01-20-2012 07:00 AM - edited 03-07-2019 04:27 AM
I have configured my network infrastructure with the ASA 5505 as shown in the image. I want my users from LAN 10.13.10.0/24 to be able to access my LAN 192.168.0.0/24. Can I use just routing, or must I use a site-to-site VPN? How can I do it? How do I configure my ASA 5505? On my LAN1 there is DHCP. On the LAN side of my ASA 5505 I must disable DHCP. In my LAN1 I have DNS and a Domain Controller. The users from my LAN3 need to access LAN1 for authentication and access to resources and programs. I attached a picture of my configuration.
Please help me.
Thanks
01-20-2012 07:19 AM
Hi,
If the LAN3 interface is configured with a higher security level than LAN1, then you can initiate communication from LAN3 through the ASA to LAN1 and the return traffic will pass through without any problem, with one exception, which is ICMP (like ping, for example).
For this ICMP return traffic you can do two things:
- enable ICMP inspection in the global config
- configure an ACL permitting this traffic and apply it inbound on the lower security level interface
Concerning NAT, as the default is now no nat-control, it is not mandatory anymore for traffic to pass through.
Regards.
Alain
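The following ASA configuration is an added example illustrating the reply above; it is not from any post in this thread. It assumes the LAN3-facing interface is named `inside` (security-level 100), the LAN1-facing interface is named `lan1` with a lower security level, and that 10.13.10.0/24 is reached via next hop 10.13.74.1 on `inside`.

```text
! Added example, not from the thread. Interface names, security levels
! and the next hop are assumptions for this illustration.
!
! Option 1: ICMP inspection in the global policy. The ASA then tracks
! echo requests from LAN3 and lets the matching replies from LAN1 back in.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option 2 (use instead of option 1): explicitly permit the reply traffic
! inbound on the lower-security LAN1 interface.
! Note: once an ACL is applied to lan1, the implicit security-level permit
! no longer applies to traffic entering from LAN1, so anything LAN1 hosts
! themselves need to initiate must also be permitted here.
access-list LAN1_IN extended permit icmp 192.168.0.0 255.255.255.0 10.13.10.0 255.255.255.0 echo-reply
access-list LAN1_IN extended deny ip any any log
access-group LAN1_IN in interface lan1
!
! Static route so the ASA knows LAN3 lies behind the inside interface.
route inside 10.13.10.0 255.255.255.0 10.13.74.1
```

Verify with `show service-policy inspect icmp` (option 1) or `show access-list LAN1_IN` (option 2) while pinging a LAN1 host from LAN3; the hit counters should increase.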
01-20-2012 07:29 AM
If you are running firewall image version 8.25 or lower, the config below will do what you want.
---------------------------------------------------------------------------------------------------------------------
access-list acl-ALLOW-NAT extended permit ip 10.13.10.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 1 access-list acl-ALLOW-NAT
route inside 10.13.10.0 255.255.255.0 10.13.74.1
--------------------------------------------------------------------------------------------------------------------
What is your firewall image version?
Thanks
Rizwan Rafeek