Firewall on a stick

sarath92
Level 1

Hi All,

I was configuring a setup in Packet Tracer similar to router on a stick. The only difference is that we have a Cisco ASA firewall between the router and the switch, as below:

[Attachment: Firewall.PNG]

The port from the switch to the firewall has been made a trunk on the switch end. I have configured two sub-interfaces on the router to serve two VLANs. Now my doubt is how I should configure the firewall ports. I am not able to create a sub-interface on the firewall, and I also don't know how to create a trunk port on the firewall. Please help me out with the commands, if any. Forgive me for being a noob :)


4 Replies

Seb Rupik
VIP Alumni

Hi there,

The ASA5505 does not support routed interfaces, but instead uses SVIs for routing. 

Your ASA interface config will look like:

!
int vlan 2
  ip address 172.0.10.100 255.255.255.0
  nameif OUTSIDE
  security-level 0
  no shut
!
int vlan 10
  ip address 172.10.10.254 255.255.255.0
  nameif INSIDE-10
  security-level 100
  no shut
!
int vlan 20
  ip address 172.20.10.254 255.255.255.0
  nameif INSIDE-20
  security-level 100
  no shut
!
! eth0/0 carries VLANs 10 and 20 to the switch trunk
int eth0/0
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  no shut
!
! eth0/1 is an access port in VLAN 2 towards the router
int eth0/1
  switchport mode access
  switchport access vlan 2
  no shut
!
! one network object per inside subnet; each name must be unique
object network VLAN10
  subnet 172.10.10.0 255.255.255.0
  nat (INSIDE-10,OUTSIDE) dynamic interface
object network VLAN20
  subnet 172.20.10.0 255.255.255.0
  nat (INSIDE-20,OUTSIDE) dynamic interface
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.0.10.99 1
!

On the router, configure a normal routed interface and connect it to ASA eth0/1 :

!
no int gi0/1.1
no int gi0/1.2
!
int gi0/1
  ip address 172.0.10.99 255.255.255.0
  no shut
!
! IOS static routes take a subnet mask, not a wildcard mask
ip route 172.10.10.0 255.255.255.0 172.0.10.100
ip route 172.20.10.0 255.255.255.0 172.0.10.100
!

cheers,

Seb.

 

Hi Seb, 

 

Thanks for your answer 

I am getting below error when trying to configure more than one nameif interface:

 

ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.

 

Does Packet Tracer not support this?

 

Also, is there a method to enable NAT using only an IP address rather than a network object?

Ahh! I remember this insane limitation on the ASA5505 Base license!! Essentially you have to nominate one VLAN which is not allowed to initiate communication with the other two....not what we want.

 

So, let's move the routing of the two INSIDE subnets onto switch0 and configure the ASA with just two interfaces:

! switch0
!
vlan 3,10,20
!
! /30 transit VLAN between switch0 and the ASA
int vlan 3
  desc FW-TRANSIT
  ip address 172.3.10.1 255.255.255.252
  no shut
!
int vlan 10
  desc INSIDE-10
  ip address 172.10.10.254 255.255.255.0
  no shut
!
int vlan 20
  desc INSIDE-20
  ip address 172.20.10.254 255.255.255.0
  no shut
!
int gi1/0/1
  desc TO_ASA
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 3
  no shut
!
ip routing
! with ip routing enabled the switch ignores ip default-gateway, so use a static default route
ip route 0.0.0.0 0.0.0.0 172.3.10.2
!
! ASA
!
int vlan 2
  ip address 172.0.10.100 255.255.255.0
  nameif OUTSIDE
  security-level 0
  no shut
!
int vlan 3
  ip address 172.3.10.2 255.255.255.252
  nameif INSIDE
  security-level 100
  no shut
!
int eth0/0
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 3
  no shut
!
int eth0/1
  switchport mode access
  switchport access vlan 2
  no shut
!
object network VLAN10
  subnet 172.10.10.0 255.255.255.0
  nat (INSIDE,OUTSIDE) dynamic interface
object network VLAN20
  subnet 172.20.10.0 255.255.255.0
  nat (INSIDE,OUTSIDE) dynamic interface
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.0.10.99 1
! return routes to the inside subnets, which now live behind switch0
route INSIDE 172.10.10.0 255.255.255.0 172.3.10.1 1
route INSIDE 172.20.10.0 255.255.255.0 172.3.10.1 1
!

 

Connect:

Switch0|Gi1/0/1 <---> eth0/0|ASA|eth0/1 <---> Gi0/1|Router


If you didn't want to use Auto NAT config as part of a network object, you could use the following Manual NAT config:

!
object network VLAN10
  subnet 172.10.10.0 255.255.255.0
object network VLAN20
  subnet 172.20.10.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source dynamic VLAN10 interface
nat (INSIDE,OUTSIDE) source dynamic VLAN20 interface
!

cheers,

Seb.
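A hop-by-hop consistency check for the two-interface design above, added here as an example and not part of Seb's answer. It models the addressing plan in Python with the standard-library `ipaddress` module, assumes the ASA holds static routes for both inside subnets via 172.3.10.1 (the transit address on switch0), and walks a packet from the VLAN 10 gateway to the router and back, failing if any next hop is not on a connected subnet or is configured on no device.

```python
import ipaddress

# Constructed model of the accepted answer's plan (not from the thread); routes are (prefix, next_hop).
PLAN = {
    "switch0": {"ifaces": ["172.3.10.1/30", "172.10.10.254/24", "172.20.10.254/24"],
                "routes": [("0.0.0.0/0", "172.3.10.2")]},
    "asa":     {"ifaces": ["172.0.10.100/24", "172.3.10.2/30"],
                "routes": [("0.0.0.0/0", "172.0.10.99"),          # default via router
                           ("172.10.10.0/24", "172.3.10.1"),      # return routes to the
                           ("172.20.10.0/24", "172.3.10.1")]},    # inside subnets on switch0
    "router":  {"ifaces": ["172.0.10.99/24"], "routes": []},      # sees only NATed 172.0.10.100
}

def _connected(plan, dev, ip):
    """True if `ip` lies in a subnet configured on one of `dev`'s interfaces."""
    return any(ip in ipaddress.ip_interface(a).network for a in plan[dev]["ifaces"])

def _owner(plan, ip):
    """Device that has `ip` assigned to an interface, or None if nobody does."""
    return next((d for d, c in plan.items()
                 if any(ipaddress.ip_interface(a).ip == ip for a in c["ifaces"])), None)

def _next_hop(plan, dev, dst):
    """Longest-prefix match over `dev`'s static routes; None means deliver directly."""
    if _connected(plan, dev, dst):
        return None
    best = None
    for prefix, nh in plan[dev]["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(nh))
    if best is None:
        raise LookupError(f"{dev}: no route to {dst}")
    if not _connected(plan, dev, best[1]):
        raise LookupError(f"{dev}: next hop {best[1]} is not on a connected subnet")
    return best[1]

def trace(plan, start, dst, max_hops=8):
    """Return the devices a packet to `dst` crosses, starting at `start`."""
    dst, path = ipaddress.ip_address(dst), [start]
    for _ in range(max_hops):
        nh = _next_hop(plan, path[-1], dst)
        if nh is None:  # on a connected subnet: append the owning device, if it is one of ours
            return path + [d for d in [_owner(plan, dst)] if d]
        owner = _owner(plan, nh)
        if owner is None:
            raise LookupError(f"{path[-1]}: next hop {nh} is configured on no device")
        path.append(owner)
    raise LookupError("hop limit exceeded, possible routing loop")
```

Removing the two return routes from the `asa` entry makes `trace(PLAN, "asa", "172.10.10.5")` follow the default route to the router and fail there, which is exactly the symptom you see when the ASA has no route back to the subnets behind switch0.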

Yes! It worked. Thank you.