my network -considering guest vlan is for external users/guests. So based on that...

10.2.201.x/24 --> vlan for LAN employees : on procurve 3800: Vlan201 interface IP will be 10.2.201.254 (gateway for PCs)

10.2.202.x/24 --> Vlan for WLAN employees.

10.2.203.x/24 --> Can be your management Vlan for all network gear & use it for your server ILO as well (static IPs)

10.2.204.x/24 --> Server Vlan (servers static IPs)

For the network printers, based on your requirements and traffic, you can leave them in the user Vlan or create a separate Vlan. I prefer to assign static IPs for printers.

3. On the Vlan interface on procurve for LAN & WLAN, make sure you have a command similar to 'ip helper-address': this is a Cisco command, 3COM may have different command syntax.

4. You can connect the servers directly to Procurve and change the Vlan on the ports to Server Vlan.

5. Connect the access switches (where PCs are connected) to procurve using 'Trunk' links. Also, configure the management vlan on each access switch with an IP from that subnet for management purposes. The gateway should be the vlan interface.

6. Once you have the internal infrastructure up and running, then for the ASA inside interface assign an IP from the management Vlan (your network is small, you can use the same IP to manage the ASA) with security level 100. Use this IP as the default gateway on procurve.

7. You can safely disable nat-control.

8. Now as far as guests --> place them in the ASA DMZ and allow internet access. The ASA itself can act as DHCP server for guest access.

This may not be 100% perfect design but works for small networks. As far as the changes and configs, I suggest you work with a consultant.

Hth

MS
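A small config audit in Python, added here as an example and not part of the thread or of any Cisco tool: it parses the `name`, `interface`, `nat-control`, `route` and `ssh` lines of an ASA 8.2-style running-config and reports the conditions the replies turn on (inside security-level not above outside, nat-control still on, a named VLAN network with no inside route), plus a next-hop sanity check and SSH open to any outside source. The excerpt it runs on is constructed from the posted config with placeholder public addresses; `parse`, `audit` and the finding codes are this example's own names.

```python
import ipaddress

# Constructed excerpt modelled on the running-config posted above: public addresses are
# placeholders (192.0.2.0/24 is a documentation range) and the MGMT route is left out on
# purpose so the missing-route check has something to report.
SAMPLE_CONFIG = """\
name 10.2.201.0 VLAN201 description DHCP
name 10.2.202.0 VLAN202 description WLAN EMP
name 10.2.203.0 VLAN203 description WLAN Guest
name 10.2.254.0 VLAN252 description MGMT
name 10.2.70.3 Gateway
name 10.2.201.254 VLAN2GW
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.50 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 0
 ip address Gateway 255.255.0.0
!
nat-control
route outside 0.0.0.0 0.0.0.0 192.0.2.49 1
route inside VLAN201 255.255.255.0 VLAN2GW 1
route inside VLAN202 255.255.255.0 Gateway 1
route inside VLAN203 255.255.255.0 Gateway 1
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 inside
"""

def parse(text):
    """Collect name objects, interfaces, routes, ssh lines and the nat-control flag."""
    names = {}          # object name -> address
    interfaces = {}     # nameif -> {"level", "ip", "mask"}
    routes = []         # (nameif, net, mask, next hop)
    ssh = []            # (net, mask, nameif)
    nat_control, cur = False, {}
    for raw in text.splitlines():
        p = raw.split()
        if not p or p[0] == "!":
            continue
        if p[0] == "name" and len(p) >= 3:
            names[p[2]] = p[1]
        elif p[0] == "interface":                 # start of an interface block
            cur = {"level": None, "ip": None, "mask": None}
        elif p[0] == "nameif":
            interfaces[p[1]] = cur
        elif p[0] == "security-level":
            cur["level"] = int(p[1])
        elif p[:2] == ["ip", "address"] and len(p) >= 4:
            cur["ip"], cur["mask"] = p[2], p[3]
        elif p == ["nat-control"]:
            nat_control = True
        elif p[0] == "route" and len(p) >= 5:
            routes.append((p[1], p[2], p[3], p[4]))
        elif p[0] == "ssh" and len(p) == 4:
            ssh.append((p[1], p[2], p[3]))
    return {"names": names, "interfaces": interfaces, "routes": routes,
            "ssh": ssh, "nat_control": nat_control}

def audit(text):
    """Return (code, message) findings for one config; an empty list means all checks passed."""
    cfg = parse(text)
    names, ifs = cfg["names"], cfg["interfaces"]
    findings = []
    addr = lambda tok: names.get(tok, tok)        # resolve a `name` object, pass addresses through
    inside, outside = ifs.get("inside", {}), ifs.get("outside", {})
    if inside.get("level") is not None and inside["level"] <= outside.get("level", -1):
        findings.append(("SECLEVEL", f"inside security-level {inside['level']} is not above "
                         f"outside ({outside.get('level')}); the thread's advice is 100"))
    if cfg["nat_control"]:
        findings.append(("NATCONTROL", "nat-control is on, so flows with no matching NAT rule "
                         "are dropped; the thread's advice is 'no nat-control'"))
    # Every network-style name object (x.x.x.0) should have a route on the inside interface.
    routed = {addr(net) for nameif, net, _, _ in cfg["routes"] if nameif == "inside"}
    for obj, ip in names.items():
        if ip.endswith(".0") and ip not in routed:
            findings.append(("NOROUTE", f"{obj} ({ip}) has no 'route inside' entry"))
    # A static route's next hop must lie on the connected subnet of its interface.
    for nameif, net, mask, nh in cfg["routes"]:
        itf = ifs.get(nameif, {})
        if not itf.get("ip"):
            continue
        connected = ipaddress.ip_network(f"{addr(itf['ip'])}/{itf['mask']}", strict=False)
        if ipaddress.ip_address(addr(nh)) not in connected:
            findings.append(("BADNEXTHOP", f"route {addr(net)}/{mask} via {addr(nh)} on "
                             f"{nameif}: next hop is outside {connected}"))
    for net, mask, nameif in cfg["ssh"]:
        if nameif == "outside" and (net, mask) == ("0.0.0.0", "0.0.0.0"):
            findings.append(("SSHANY", "ssh management is open to any source on outside"))
    return findings

if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```

Run it against a real `show running-config` capture by passing the file contents to `audit`; an empty list means the checks the thread discusses all pass.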