ASA 5505 Introduction

Unanswered Question
Apr 5th, 2010


Data VLAN 192.168.3.0
Voice VLAN 10.50.50.0
DHCP Server with both ranges is 192.168.3.201
Gateway Linksys: 192.168.3.254


Switch configuration:


ip routing
no ip domain-lookup
!
vlan 2-3
!
interface FastEthernet0/1
 description *****Link to 2801*****
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/2
 description *****DHCP Server*****
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport voice vlan 3
 spanning-tree portfast
!
interface FastEthernet0/33
 description *****Martyn's IP Phone*****
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3
 shutdown
 spanning-tree portfast
!
interface FastEthernet0/44
 description *****AP*****
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 1-3
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/48
 description *****LINKSYS*****
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan2
 description *****Data*****
 ip address 192.168.3.250 255.255.255.0
!
interface Vlan3
 description *****Voice*****
 ip address 10.50.50.250 255.255.255.0
 ip helper-address 192.168.3.201


AP Configuration


dot11 vlan-name Data vlan 2
dot11 vlan-name Voice vlan 3
!
dot11 ssid Data
   vlan 2
   authentication open
   guest-mode
!
dot11 ssid Voice
   vlan 3
   authentication open
!
power inline negotiation prestandard source
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 3 key 1 size 128bit 7 E3BEDBF2515AF471C34CFBB0 transmit-key
 encryption vlan 3 mode wep mandatory
 !
 encryption vlan 2 key 1 size 128bit 7 2E17A6E62FA4D039AD5B57BB transmit-key
 encryption vlan 2 mode wep mandatory
 !
 ssid Data
 !
 ssid Voice
 !
 station-role root
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 ip helper-address 192.168.3.250
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 ip helper-address 192.168.3.250
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 3 key 1 size 128bit 7 E3BEDBF25198471C34CFBB0 transmit-key
 encryption vlan 3 mode wep mandatory
 !
 encryption vlan 2 key 1 size 128bit 7 2E17A6E65A4D039AD5B57BB transmit-key
 encryption vlan 2 mode wep mandatory
 !
 ssid Data
 !
 ssid Voice
 !
 no dfs band block
 channel dfs
 station-role root
!
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 ip helper-address 192.168.3.250
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 192.168.3.244 255.255.255.0
 ip helper-address 192.168.3.250
 no ip route-cache


The above is working well, but I want to introduce an ASA and remove the Linksys. My ASA only has 3 VLANs with the key I have, so VLAN 1, 2 and 3.


So my question to the experts here is "how do I introduce it with my current config?"


Thanks for your time


Martyn


You actually only have 2.5 VLANs with the 5505.  If you use the .5 vlan it has to restrict traffic flow to 1 of the vlans.



Also, you can create additional VLANs, but you cannot associate them with access-lists or NATing.



You have a couple options.

1) You buy a 5510

2) You use the following setup



WAN = vlan 2 (default for asa5505 -- from memory)

LAN = vlan 1 (also default for asa5505 -- from memory)

VOIP = vlan 3 (you will create this)


When you create the VOIP vlan you will choose to restrict flow to VLAN 1 (LAN).  If you have a call manager then you will need to place the call manager server in vlan 3 with the VOIP.  When you need to access the call manager just plug into a vlan3 port or change a port to vlan 3 for a short period of time.



Cisco is currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Federico Coto F... Fri, 04/09/2010 - 08:24

If you have an ASA 5505 with base license, you have the INSIDE and OUTSIDE interfaces and a DMZ (with limited access to only another interface).

If you purchase a Security Plus license, then you will have 3 fully usable and routable interfaces on the 5505.


Federico.
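
The option 2 layout and the base-license restriction described in the two replies above, written out as an ASA 5505 configuration. This is an added example, not configuration posted by anyone in the thread; the nameif names, security levels, port assignments, outside addressing and the 10.50.50.254 address are assumptions, and 192.168.3.254 is reused from the Linksys gateway in the question.

```cisco
! Added example: ASA 5505, base license, three VLAN interfaces.
! Names, security levels, ports and 10.50.50.254 are assumed values.
!
! WAN (outside addressing via DHCP is an assumption)
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! LAN, taking over the gateway address the Linksys used
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.254 255.255.255.0
!
! Third VLAN on a base license: the restriction has to be entered
! before nameif, or the ASA refuses to name the interface.
! Vlan3 can then never initiate connections toward Vlan1.
interface Vlan3
 no forward interface Vlan1
 nameif voice
 security-level 50
 ip address 10.50.50.254 255.255.255.0
!
! The base license has no trunk ports, so each VLAN gets its own
! access port. The VLAN numbers are local to the ASA and do not have
! to match the switch, because frames on access ports are untagged.
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Ethernet0/2
 switchport access vlan 3
```

`show switch vlan` on the ASA lists which ports ended up in which VLAN. Because Vlan3 cannot open connections to Vlan1, anything the phones must reach on their own initiative, such as the call manager mentioned in the first reply, has to sit in Vlan3.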
