Mulitple VRF network through ASA

sajism220
Level 1

We are going to set up an ASA. Currently I am using an ASA 5510 for testing purposes. We have 4 VRFs running in the core which need to be NATed and should get internet access. I am pasting the sample config file below.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.30
 description ISG-Interface
 vlan 30
 nameif ISG
 security-level 75
 ip address x.x.x.x x.x.x.x
!
! Sub-interface IDs must be unique; the post reused Ethernet0/1.30 here,
! which would overwrite the ISG sub-interface. Renumbered to match VLAN 40.
interface Ethernet0/1.40
 description Internet-Interface
 vlan 40
 nameif internet
 security-level 75
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1.31
 description DMZ-Interface
 vlan 20
 nameif DMZ
 security-level 50
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1.50
 description ISG/BH-Management Interface
 vlan 50
 nameif mgmt
 security-level 100
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1.x
 description Wireless-Interface
 vlan x(Wireless)
 nameif WIFI
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1.x
 description Corporate Network-Interface
 vlan x(Corp-network)
 nameif Corp
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1.x
 description DHCP-Non-DHCP TAL Network-Interface
 vlan x(Dhcp-Tal)
 nameif DHCP-TAL
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
nat-control
global (outside) 1 interface
nat (ISG) 1 0.0.0.0 0.0.0.0
nat (WIFI) 1 0.0.0.0 0.0.0.0
nat (DHCP-TAL) 1 0.0.0.0 0.0.0.0
! Identity NAT for Corp; the ACL name must match the access-list defined below
! (the post referenced "nonat" here but defined "corp-nonat").
nat (Corp) 0 access-list corp-nonat
!
! Note: neither an ACL named "inside" nor an interface named "prv-internet"
! is defined in this excerpt; both must exist for this line to take effect.
access-group inside in interface prv-internet
!
route ISG x.x.x.x x.x.x.x
route ISG x.x.x.x x.x.x.x
!
route WIFI x.x.x.x x.x.x.x
route WIFI x.x.x.x x.x.x.x
route WIFI x.x.x.x x.x.x.x
!
route CORP x.x.x.x x.x.x.x
route CORP x.x.x.x x.x.x.x
route CORP x.x.x.x x.x.x.x
route CORP x.x.x.x x.x.x.x
!
route DHCP-TAL x.x.x.x x.x.x.x
route DHCP-TAL x.x.x.x x.x.x.x
!
! The corp network uses public addresses, so it does not require NAT.
! Syntax is: permit ip <source> <source-mask> <destination>; the stray "1"
! in the post is dropped and "any" supplied as the destination.
access-list corp-nonat extended permit ip x.x.x.x x.x.x.x any

And so on; we will add the other access lists for all the other interfaces as well.

Will this scenario work in real time? Anyone who has experience with this kind of network, please share. I would be grateful.

Thanks

Saji k.s

3 Replies

andrew.prince
Level 10

Looks OK to me, but just to be sure, instead of 0.0.0.0 0.0.0.0 I would replace it with the actual IP subnet of the VRF.

I would also increase the security-level of the ISG interface, as you will have to write an ACL for that interface to access the internet!

And of course the switch port that Ethernet 0/1 connects to must be a trunk port.

HTH.

Hi andrew,

Thank you for the reply.

So I can create the ISG access list on the ASA and map it to the NAT interface for the people who want to access the internet, e.g. private users with DHCP option 82 and without option 82. Will this be possible? Because all users who use this kind of option will come through the ISG.

Can we create an access list for corp-internet? Because this network will use public IPs for its internet use, we can just give NO NAT and do the same, am I right?

We also have a WiFi VRF; people who are accessing WiFi should be able to get internet, which needs to be NATed through the ASA. Do we require an access list for this?

Expecting your reply.

Saji

In answer to your questions:

Yes

Yes

Yes

HTH.
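To show the three "Yes" answers in working form, here is an added example (constructed for this thread, not the poster's or Cisco's configuration) using the same pre-8.3 NAT syntax as the posted config. It assumes per-VRF prefixes 10.30.0.0/16 (ISG), 10.40.0.0/16 (WIFI), 10.50.0.0/16 (DHCP-TAL), the public block 203.0.113.0/24 for Corp, and next hops on each sub-interface; all addresses are documentation/private ranges chosen for illustration.

```cisco
! Constructed example: one NAT pool shared by the private VRFs, identity NAT
! for the public-addressed Corp VRF, a restrictive ACL on the ISG interface,
! and return routes for each VRF.
nat-control
global (outside) 1 interface
! Pool 1 = PAT behind the outside address. Match the real VRF prefixes
! (the same prefixes routed below), not 0.0.0.0/0, so only traffic that
! actually belongs to the VRF is translated.
nat (ISG) 1 10.30.0.0 255.255.0.0
nat (WIFI) 1 10.40.0.0 255.255.0.0
nat (DHCP-TAL) 1 10.50.0.0 255.255.0.0
!
! Corp already uses public addresses: identity NAT (nat 0) passes them
! unchanged instead of PATing them behind the outside address.
access-list corp-nonat extended permit ip 203.0.113.0 255.255.255.0 any
nat (Corp) 0 access-list corp-nonat
!
! Applying an access-group replaces the default higher-to-lower permit on
! that interface, so only the listed flows pass. Explicitly deny ISG
! subscribers reaching the other VRFs' private space, then allow web/DNS.
access-list ISG_in extended deny ip 10.30.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list ISG_in extended permit tcp 10.30.0.0 255.255.0.0 any eq www
access-list ISG_in extended permit tcp 10.30.0.0 255.255.0.0 any eq https
access-list ISG_in extended permit udp 10.30.0.0 255.255.0.0 any eq domain
access-group ISG_in in interface ISG
!
! WIFI (security-level 100) needs no ACL to reach outside (0); it is
! NATed by pool 1 above. Return routes point each VRF prefix at the
! core's address on the matching sub-interface; 198.51.100.1 is the ISP.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route ISG 10.30.0.0 255.255.0.0 10.30.0.2 1
route WIFI 10.40.0.0 255.255.0.0 10.40.0.2 1
route DHCP-TAL 10.50.0.0 255.255.0.0 10.50.0.2 1
route Corp 203.0.113.0 255.255.255.0 203.0.113.2 1
```

With this in place, a translation should appear in `show xlate` for an ISG or WIFI host but not for a Corp host, and `show access-list ISG_in` hit counts confirm the deny line is catching attempts to reach the other VRFs.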
