WE have to deploy ASA5585 in between User vlans & server vlans. we have to find all the ports that needs to be opened on firewall. any tools to do same.
View 2 RepliesI can't seem to find any info on how to configure 2 DHCP server pools on a C3750, to use with 2 user vlans. The purpose is that users in vlan 1 should get an IP address from DHCP server1, and users in vlan 2 should get an IP address from DHCP server2. Both DHCP servers are configured in a stack of C3750 switches, which acts a a L2 switch.
View 2 Replies View RelatedHow to configure DHCP server if i have 2 vlans. I know how to configure rest of the network, just i don't know server.I use packet tracer and i attached file with my network. PC1 is on VLAN1 and PC2 is on VLAN2.I want ip addresses in vlan1 to be from 192.168.1.2 and in vlan2 from 192.168.2.2. I would like to do it just like in the designed network, without router.
View 5 Replies View RelatedI have several Cata 3500XL switches connected to one 1 HP L3 switch which is connected Sonicwall router. Vlan1 has subnet of 10.10.0.0/24 and Microsoft DCHP server lays inside VLAN1.
Now i want to add VLAN11 (192.168.10.0/24) as second data VLAN but DHCP requests should go to microsoft DCHP server.
This is what i did:
Configured VLAN11 IP on each cisco switch
IP default gateway with IP from other subnet (i guess this is bad since maybe it should be IP of VLAN11 on HP L3 switch?)
Trunk ports are configured to pass everything on cisco switches
On VLAN11 i configured IPhelper IP to be MS DHCP server on each Cisco switch
I haven't tested this yet but i have problem in process.I can't ping VLAN11 IPs between switches (i configured VLAN1 and VLAN11 with IP). When client plugs computer to a port that belongs to VLAN11 will i be sure that client will get IP from the 192.168 range or there is possiblity that he gets IP from the management VLAN range?
I need to create a firewalled segment that not only separates hosts from general population, but also from each other. The solitary confinement of firewalled segments.I know that I could create a bunch of sub-interfaces, one for each host or group that needs to be isolated, but I'd really rather not have to do that if possible. 1) It could become a management nightmare between ACLs and sub-interfaces and 2) it's a waste of IP addresses.s there any way that I can create a bunch of separate VLANs behind the firewall and have them all terminate at the firewall, using a single firewall IP address for the gateway?
VLAN 1 - hosts 1.1.1.5 and 1.1.1.6VLAN 2 - hosts 1.1.1.7
Firewall DMZ Interface - 1.1.1.1VLAN 3 - hosts 1.1.1.8 and 1.1.1.9
This way, the hosts are isolated and can't talk to each other unless they're on the same VLAN.I'm working with an ASA 5510 running 8.2.4(4).
communication between 2 vlans.i have 2 vlans
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add 2.2.2.2
i want to make communication between 2 vlans on firewall 5520 ASA 8.2.
I am trying to connect 2 VMWARE servers directly to my 5515-X firewall. [code]ASDM will not let me assign the same VLAN to both Gi0/2 and Gi0/3. I dont want to connect my VMWARE servers to a switch first (that just adds one more component that can fail).
View 4 Replies View Related i am trying to get my ASA 5505 with 2 internal VLANs (voice and data) and external internet VLAN to run in router as a stick, and route between VLANS.
I cant get it working though:
[code]...
I have an ASA 5505 and I have the three regular vlans, outside, inside and dmz. The best would be only have outside and inside and skip dmz, but without explenation there is not possible to have more then two clients in whats now dmz because of a mac filter on third party device.
So as security is concerned dmz and inside is equal, one to one and there should be full access between them. I ran the wizard and said that the only way traffic not should be possible to flow is from dmz to outside.
In the NAT rules the onle rule is
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
But traffic from one way or the other dmz to inside, og inside to dmz it says in log
3Dec 06 201215:38:39305006172.17.6.1053portmap translation creation failed for udp src inside:192.168.6.102/49358 dst dmz:172.17.6.10/53 From documentation I have an image with network drawing from documentation. What do I have to do allow traffic btween inside and dmz, both ways.
I have a 5505 with Base license running ASA software v8.4(2) that has been working happily for a while with an inside and an outside VLAN.
The outside has a single statically configured public IP, and I have a number of static NAT rules to expose a few internal servers as well as Dynamic-NAT for all devices on inside to gain access to the Internet... the main bits of the config are below:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
[code]....
I now have a requirement to add a "dmz" VLAN for guests to have access to the Internet using a dedicated wireless AP, but not to any of the inside resources. As the ASA has a base license I have configured "no forward interface" to the inside vlan, which suits the purpose fine
interface Vlan12
description Used only for guests access to the Internet - no access to the corporate resources
no forward interface Vlan1
nameif guests
security-level 20
ip address 192.168.2.1 255.255.255.0
My problem is that when I try to add NATing from the dmz to the outside I get a:
ERROR: Address a.b.c.d overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
with either:
object network guests_subnet
subnet 192.168.2.0 255.255.255.0
nat (guests,outside) dynamic interface
[code]....
Having had a look at the ASA Configuration guides, all the examples I can see with several "internal" VLAN's being NAT'ed use one external IP per VLAN - is this a feature/restriction of the ASA software? Are there any workarounds? Or is the overlap in the error message really about the current NATing to the inside VLAN which is done on the "any" 0.0.0.0 subnet - would the following then work:
object network obj_any
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic a.b.c.d
object network guests_subnet
subnet 192.168.2.0 255.255.255.0
nat (guests,outside) dynamic a.b.c.d
I need to be able to create vlans in my ASA 5510.
I can'T find anywhere to do this.
I've tried the "routers command" I know, like vlan databse and it does'nt work
Is there a way to "enable" vlan on a ASA 5510 ?
so I look up ASA5505 licensing and for VLAN support see: 3 (no trunking support)/20 (with trunking support)*
I need 3 VLANs...inside, outside, and DMZ..but when it is creating the third (DMZ) it says I am only allowed to have 2 VLANs and can only create the third if its set to not forward traffic. ?
I need to configure two VLANs in my home network to separate a server 1 with VM from another part of network with server 2 and wifi clients. Is it possible to keep DHCP server and internet access on E2500 enabled for both vlans? If so, how should I configure ports tagging (variant shown on screen shoot below doesn't work).
View 5 Replies View RelatedHow to secure vlans on Catalyst 6500 by using Cisco ASA Firewalls?There are no free modules on Catalyst 6500 to install a FWSM module.What is the best configuration to secure vlans (~80 vlans) by using cisco ASA firewalls (context, hairpining...)?
View 1 Replies View RelatedI have 2 ASA 5505 firewalls and 1 cisco 3560 switch.
One ASA 5505 firewall and cisco 3560 switch located at SITE-A. Another ASA 5505 firewall located at SITE-B.
Below is the my connectivity:
Site-A IPSec VPN Site-B
cisco 3560 <----------------------------> ASA 5505<------------------------------------------------------------------------------------> ASA 5505
I planned to create 5 vlans in my cisco 3560 switch. these 5 vlans needs to have internet and needs to access Site-B.
I will write on dafault route to firewall in my cisco 3560 switch. Is ASA 5505 supports this scenario??? If it is then how to configure ASA 5505 firewall.
I've got an ASA 5505 with the Security Plus license that I'm trying to configure.
So far I have setup NATing on two VLANs, one called 16jda (VLAN 16 - 10.16.2.0/24) and one called 16jdc (VLAN 11 - 10.105.11.0/24).
From each subnet I am able to connect to the internet, but I need these subnets to also be able to talk to each other.
I have each VLAN interface at security level 100 and enabled "same-security-traffic permit inter-interface", and I have setup static NAT mappings between the two subnets, but they still can't communicate.
When I try to ping there is no reply and the only log message is: 6 Aug 21 2012 09:00:54 302020 10.16.2.10 23336 10.105.11.6 0 Built inbound ICMP connection for faddr 10.16.2.10/23336 gaddr 10.105.11.6/0 laddr 10.105.11.6/0
My ISP insists on using a /30 IP WAN block to connect to its equipment even though it is an ethernet handoff. They wil then route a /27 public IP block to my firewall. I would have liked to skip the WAN block and connect my PIX directly to the interface but now have to deal with two sets of IP blocks and routing between them but I still want to avoid having to use a router in between their equipment and my firewall.Is it possible to use one of the switch ports on the PIX and configure it as a separate VLAN to handle the WAN block and then route internally to another VLAN with the public block and still be able to use NAT, ACL and IPSec on the PIX?
View 4 Replies View RelatedWe have 2xASA5510. I have 2 Inside interfaces as INS_STAFF and INS_QUEST and two Outside interface OUT_STAFF and OUT_QUEST which is in sapareta ISP's. All interfaces is assinged to different vlans. now i want to nat INS_STAFF to OUT_STAFF and INS_QUEST to OUT_QUEST,because I'm having two default routes it gets impossible to do. Plus I want to make failover with my ASA's. I know that i can solve this problem with PBR on router.but I haven't it . make context's and separate each Inside and Outside alone?
View 1 Replies View RelatedI have ASA 5505 Firewall with security plus license, I configured two V LAN 1 and V LAN 5 as my inside V LAN for different sub net, i need to route the traffic between this two V LAN's through ASA. I configured
int vlan 1
nameif inside
Security level 100
Ip address 172.16.100.1 255.255.255.0
[Code] .........
The problem is i am not able to ping other sub net, for ex my PC is in V LAN 1 not able to ping 192.168.22.1 ... For troubleshoot i type debug icmp trace while pinging other subnet
ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4608 len=32ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=4864 len=32ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5120 len=32ICMP echo request from 192.168.22.2 to 172.16.100.101 ID=512 seq=5376 len=32
I turn off the firewall on my local machine.
ASA's G0/2 interface is connected to G0/1 interface of a 3560G switch in DMZ, below is the config and diagram
Switch Config
int g0/1
switchport mode trunk
switchport trunk encapsulation dot1q
int vlan 1
ip add 192.168.0.100 255.255.255.0
We are running out of IPs in 192.168.0.X network and planning on creating sub interfaces on the ASA and trunk it to the switch so that we can have multiple V LANs in DMZ. Tried the below config in LAB but that didn't work, can you have a look at it and let me know if I miss anything. No change on the switch config since G0/1 is already a trunk port.
ASA Config
interface GigabitEthernet0/2
description Trunk to DMZ networks
no nameif dmz
[code]...
If I change the V LAN on the switch from 1 to a different V LAN, say V LAN 50 for example, and configure the ASA accordingly its working fine.
A CISCO 3750-X stack with several VLANs and many ACLs applied to the virtual interfaces. Intervlan routing is on. Connected to this stack are VMware hosts and with about 500 VMs.We started using the ACLs to allow connectivity between VLANs to specific hosts and it has grown to thousands of lines. I personally do not think this is good for the switch and believe the switch was not intended to be used for that security feature.
- Does it make it sense to add an "internal firewall" between the CORE ROUTER AND THE 3750-X SWITCH STACK ?
- Do you recommend any other way?
- Any recommended CISCO resource/white paper to read about best practice
we have a cat6509 with FWSM. We pass to the FWSM several VLANs. AllL3 is assigned to the FWs.In the Cat6500 log we have received this message %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks ,when we configure 2 vlans in a trunk to an ESX server (these 2 VLANs are alreadyassigned to the FWSM).Idea is to share an interface to a ESX server with several VLANs, some of them are assigned also to FWSM.
View 1 Replies View RelatedWe have a data center with servers set up for different projects, some servers from partner companies and several small LANs. The traffic between all those needs to be controlled and firewalled. The servers and LANs are divided into different subnets and VLANs. Physically, their traffic is aggregated on a couple of 4506 and then sent to a FreeBSD server, where the logical gateways are set up and traffic is filtered between them.The BSD server is dying and having it there is incorrect in the first place, so we are planning to replace it with two ASA (5520) in failover.The question that arises is how to correctly implement firewalling between VLANs. Originally we thought to set up the firewalls in transparent mode and logically terminate VLANs on a stack of 3750 switches behind them, but would that filter the traffic between the VLANs? Then we thought to perhaps terminate the VLANs on the ASAs, use routing mode, and do filtering there, as well. Or should we implement multiple contexts? We have about 20 VLANs and all of them differ in rules of what should go there. None of this can be concidered an "inside" - trusted - zone, nor "outside". Internet and external links are connected and filtered in a different place.
View 1 Replies View RelatedI've got a cisco asa 5520 and setting up the NAT for multiple DMZs on it.
I want to use PAT on the outside interface.
internally ive created subinterfaces for the VLANs and connected to a trunk port on a switch.
configure NAT for this scenario. I've got only 1 external public IP address.
I am buying ASA 5505 with security license. It says it can support 20 vlans does it support 20 vlans by allowing to create subinterfaces? As it has 8 physical ports only?
View 3 Replies View RelatedI have a ASA 5505 with the security plus license. I have 7 vlans, 2 are guest vlans for wireless and wired connections. I am allowing traffic from the guest vlans to any with the http & https protocols I have ACL's in place before the allow all rule that do not allowed traffic from the guest vlans to the other vlans. Is there any way to have all traffic from the guest vlans to always go to the outside interface for the http & https traffic in stead of trying to go to the other vlans first, I know I have the ACL's in place to prevent the traffic but if I would feel better if I had this in place as well.
View 5 Replies View RelatedI have to put an ACL Firewall in front of a public IP range.There's no routing so I want to do it with a transparent layer 2 Firewall. I found this document which descibes exactly that feature I need: [URL]
It seems to be a feature introduced in IOS 12.3.
My Questions:
1.) is it possible use this transparent firewall feature with the 3750 Switch instead of a "normal" IOS-Based router?
2.) I've seen there is no IOS 12.3 for the 3750 but rather 12.2 (currently installed) or 15.0.1. Is this Feature included in 15.0.1?
If the feature described above is not available, is there any other way to achieve my goal?
ASA 5505 vlans routing & access-list?
View 4 Replies View RelatedI am trying to provide internet access to public and private SSID's on Cisco AP541n using VLAN's connected directly to ASA5505. VLAN1 is inside interface (private) and VLAN12 is wlan interface (public SSID). The AP541n is plugged into switch port 0/7 on an ASA 5505.Port 0/7 is configured as trunk mode. I have internet access when connected to private SSID but no internet access when connected to public SSID. why I can't access internet on public SSID?
logging class ip history emergencies
mtu inside 1500
mtu outside 1500
[Code].....
I have an ASA 5505 with the security plus software and I'm trying to find out how to assign 2 public IPs to the outside interface and have each IP routed to a separate internal VLAN. For example, IP 1 = X.X.X.1 routed to 192.168.1.0 and IP 2 X.X.X.2 routed to 192.168.2.0. I was told this was possible and I've been trying to find configuration examples, but I can't seem to get anywhere and now I'm getting desperate because I'm scheduled to install it this weekend.
View 1 Replies View RelatedWe currently have a HP blade platform which has two Cisco CBS30X0 switches built into it running Version 12.2(55)SE. These are connected to two Cisco C2960 aggregation switches running Version 12.2(44)SE6. According to this article I need to upgrade these to 12.2(25)FX: url...
1.)This will according to that article only allow me to create edge ports on them, is this a hardware limitation or am I just not finding what firmware I need to upgrade them to, in order to allow the creation of community VLANs? We have these aggregation switches conncted directly to multiple types of firewalls which take care of each of our clients networks including internet access etc. We are wasting many VLANs and IP addresses with our current setup so I am hoping to move over to using private VLANs. The setup of the private VLANs looks simple enough.
2.)When the private VLAN's try to communicate, all info will be sent directly to the layer 3 device I gather, which will not need to know anything about the private VLANs?
We have a HP Procurve 5412zl switch as our default gateway for all our VLANs from there the traffic will be going to a Cisco ASA 5515 and then to a Cisco 3800 Router then to our ISP.
We have yet to purchase the ASA but my question is about my future configuration. I will have the router of last resort on the 5412zl setup to point to the ASA inside interface, how does that work with multiple VLANs? For instance the ASA inside interface would be 10.0.0.1 but traffic could come from another VLAN via the switch with a 192.168.1.x address. Would the ASA just pass it on to the router? Or would it conside this spoofing and drop the packet?
Lastely, if we have WCCP set for the ASA's inside interface, how would it handle the redirect for multiple VLANs ip addresses? Would I use GRE for the redirect to my web filter?
I have FWSM running version 3.2(23) , configured with interface vlans , all having the same security level , except outside interface vlan which has security level 0 , also same-security-traffic permit inter-interface and same-security-traffic permit intra-interface are configured, my problem is when establishing sessions (I tried TCP only using ssh and telnet , in addition of ping ) from one specific vlan (172.16.1.0/28) to other vlan (172.16.1.16/28) , I can not see the established sessions in "show xlate debug" output ! although I can see these sessions from capture ! the two subnets are separate , two different /28.
I can see the session established from the remaining interface vlans with same security level toward 172.16.1.16/28 , my question is what is the exception with vlan having this subnet172.16.1.0/28, how it can reach other vlan with subnnet 172.16.1.16/28 without showing anything in xlate table ? do you thing it is bug ?