05-19-2008 02:21 AM - edited 03-11-2019 05:46 AM
We are going to set up an ASA. Currently I am using an ASA 5510 for testing purposes. We have some 4 VRFs running in the core, which need to be NATed and should get internet access. I am pasting the sample config file below.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1.30
 description ISG-Interface
 vlan 30
 nameif ISG
 security-level 75
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1.40
 description Internet-Interface
 vlan 40
 nameif internet
 security-level 75
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1.31
 description DMZ-Interface
 vlan 20
 nameif DMZ
 security-level 50
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1.50
 description ISG/BH-Management Interface
 vlan 50
 nameif mgmt
 security-level 100
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1.x
 description Wireless-Interface
 vlan x
 nameif WIFI
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1.x
 description Corporate Network-Interface
 vlan x
 nameif Corp
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1.x
 description DHCP-Non-DHCP TAL Network-Interface
 vlan x
 nameif DHCP-TAL
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
nat-control
global (outside) 1 interface
nat (ISG) 1 0.0.0.0 0.0.0.0
nat (WIFI) 1 0.0.0.0 0.0.0.0
nat (DHCP-TAL) 1 0.0.0.0 0.0.0.0
nat (Corp) 0 access-list corp-nonat
!
access-group inside in interface prv-internet
!
route ISG x.x.x.x x.x.x.x
route ISG x.x.x.x x.x.x.x
!
route WIFI x.x.x.x x.x.x.x
route WIFI x.x.x.x x.x.x.x
route WIFI x.x.x.x x.x.x.x
!
route Corp x.x.x.x x.x.x.x
route Corp x.x.x.x x.x.x.x
route Corp x.x.x.x x.x.x.x
route Corp x.x.x.x x.x.x.x
!
route DHCP-TAL x.x.x.x x.x.x.x
route DHCP-TAL x.x.x.x x.x.x.x
!
! the Corp network does not require any NAT
access-list corp-nonat extended permit ip x.x.x.x x.x.x.x any
And so on; we will add the other access lists for all the other interfaces as well.
Will this scenario work in real time? Anyone who has experience with this kind of network, please share; that will be gratefully received.
Thanks
Saji k.s
05-19-2008 07:28 AM
Looks OK to me - but just to be sure, instead of 0.0.0.0 0.0.0.0, I would replace it with the actual IP subnet of the VRF.
I would also increase the security-level of the ISG interface, as you will have to write an ACL for that interface to access the internet!
And of course the switch port that Ethernet 0/1 connects to must be a trunk port.
HTH.
05-21-2008 12:35 AM
Hi Andrew,
Thank you for the reply.
So I can create the ISG access list in the ASA and map it to the NAT interface for the people who want to access the internet, e.g. private users with DHCP option 82 and without option 82. Will this be possible? Because all users who use this kind of option will come through ISG.
Can we create an access list for corp-internet? Because this network will use public IPs for its internet use, so we can just give NO NAT and do the same, am I right?
We also have a WiFi VRF; people who are accessing WiFi should be able to get internet, which needs to be NATed through the ASA. Do we require an access list for this?
Expecting your reply.
Saji
05-21-2008 01:04 AM
In answer to your questions:
Yes
Yes
Yes
HTH.
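A config cross-reference check, added here as an example and not part of this thread or of any Cisco tooling: it takes an ASA 7.x/8.0-style config pasted as text and flags the slips a reviewer looks for in a setup like the one above (a subinterface stanza entered twice, nat/access-group/route lines naming a nameif or access-list that is never defined, and nat entries matching any source, which the reply above advises replacing with the VRF's real subnet). The sample config is constructed, and case-insensitive name matching is an assumption rather than documented ASA behaviour.

```python
import re
from collections import Counter

# Constructed sample (not the poster's full config), seeded with the slips that creep in when a config is pasted by hand.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
interface Ethernet0/1.30
 nameif ISG
interface Ethernet0/1.30
 nameif internet
interface Ethernet0/1.50
 nameif Corp
global (outside) 1 interface
nat (ISG) 1 0.0.0.0 0.0.0.0
nat (Corp) 0 access-list nonat
access-group inside in interface prv-internet
access-list corp-nonat extended permit ip 10.1.0.0 255.255.0.0 any
route WIFI 0.0.0.0 0.0.0.0 10.2.0.1
"""

def lint_asa_config(text):
    """Cross-check nat/access-group/route lines against the nameif and
    access-list definitions in the same config; return a list of findings."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    # Assumption: nameif and ACL names are compared case-insensitively.
    nameifs = {m.group(1).lower() for l in lines if (m := re.match(r"nameif (\S+)$", l))}
    acls = {m.group(1).lower() for l in lines if (m := re.match(r"access-list (\S+)", l))}
    stanzas = Counter(m.group(1) for l in lines if (m := re.match(r"interface (\S+)$", l)))
    findings = [f"duplicate interface stanza: {n}" for n, c in stanzas.items() if c > 1]
    for l in lines:
        if m := re.match(r"nat \((\S+)\) (\d+) (.*)", l):
            ifname, nat_id, rest = m.groups()
            if ifname.lower() not in nameifs:
                findings.append(f"nat references unknown nameif {ifname}")
            if rest.startswith("access-list"):  # nat 0 access-list: NAT exemption
                if rest.split()[1].lower() not in acls:
                    findings.append(f"nat ({ifname}) references unknown access-list {rest.split()[1]}")
            elif nat_id != "0" and rest.startswith("0.0.0.0 0.0.0.0"):
                findings.append(f"nat ({ifname}) matches any source; prefer the VRF's real subnet")
        elif m := re.match(r"access-group (\S+) (?:in|out) interface (\S+)", l):
            acl, ifname = m.groups()
            if acl.lower() not in acls:
                findings.append(f"access-group references unknown access-list {acl}")
            if ifname.lower() not in nameifs:
                findings.append(f"access-group references unknown nameif {ifname}")
        elif (m := re.match(r"route (\S+) ", l)) and m.group(1).lower() not in nameifs:
            findings.append(f"route references unknown nameif {m.group(1)}")
    return findings
```

Run `lint_asa_config` over a saved `show running-config` before pasting it into the box; an empty list means every reference resolves.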