
Cisco ASA as DHCP Server with Multiple Internal LANs (Configuration)

Written By Harris Andrea

In this tutorial I will describe the configuration of an interesting network scenario that I’m sure many of you will find helpful. This scenario is applicable in many real world situations, mainly in small to medium networks.

The network scenario is as follows:

We have three different internal LAN networks which host user computers and other IT infrastructure (servers, network printers, etc.).

We want to separate the three internal LANs using an ASA firewall (either the ASA5500 or the newer ASA5500-X models will work fine). The three internal LANs will be connected to the same switch and separated at Layer 2 with three VLANs on the switch.

The ASA firewall will provide internet access to all internal LANs. The ASA will also act as the DHCP server for each internal LAN, assigning the IP addresses for each LAN subnet from a separate DHCP scope.

Also, we will use a single physical interface of the ASA to accommodate the three internal network security zones (“inside1”, “inside2”, “inside3”).

Thus, we need to configure sub-interfaces on a physical interface of the ASA which will be connected to a trunk port of the internal switch. Each sub-interface of the ASA will act as the default gateway for its corresponding internal LAN subnet.

Regarding the switch configuration, we need one Dot1Q (802.1Q) trunk port connected to the ASA, and we need to configure “access ports” belonging to the appropriate VLAN for the internal hosts.

Let’s see the network diagram of our topology below:

 

[Network diagram: cisco asa dhcp multiple scopes]

From our network diagram above:

  • Interface GE1 of the ASA (“outside” zone with IP address 100.1.1.1) will be connected to the ISP.
  • Interface GE0 of the ASA will be connected to a trunk port of the switch (port E0/0). This physical interface of the ASA will be split into three sub-interfaces with each one belonging to a different security zone and VLAN:
    • Sub-interface GE0.1: VLAN10 (IP address 10.1.1.254), zone name “inside1”
    • Sub-interface GE0.2: VLAN20 (IP address 10.2.2.254), zone name “inside2”
    • Sub-interface GE0.3: VLAN30 (IP address 10.3.3.254), zone name “inside3”
  • Interfaces E0/1, E0/2, E0/3 of the switch will be configured as “access ports” belonging to VLANs 10, 20, 30 respectively.
  • Hosts in VLAN10 will be assigned IP addresses by the ASA from a DHCP scope (10.1.1.0/24) enabled on the “inside1” interface.
  • Hosts in VLAN20 will be assigned IP addresses by the ASA from a DHCP scope (10.2.2.0/24) enabled on the “inside2” interface.
  • Hosts in VLAN30 will be assigned IP addresses by the ASA from a DHCP scope (10.3.3.0/24) enabled on the “inside3” interface.
  • All internal LANs will have internet access via the ASA using NAT overload (PAT) of the ASA outside interface.

NOTES:

  • I have not configured communication between the three internal LANs (only internet access allowed).
  • For the ASA5505 you will need the Security Plus license for the above scenario to work.

Let’s now see the configurations of both the ASA and internal SWITCH.

(Only the important commands are shown)

Cisco ASA Configuration:

! This is the physical interface which we’ll split into 3 sub-interfaces (connected to trunk port of switch)
interface GigabitEthernet0
no nameif
no security-level
no ip address
!
! This is sub-interface GE0.1 for VLAN10
interface GigabitEthernet0.1
vlan 10
nameif inside1
security-level 100
ip address 10.1.1.254 255.255.255.0

! This is sub-interface GE0.2 for VLAN20
interface GigabitEthernet0.2
vlan 20
nameif inside2
security-level 90
ip address 10.2.2.254 255.255.255.0

! This is sub-interface GE0.3 for VLAN30
interface GigabitEthernet0.3
vlan 30
nameif inside3
security-level 80
ip address 10.3.3.254 255.255.255.0

! This is the WAN interface connected to ISP
interface GigabitEthernet1
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0

! Configure network objects for the three internal LANs
object network inside1_LAN
subnet 10.1.1.0 255.255.255.0


object network inside2_LAN
subnet 10.2.2.0 255.255.255.0

object network inside3_LAN
subnet 10.3.3.0 255.255.255.0

! This ACL allows ICMP traffic inbound on the outside interface; useful for testing purposes (ping)
access-list OUT extended permit icmp any any
access-group OUT in interface outside

! Configure NAT overload for the three internal LANs using the outside interface. This allows internet access.
object network inside1_LAN
nat (inside1,outside) dynamic interface

object network inside2_LAN
nat (inside2,outside) dynamic interface

object network inside3_LAN
nat (inside3,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 100.1.1.2

! Create 3 different DHCP scopes to assign IP addresses to internal LANs

! DHCP scope for hosts in VLAN10 – “inside1”
dhcpd address 10.1.1.1-10.1.1.100 inside1
dhcpd enable inside1

! DHCP scope for hosts in VLAN20 – “inside2”
dhcpd address 10.2.2.1-10.2.2.100 inside2
dhcpd enable inside2

! DHCP scope for hosts in VLAN30 – “inside3”
dhcpd address 10.3.3.1-10.3.3.100 inside3
dhcpd enable inside3

! Assign DNS server for internal hosts
dhcpd dns 200.1.1.1
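Added example (my own, not the tutorial's or Cisco's tooling): a small Python audit of the ASA commands above. It parses the nameif, ip address, nat and dhcpd address lines, then checks that every inside interface has a DHCP pool that lies inside the interface subnet without handing out the gateway address, and that it has a PAT rule to outside. The embedded sample is a condensed copy of the tutorial's commands; feeding it a real "show running-config" dump returns findings instead of an empty list.

```python
import ipaddress
import re
# Condensed copy of the tutorial's ASA commands (comments, vlan and security-level lines dropped).
SAMPLE_ASA_CONFIG = """\
interface GigabitEthernet0.1
nameif inside1
ip address 10.1.1.254 255.255.255.0
interface GigabitEthernet0.2
nameif inside2
ip address 10.2.2.254 255.255.255.0
interface GigabitEthernet0.3
nameif inside3
ip address 10.3.3.254 255.255.255.0
nat (inside1,outside) dynamic interface
nat (inside2,outside) dynamic interface
nat (inside3,outside) dynamic interface
dhcpd address 10.1.1.1-10.1.1.100 inside1
dhcpd address 10.2.2.1-10.2.2.100 inside2
dhcpd address 10.3.3.1-10.3.3.100 inside3
"""

def parse_asa(text):
    """Return {nameif: {net, gw}}, the nameifs with a PAT rule to outside, and {nameif: (lo, hi)} dhcpd pools."""
    ifaces, pat_to_outside, pools, cur = {}, set(), {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            cur = ifaces.setdefault(m[1], {})
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cur["gw"] = ipaddress.ip_address(m[1])
            cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"nat \((\S+),outside\) dynamic interface$", line):
            pat_to_outside.add(m[1])
        elif m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)$", line):
            pools[m[3]] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
    return ifaces, pat_to_outside, pools

def audit(text):
    """Return findings for the inside interfaces; an empty list means every check passed."""
    ifaces, pat_to_outside, pools = parse_asa(text)
    findings = []
    for name, i in ifaces.items():
        if name == "outside":
            continue
        lo, hi = pools.get(name, (None, None))
        # The pool must exist, lie inside the interface subnet and must not hand out the gateway address.
        if lo is None or lo not in i["net"] or hi not in i["net"] or lo <= i["gw"] <= hi:
            findings.append(f"{name}: dhcpd pool {lo}-{hi} is missing, outside {i['net']} or includes {i['gw']}")
        if name not in pat_to_outside:
            findings.append(f"{name}: no PAT rule to outside, hosts get no internet access")
    return findings
```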

Cisco SWITCH Configuration:

! This is the trunk port connected to interface GE0 of ASA
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto

! Access port for VLAN10
interface Ethernet0/1
switchport access vlan 10
switchport mode access
duplex auto

! Access port for VLAN20
interface Ethernet0/2
switchport access vlan 20
switchport mode access
duplex auto

! Access port for VLAN30
interface Ethernet0/3
switchport access vlan 30
switchport mode access
duplex auto


Comments

  1. Friend says

    April 4, 2016 at 8:43 am

    useful explanation….will help a lot….thanks

  2. felixmwanje says

    April 4, 2016 at 10:32 am

    Thanks for the knowledge you always share with us.
    I will give it more time and see how to go about the configurations. You know I am not very good at router and switch configurations, but I am learning a lot from you since I am new in the networking field.

    Please keep sharing with me so that I become an expert in networks
    Thanks and have a good week
    Felix

  3. Reddy says

    April 4, 2016 at 11:18 am

    Nice article. Would it be possible to post an article on ‘ASA running behind another NAT device and how to port-forward services such as http/https running behind ASA firewall first from internet–> Inside IP address of NAT device which is also the Outside IP address for ASA and then forward it all the way to the webserver running behind ASA’? Use OSPF routing protocol between RFC 1918, and no NAT control on ASA and what if we use NAT control on ASA?

    Webserver(http)–inside(RFC 1918 addresses) –ASA—Outside(RFC 1918 addresses)—NAT/Router—Internet(Public IP)—ISP

  4. Kevynjr says

    April 4, 2016 at 11:20 am

    Hi Andrea,

    Can this be configured on gns3?

    Thanks

    Kevynjr

  5. Harris Andrea says

    April 4, 2016 at 3:19 pm

    Reddy,
    For the scenario you describe, the external NAT device must be able to forward everything to the outside interface of ASA. Then, configure the ASA to do port forwarding of the traffic to the inside network.

  6. Harris Andrea says

    April 4, 2016 at 3:21 pm

    Kevynjr, yes this can be configured on GNS3 (and also you can combine GNS3 and IOU to configure switches etc).

  7. lindsey thomson says

    April 5, 2016 at 2:33 pm

    always great info/data, useful in timeliness, very much appreciated yaa

  8. Sam May says

    April 13, 2016 at 9:45 pm

    Hi Harris,

    I have done it this way on ASA 5505s and on the new ASA 5506-Xs a few times in the past couple of years and can confirm that the way you have documented is also the way I basically have too. The way you structure your way of configuring is very understandable and easy for all interested in such configurations to follow. Please keep up the good work.

    Kindest regards,
    Sam

  9. Harris Andrea says

    April 14, 2016 at 4:46 am

    Thanks a lot Sam for your feedback. I’m glad you like my tutorials.

    Harris

  10. yaseen khan says

    May 25, 2016 at 6:15 pm

    Thank you sir, we got a lot of things, keep it up

  11. Quick Question says

    February 1, 2017 at 4:14 pm

    Do you know if it is possible to have different dns servers defined per dhcp scope? As well as assign different default gateways for each scope?

  12. Harris Andrea says

    February 2, 2017 at 6:08 am

    Yes you can have different DNS servers per DHCP scope. For having different gateways for each scope, I haven’t tried that but my assumption is that it won’t work for each scope. If you add multiple DHCP scopes, yes you can assign different gateways as well.

    Harris

  13. Rajesh says

    February 24, 2017 at 7:53 am

    Thanks a lot for sharing your knowledge, Harris Andrea.

  14. Harris Andrea says

    February 24, 2017 at 9:45 am

    You are very welcome Rajesh

    Harris

  15. cgskr says

    March 14, 2017 at 1:57 pm

    If I am using a Layer 2 switch, how can I run the below command to make the port a trunk port
    switchport trunk encapsulation dot1q
    My understanding is this syntax is run on the router.

  16. Harris Andrea says

    March 14, 2017 at 2:26 pm

    No, this command is run on switches not routers.

  17. Joel Mabasa says

    April 6, 2018 at 3:07 am

    In order to share the internet, it needs to do the PAT in each VLAN Subnet in ASA device.

  18. Harris Andrea says

    April 6, 2018 at 12:35 pm

    Joel,

    Yes what you say is already shown in the configuration above under the comment:

    “! Configure NAT overload for the three internal LANs using the outside interface. This allows internet access.”

  19. Joel Mabasa says

    April 16, 2018 at 7:23 am

    Hi Harris,

    What should be the command for the communication between the three internal LANs?

    Joel

  20. Harris Andrea says

    April 16, 2018 at 7:31 am

    On newer ASA versions you don’t need to create NAT rules between the internal LANs. You must create however Access Control Lists and apply them on the inside security zones to control the traffic between the internal VLANs.

  21. thang says

    December 6, 2018 at 9:46 am

    help me

  22. thang says

    December 7, 2018 at 7:02 am

    How do you config Router ISP? ISP to three Vlan ?

  23. Harris Andrea says

    December 7, 2018 at 11:37 am

    What kind of router? What kind of WAN connection do you have?

  24. Shivaji says

    September 12, 2019 at 4:09 pm

    Nice Explanation Harris

  25. Harris Andrea says

    September 12, 2019 at 4:52 pm

    Thank you sir, I’m glad you liked it.

  26. Manny says

    July 11, 2020 at 10:17 pm

    Hey Harris, thanks so much for your work and thorough explanation.

    I was wondering if you would mind explaining how to configure an IP address for the ASA itself so we can remotely access ASDM or even via SSH from one of the Trunked VLANs.

    This would be useful for management purposes as right now I have to do it via serial cable.

    Maybe I am missing a route in the Switch config or something as I can’t even ping any of the gateways for the VLANs from the Switch.

    Any help would be greatly appreciated :)

  27. Harris Andrea says

    July 12, 2020 at 10:24 am

    Manny,
    The switch in this scenario is purely a Layer2 switch with no routing functionality. The switch just provides Layer2 connectivity for the 3 VLANs to reach the 3 subinterfaces of ASA.

    In your case, have you configured the Switch as a Layer 3 device? Can you share the configuration of the switch?

  28. Pablo Salfate says

    October 22, 2020 at 2:24 am

    thanks a lot for sharing this tutorial, very very well done specially in the time you took explaining each of the steps, thanks again.

  29. Harris Andrea says

    October 22, 2020 at 4:52 am

    You are welcome Pablo. I’m glad you liked my tutorial.

    Harris

  30. Aleksandar Batinic says

    December 11, 2022 at 4:12 pm

    Hey, thanks for the explanation. Is there any chance to configure a communication between the 3 internal VLANs, because they all have the ASA as the default gateway.

    Greetings
    Aleks

  31. Harris Andrea says

    December 11, 2022 at 5:16 pm

    Aleks, yes of course. You will need to create Access Control Lists (ACL) and NAT rules (if needed) to allow access from the ASA between the internal VLANs.
