cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1154
Views
0
Helpful
7
Replies

Setup ASA 5510 for two different networks

zdoty
Level 1
Level 1

We currently have 2 ASA 5510's with the base license at two different locations.  There is a VPN set up between the two to allow internal traffic through.  They both have a default route for internet.  The network right now is 10.16.171.0\25 at locationa a.  Location b network is 10.16.171.128\25

We had a new phone system installed and they are wanting it on a different network.  So the end goal is to get a differnet network setup going across the same or different VPN and also allowing the different network to get online.  Phone network at location a is 192.168.200.0\24 and location b is 192.168.201.0\24.

So is it possible to just configure another interface on the back of the ASA.  For instance port 7 as 192.168.200.1.  Configure all the phones and phone system for the default gateway of 192.168.200.1.  That would have all phone traffic go to port 7 on ASA.  Then enter a route for all 192 traffic to go across the proper VPN tunnel.  And the internet traffic from the 192 networks would already be taken care of with the default route already in place.

Also if that is not possible, could we upgrade our license to something that would allow this to happen.

Any help is greatly appreciated.

Thanks,

7 Replies 7

zdoty
Level 1
Level 1

I did a little research and found that you cannot put routes into the ASA.  But can you accomplish what I'm trying to do through Access Control Lists? 

Please help.

Thanks,

thomas.g.fan
Level 1
Level 1

My understanding is yes you can use port 7 as 192.168.200.1. Below are additional changes you may need to configure:

1. Change VPN access-list (add new subnets to the list) so that traffic from or to those two new subnets are permitted to enter VPN tunnel.

2. Change NAT access-list (add new subnets to the list) so that those two new subnets are able to access Internet, thoght it's not suggested for phone network to access Internet but as you mentioned it in your post then you can add then to the list if you like.

Do you know if this will work with the base license on the ASA?  I have another guy telling me that you have to upgrade to the Security Plus.  I was thinking you would be able to do it with the base license.  Do you know what the answer is?

Hi,

For the Base license on the ASA 5510, the maximum  number of interfaces was increased from 3 plus a management interface to  unlimited interfaces from 7.2(2). so it could be possible if you have a version > 7.2((2).

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Thanks for the reply.  Wouldn't it be possible with a 5505 also with the base license? 

Hi,

No  I don't think so.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

With a 5505 base license you essentially get a inside VLAN and a restricted DMZ. Based on my expierence with them the restricted DMZ means that you can send traffic into the DMZ from the inside but not vice versa. So to run two internal subnets on a base license does not seem possible, thats the whole point of there licensing model. Want to do something cool, give us more money. Also with a full up ASA license you can definetly do routes. I worked at a place where we essentially deployed a ASA5505 as are our router and firewall. Then the sending the traffic over the tunnel is matter of setting up nat excemptions and editing your crypto map to send it threw the tunnel.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: