In this tutorial I will describe the configuration of an interesting network scenario that I’m sure many of you will find helpful. This scenario is applicable in many real world situations, mainly in small to medium networks.
The network scenario is as follows:
We have three different internal LAN networks which host user computers and other IT infrastructure (servers, network printers etc.).
We want to separate the three internal LANs using an ASA firewall (either ASA5500 or the new ASA5500-X models will work fine). The three internal LANs will be connected on the same switch and separated at Layer 2 with three VLANs on the switch.
The ASA firewall will provide internet access to all internal LANs. Also, the ASA will act as DHCP server for each internal LAN, assigning the required IP addresses for each LAN subnet using a different DHCP scope for each one.
Also, we will use a single physical interface of the ASA to accommodate the three internal network security zones (“inside1”, “inside2”, “inside3”).
Thus, we need to configure sub-interfaces on a physical interface of the ASA which will be connected to a trunk port of the internal switch. Each sub-interface of the ASA will act as the default gateway for its corresponding internal LAN subnet.
Regarding the switch configuration, we need to have one Dot1Q trunk port connected to the ASA and also we need to configure “access ports” belonging to the appropriate VLAN for the internal hosts.
Let’s see the network diagram of our topology below:
From our network diagram above:
- Interface GE1 of the ASA (“outside” zone with IP address 100.1.1.1) will be connected to the ISP.
- Interface GE0 of the ASA will be connected to a trunk port of the switch (port E0/0). This physical interface of the ASA will be split into three sub-interfaces with each one belonging to a different security zone and VLAN:
- Subinterface GE0.1: VLAN10 (IP address 10.1.1.254) – zone name “inside1”
- Subinterface GE0.2: VLAN20 (IP address 10.2.2.254) – zone name “inside2”
- Subinterface GE0.3: VLAN30 (IP address 10.3.3.254) – zone name “inside3”
- Interfaces E0/1, E0/2, E0/3 of the switch will be configured as “access ports” belonging to VLANs 10, 20, 30 respectively.
- Hosts in VLAN10 will be assigned an IP address by the ASA using a DHCP scope (10.1.1.0/24) enabled on the “inside1” interface.
- Hosts in VLAN20 will be assigned an IP address by the ASA using a DHCP scope (10.2.2.0/24) enabled on the “inside2” interface.
- Hosts in VLAN30 will be assigned an IP address by the ASA using a DHCP scope (10.3.3.0/24) enabled on the “inside3” interface.
- All internal LANs will have internet access via the ASA using NAT overload (PAT) of the ASA outside interface.
NOTES:
- I have not configured communication between the three internal LANs (only internet access allowed).
- For ASA5505 you will need the security-plus license for the above scenario to work.
Let’s now see the configurations of both the ASA and internal SWITCH.
(Only the important commands are shown)
Cisco ASA Configuration:
! This is the physical interface which we’ll split into 3 sub-interfaces (connected to trunk port of switch)
interface GigabitEthernet0
no nameif
no security-level
no ip address
!
! This is sub-interface GE0.1 for vlan10
interface GigabitEthernet0.1
vlan 10
nameif inside1
security-level 100
ip address 10.1.1.254 255.255.255.0
! This is sub-interface GE0.2 for vlan20
interface GigabitEthernet0.2
vlan 20
nameif inside2
security-level 90
ip address 10.2.2.254 255.255.255.0
! This is sub-interface GE0.3 for vlan30
interface GigabitEthernet0.3
vlan 30
nameif inside3
security-level 80
ip address 10.3.3.254 255.255.255.0
! This is the WAN interface connected to ISP
interface GigabitEthernet1
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0
! Configure network objects for the three internal LANs
object network inside1_LAN
subnet 10.1.1.0 255.255.255.0
object network inside2_LAN
subnet 10.2.2.0 255.255.255.0
object network inside3_LAN
subnet 10.3.3.0 255.255.255.0
! This ACL is useful to allow ICMP traffic for testing purposes
access-list OUT extended permit icmp any any
access-group OUT in interface outside
! Configure NAT overload for the three internal LANs using the outside interface. This allows internet access.
object network inside1_LAN
nat (inside1,outside) dynamic interface
object network inside2_LAN
nat (inside2,outside) dynamic interface
object network inside3_LAN
nat (inside3,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 100.1.1.2
! Create 3 different DHCP scopes to assign IP addresses to internal LANs
! DHCP scope for hosts in VLAN10 – “inside1”
dhcpd address 10.1.1.1-10.1.1.100 inside1
dhcpd enable inside1
! DHCP scope for hosts in VLAN20 – “inside2”
dhcpd address 10.2.2.1-10.2.2.100 inside2
dhcpd enable inside2
! DHCP scope for hosts in VLAN30 – “inside3”
dhcpd address 10.3.3.1-10.3.3.100 inside3
dhcpd enable inside3
! Assign DNS server for internal hosts
dhcpd dns 200.1.1.1
Cisco SWITCH Configuration:
! This is the trunk port connected to interface GE0 of ASA
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
! Access port for VLAN10
interface Ethernet0/1
switchport access vlan 10
switchport mode access
duplex auto
! Access port for VLAN20
interface Ethernet0/2
switchport access vlan 20
switchport mode access
duplex auto
! Access port for VLAN30
interface Ethernet0/3
switchport access vlan 30
switchport mode access
duplex auto
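A configuration like the one above has several values that must agree across two devices (VLAN tags on the ASA sub-interfaces versus the switch access ports, DHCP pools versus sub-interface subnets, a NAT rule per inside zone), and it also leaves one thing to the ASA's default policy: with no access-group applied to an inside interface, traffic from a higher security-level to a lower one is permitted, so in the tutorial's numbering inside1 can reach inside2 and inside3, and inside2 can reach inside3. The following Python script is an added example, not part of the tutorial and not a Cisco tool: it parses a constructed copy of the tutorial's ASA and switch configurations (sub-commands indented as `show running-config` prints them, and reduced to the lines the checks read) and reports every mismatch or implicit policy it finds. The function and key names (`parse_asa`, `parse_switch`, `audit`) are the example's own.

```python
import ipaddress
import re

# Constructed copy of the tutorial's ASA configuration, limited to the lines the checks read.
ASA_CONFIG = """\
interface GigabitEthernet0.1
 vlan 10
 nameif inside1
 security-level 100
 ip address 10.1.1.254 255.255.255.0
interface GigabitEthernet0.2
 vlan 20
 nameif inside2
 security-level 90
 ip address 10.2.2.254 255.255.255.0
interface GigabitEthernet0.3
 vlan 30
 nameif inside3
 security-level 80
 ip address 10.3.3.254 255.255.255.0
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0
object network inside1_LAN
 nat (inside1,outside) dynamic interface
object network inside2_LAN
 nat (inside2,outside) dynamic interface
object network inside3_LAN
 nat (inside3,outside) dynamic interface
access-group OUT in interface outside
dhcpd address 10.1.1.1-10.1.1.100 inside1
dhcpd address 10.2.2.1-10.2.2.100 inside2
dhcpd address 10.3.3.1-10.3.3.100 inside3
"""

# Constructed copy of the tutorial's switch configuration (the trunk and the three access ports).
SWITCH_CONFIG = """\
interface Ethernet0/0
 switchport mode trunk
interface Ethernet0/1
 switchport access vlan 10
interface Ethernet0/2
 switchport access vlan 20
interface Ethernet0/3
 switchport access vlan 30
"""

def parse_asa(text):
    """Interfaces keyed by nameif, NATted nameifs, nameifs with an inbound ACL, DHCP pools."""
    ifaces, natted, acl_on, pools, cur = {}, set(), set(), {}, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        words = line.split()
        if words[0] == "interface":
            cur = {"vlan": None, "security-level": None, "addr": None}
        elif cur is not None and words[0] in ("vlan", "nameif", "security-level", "ip"):
            if words[0] == "nameif":
                ifaces[words[1]] = cur
            elif words[0] == "ip":                   # "ip address A.B.C.D MASK"
                cur["addr"] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")
            else:                                    # "vlan N" or "security-level N"
                cur[words[0]] = int(words[1])
        elif m := re.match(r"nat \((\S+),(\S+)\) dynamic interface", line):
            natted.add(m.group(1))
        elif m := re.match(r"access-group \S+ in interface (\S+)", line):
            acl_on.add(m.group(1))
        elif m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)", line):
            pools[m.group(3)] = tuple(ipaddress.IPv4Address(a) for a in m.group(1, 2))
    return ifaces, natted, acl_on, pools

def parse_switch(text):
    """VLAN ids that have an access port, and whether any port is a trunk."""
    vlans = {int(v) for v in re.findall(r"switchport access vlan (\d+)", text)}
    return vlans, "switchport mode trunk" in text

def audit(asa_text, switch_text):
    """Sorted list of findings; an empty list means the configs agree and no policy is left to defaults."""
    ifaces, natted, acl_on, pools = parse_asa(asa_text)
    access_vlans, trunk = parse_switch(switch_text)
    inside = {n: i for n, i in ifaces.items() if i["vlan"] is not None}   # the VLAN sub-interfaces
    findings = [] if trunk else ["switch: no trunk port for the ASA sub-interfaces"]
    for name, i in inside.items():
        gw, net = i["addr"].ip, i["addr"].network
        if i["vlan"] not in access_vlans:
            findings.append(f"{name}: VLAN {i['vlan']} has no access port on the switch")
        if name not in natted:
            findings.append(f"{name}: no dynamic NAT to outside, hosts get no internet")
        if name not in pools:
            findings.append(f"{name}: no dhcpd scope, hosts get no address")
        else:
            lo, hi = pools[name]
            if lo not in net or hi not in net or lo > hi:
                findings.append(f"{name}: DHCP pool {lo}-{hi} is not inside {net}")
            elif lo <= gw <= hi:
                findings.append(f"{name}: DHCP pool includes the gateway address {gw}")
        # ASA default policy: traffic from a higher security-level to a lower one is permitted
        # with no ACL at all, so without an inbound access-group this zone reaches every
        # lower-level inside zone as well as the internet.
        lower = sorted(o for o, j in inside.items() if j["security-level"] < i["security-level"])
        if lower and name not in acl_on:
            findings.append(f"{name}: no ACL applied, default policy lets it reach {', '.join(lower)}")
    return sorted(findings)
```

Run `audit(ASA_CONFIG, SWITCH_CONFIG)` on the tutorial's values and the only findings are the two implicit-policy ones (inside1 reaching inside2 and inside3, inside2 reaching inside3); if inter-LAN isolation is intended, that is the signal to apply an inbound ACL on each inside interface that denies the other inside subnets before permitting the rest. Changing a VLAN tag on one side, widening a DHCP pool onto the gateway address, or dropping one of the three NAT statements each produces its own finding.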