Referenced:http://www.petenetlive.com/KB/Article/0000869

Problem

I had to set this up for a client this week. I've set up a DMZ on a 5505 before, and I've set up other VLANs to do other jobs, e.g. visitor Internet access, but this client needed a secondary VLAN setting up for IP Phones. In addition, I needed to route traffic between both the internal VLANs.

I did an internet search and tried to find some configs I could reverse engineer; the few I found were old (pre version 8.3) ones, and the little info I got was from people in forums asking why theirs did not work. So I built a firewall with 8.2 code, then worked out how to do it, then upgraded the firewall to version 9.1. Finally I picked out the relevant parts of the upgraded config.

Here's the scenario I'm going to use for this example.

Solution

Before we start, yes I know the ASA is a firewall, not a router! A better solution would be to have either a router behind the firewall or (as is more common) a switch that is layer 3 capable, i.e. one that can route.

Your ASA MUST have a Security Plus licence to be able to do this. Check your license version.

The commands you use will be different if your firewall is running an operating system earlier than 8.3; check your ASA version and proceed to the correct set of commands.

For Firewalls running an Operating System OLDER than 8.3 go here

How to Setup VLAN Routing on an ASA 5505 (Version 8.3 and Newer)

1. Connect to the firewall, go to enable mode, then go to configure terminal mode.

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#

2. As in the diagram (above) I have three VLANs: VLAN 2 is outside and will be connected to Ethernet 0/0. VLAN 1 is inside and will be connected to Ethernet 0/1. VLAN 112 is for my phones and will be connected to Ethernet 0/2. Here I set up the IP addresses and add the VLANs to the physical interfaces.

Note: I don't need to Add VLAN 1 to Ethernet 0/1, because all ports are in VLAN 1 by default.

Petes-ASA(config)# interface Ethernet0/0
Petes-ASA(config-if)# switchport access vlan 2
Petes-ASA(config-if)# interface Ethernet0/2
Petes-ASA(config-if)# switchport access vlan 112
Petes-ASA(config-if)# interface Vlan1
Petes-ASA(config-if)# nameif inside
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.12.254 255.255.255.0
Petes-ASA(config-if)# interface Vlan2
Petes-ASA(config-if)# nameif outside
Petes-ASA(config-if)# security-level 0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.248
Petes-ASA(config-if)# interface Vlan112
Petes-ASA(config-if)# nameif PHONE_VLAN_112
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.112.254 255.255.255.0

3. To get traffic working to the internet you will need to specify a 'route' to your outside router.

Petes-ASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124

4. Turn on 'hairpinning' (the ability to route traffic back out of the same interface it came in through) and allow traffic to pass between interfaces that share the same security level (both internal VLANs are at 100).

Petes-ASA(config)# same-security-traffic permit inter-interface
Petes-ASA(config)# same-security-traffic permit intra-interface

5. Out of the box, if you have not configured any access-lists, you can skip this step, as traffic will flow from a more secure interface (the inside and the phone one) to a less secure interface (the outside one). Here I'm going to use an ACL and allow all traffic anyway. Note that once an access-group is applied to an interface it filters all traffic entering that interface, including traffic bound for the other internal VLAN, so bear that in mind if you tighten these ACLs later.

Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112

6. Now set up 'dynamic' NAT so that all traffic leaving both the inside VLAN and the Phone VLAN network gets NATTED to the public IP address.

Petes-ASA(config)# object network obj_any
Petes-ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
Petes-ASA(config-network-object)# nat (inside,outside) dynamic interface
Petes-ASA(config-network-object)# object network obj_any-01
Petes-ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
Petes-ASA(config-network-object)# nat (PHONE_VLAN_112,outside) dynamic interface

7. Now set up 'static' (identity) NAT so that traffic travelling between the inside VLAN and the phone VLAN does NOT get NATTED: each subnet is mapped to itself.

Petes-ASA(config)# object network obj-192.168.12.0
Petes-ASA(config-network-object)# subnet 192.168.12.0 255.255.255.0
Petes-ASA(config-network-object)# nat (inside,PHONE_VLAN_112) static 192.168.12.0
Petes-ASA(config-network-object)# object network obj-192.168.112.0
Petes-ASA(config-network-object)# subnet 192.168.112.0 255.255.255.0
Petes-ASA(config-network-object)# nat (PHONE_VLAN_112,inside) static 192.168.112.0

8. Enable routing, and set the MTU for all three VLANs.

Petes-ASA(config)# router eigrp 500
Petes-ASA(config-router)# network 192.168.12.0 255.255.255.0
Petes-ASA(config-router)# network 192.168.112.0 255.255.255.0
Petes-ASA(config-router)# passive-interface outside
Petes-ASA(config-router)# exit
Petes-ASA(config)# mtu inside 1500
Petes-ASA(config)# mtu outside 1500
Petes-ASA(config)# mtu PHONE_VLAN_112 1500

9. Save the changes, and give it a test.

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

Full config for you to copy and paste:

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 112
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.12.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.248
!
interface Vlan112
 nameif PHONE_VLAN_112
 security-level 100
 ip address 192.168.112.254 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any
access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
!
object network obj-192.168.12.0
 subnet 192.168.12.0 255.255.255.0
 nat (inside,PHONE_VLAN_112) static 192.168.12.0
object network obj-192.168.112.0
 subnet 192.168.112.0 255.255.255.0
 nat (PHONE_VLAN_112,inside) static 192.168.112.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
 nat (PHONE_VLAN_112,outside) dynamic interface
!
mtu inside 1500
mtu outside 1500
mtu PHONE_VLAN_112 1500
!
access-group outbound in interface inside
access-group VLAN112_outbound in interface PHONE_VLAN_112
!
router eigrp 500
 network 192.168.12.0 255.255.255.0
 network 192.168.112.0 255.255.255.0
 passive-interface outside
!
route outside 0.0.0.0 0.0.0.0 123.123.123.124

How to Setup VLAN Routing on an ASA 5505 (Pre Version 8.3)

1. Connect to the firewall, go to enable mode, then go to configure terminal mode.

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#

2. As in the diagram (above) I have three VLANs: VLAN 2 is outside and will be connected to Ethernet 0/0. VLAN 1 is inside and will be connected to Ethernet 0/1. VLAN 112 is for my phones and will be connected to Ethernet 0/2. Here I set up the IP addresses and add the VLANs to the physical interfaces.

Note: I don't need to Add VLAN 1 to Ethernet 0/1 because all ports are in VLAN 1 by default.

Petes-ASA(config)# interface Ethernet0/0
Petes-ASA(config-if)# switchport access vlan 2
Petes-ASA(config-if)# interface Ethernet0/2
Petes-ASA(config-if)# switchport access vlan 112
Petes-ASA(config-if)# interface Vlan1
Petes-ASA(config-if)# nameif inside
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.12.254 255.255.255.0
Petes-ASA(config-if)# interface Vlan2
Petes-ASA(config-if)# nameif outside
Petes-ASA(config-if)# security-level 0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.248
Petes-ASA(config-if)# interface Vlan112
Petes-ASA(config-if)# nameif PHONE_VLAN_112
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.112.254 255.255.255.0

3. To get traffic working to the internet you will need to specify a 'route' to your outside router.

Petes-ASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124

4. Turn on 'hairpinning' (the ability to route traffic back out of the same interface it came in through) and allow traffic to pass between interfaces that share the same security level (both internal VLANs are at 100).

Petes-ASA(config)# same-security-traffic permit inter-interface
Petes-ASA(config)# same-security-traffic permit intra-interface

5. Out of the box, if you have not configured any access-lists, you can skip this step, as traffic will flow from a more secure interface (the inside and the phone one) to a less secure interface (the outside one). Here I'm going to use an ACL and allow all traffic anyway. Note that once an access-group is applied to an interface it filters all traffic entering that interface, including traffic bound for the other internal VLAN, so bear that in mind if you tighten these ACLs later.

Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112

6. Enable NAT so that all traffic leaving both the inside VLAN and the Phone VLAN network gets NATTED to the public IP address.

Petes-ASA(config)# global (outside) 1 interface
Petes-ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Petes-ASA(config)# nat (PHONE_VLAN_112) 1 0.0.0.0 0.0.0.0

7. Now set up 'static' (identity) NAT so that traffic travelling between the inside VLAN and the phone VLAN does NOT get NATTED: each subnet is mapped to itself (the syntax is static (real_ifc,mapped_ifc) mapped_net real_net).

Petes-ASA(config)# static (inside,PHONE_VLAN_112) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
Petes-ASA(config)# static (PHONE_VLAN_112,inside) 192.168.112.0 192.168.112.0 netmask 255.255.255.0

8. Enable routing, and set the MTU for all three VLANs.

Petes-ASA(config)# router eigrp 500
Petes-ASA(config-router)# network 192.168.12.0 255.255.255.0
Petes-ASA(config-router)# network 192.168.112.0 255.255.255.0
Petes-ASA(config-router)# passive-interface outside
Petes-ASA(config-router)# exit
Petes-ASA(config)# mtu inside 1500
Petes-ASA(config)# mtu outside 1500
Petes-ASA(config)# mtu PHONE_VLAN_112 1500

9. Save the changes, and give it a test.

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

Full config for you to copy and paste:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.12.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.248
!
interface Vlan112
 nameif PHONE_VLAN_112
 security-level 100
 ip address 192.168.112.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 112
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any
access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
!
mtu inside 1500
mtu outside 1500
mtu PHONE_VLAN_112 1500
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (PHONE_VLAN_112) 1 0.0.0.0 0.0.0.0
!
static (inside,PHONE_VLAN_112) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
static (PHONE_VLAN_112,inside) 192.168.112.0 192.168.112.0 netmask 255.255.255.0
!
access-group outbound in interface inside
access-group VLAN112_outbound in interface PHONE_VLAN_112
!
router eigrp 500
 network 192.168.12.0 255.255.255.0
 network 192.168.112.0 255.255.255.0
 passive-interface outside
!
route outside 0.0.0.0 0.0.0.0 123.123.123.124
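The easiest mistake to make in step 7 of either section is to write the static rule so that it translates between the two internal subnets instead of mapping each subnet to itself. The following Python checker is an added example (not PeteNetLive's code or anything from the article) that parses both NAT syntaxes, the pre-8.3 "static (real,mapped) MAPPED REAL netmask ..." form and the 8.3+ object "nat (real,mapped) static MAPPED" form, and flags any static NAT between two internal interfaces (security-level above 0) whose mapped network differs from its real network. It also warns if two interfaces share a security level and "same-security-traffic permit inter-interface" is missing, which would silently block inter-VLAN traffic. The two sample configs are constructed from the article's addressing; the pre-8.3 sample deliberately carries a translating first rule so the check fires.

```python
import re
from dataclasses import dataclass

# Pre-8.3 syntax:  static (real_ifc,mapped_ifc) MAPPED REAL netmask MASK
PRE83_STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
# 8.3+ object NAT: nat (real_ifc,mapped_ifc) static MAPPED  (REAL = object's subnet)
OBJ_STATIC = re.compile(r"^nat \((\S+),(\S+)\) static (\S+)$")


@dataclass
class StaticNat:
    real_ifc: str
    mapped_ifc: str
    real_net: str
    mapped_net: str
    syntax: str  # "pre-8.3" or "8.3+"


def parse_interfaces(cfg):
    """Map each nameif to its security-level from the 'interface ...' blocks."""
    levels, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {}
        elif current is not None and line.startswith("nameif "):
            current["name"] = line.split()[1]
        elif current is not None and line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        if current and "name" in current and "level" in current:
            levels[current["name"]] = current["level"]
            current = None
    return levels


def parse_static_nats(cfg):
    """Collect static NAT rules in either syntax as StaticNat records."""
    nats, subnet = [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            subnet = None  # new object: forget the previous object's subnet
        elif line.startswith("subnet "):
            subnet = line.split()[1]
        m = PRE83_STATIC.match(line)
        if m:
            real_ifc, mapped_ifc, mapped, real, _mask = m.groups()
            nats.append(StaticNat(real_ifc, mapped_ifc, real, mapped, "pre-8.3"))
            continue
        m = OBJ_STATIC.match(line)
        if m and subnet is not None:
            real_ifc, mapped_ifc, mapped = m.groups()
            nats.append(StaticNat(real_ifc, mapped_ifc, subnet, mapped, "8.3+"))
    return nats


def non_identity_internal_nats(cfg):
    """Static NATs between two internal interfaces that WOULD translate."""
    levels = parse_interfaces(cfg)
    return [n for n in parse_static_nats(cfg)
            if levels.get(n.real_ifc, 0) > 0 and levels.get(n.mapped_ifc, 0) > 0
            and n.real_net != n.mapped_net]


def missing_same_security_permit(cfg):
    """True if interfaces share a level but inter-interface traffic is not permitted."""
    levels = list(parse_interfaces(cfg).values())
    shared = len(levels) != len(set(levels))
    permitted = any(l.strip() == "same-security-traffic permit inter-interface"
                    for l in cfg.splitlines())
    return shared and not permitted


# Constructed samples using the article's interface names and subnets.
INTERFACES = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan112
 nameif PHONE_VLAN_112
 security-level 100
"""

# Pre-8.3 sample: the first rule translates 192.168.12.0 -> 192.168.112.0 (the
# defect this checker catches); 'same-security-traffic' deliberately left out.
PRE83_CFG = INTERFACES + """\
static (inside,PHONE_VLAN_112) 192.168.112.0 192.168.12.0 netmask 255.255.255.0
static (PHONE_VLAN_112,inside) 192.168.112.0 192.168.112.0 netmask 255.255.255.0
"""

# 8.3+ sample: identity NAT for both internal subnets, dynamic PAT to outside.
NEW_CFG = INTERFACES + """\
same-security-traffic permit inter-interface
object network obj-192.168.12.0
 subnet 192.168.12.0 255.255.255.0
 nat (inside,PHONE_VLAN_112) static 192.168.12.0
object network obj-192.168.112.0
 subnet 192.168.112.0 255.255.255.0
 nat (PHONE_VLAN_112,inside) static 192.168.112.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
"""

if __name__ == "__main__":
    for name, cfg in (("pre-8.3", PRE83_CFG), ("8.3+", NEW_CFG)):
        for n in non_identity_internal_nats(cfg):
            print(f"[{name}] {n.real_ifc}->{n.mapped_ifc}: {n.real_net} would be "
                  f"translated to {n.mapped_net}; use an identity NAT")
        if missing_same_security_permit(cfg):
            print(f"[{name}] add: same-security-traffic permit inter-interface")
```

Paste your own running config into one of the sample strings (or read it from a file) before running; the checker only looks at interface blocks and static NAT lines, so the rest of the config is ignored.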
