cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1352
Views
13
Helpful
9
Replies

Routing design help on ASA

sarat1317
Level 1
Level 1

Hello

I have a client who added more users on the network which made by DHCP scope full which is on Class C network. Current network as below

LAN -> L2 switches -> ASA 5510 -> ISP router. All workstations currently have GW pointed to ASA which is doing routing and firewalling

All workstations and servers are on VLAN1

So I see I have 2 options here

  • Change to class B network
  • Create Layer 3 network and add another VLAN2 and move some departments to the new VLAN

I prefer option2 as I have 12 site-site VPNs on ASA and dont want to take downtime to change the tunnel configs to change to Class B network

If I choose Option2,

  • Is it good to install a layer3 switch, create VLANs and do routing through that switch and just use ASA for firewalling or
  • Is it good to configure a subinterface or use eth0/2 on ASA, create as DMZ interface (VLAN2), configure ACLs for intervlan routing on ASA so I can eliminate using layer3 switch on the network?
    • DMZ interface will only have workstations that will access the servers on VLAN1
    • I will create a DHCP scope for VLAN2 IP scheme on the server and configure VLAN2 workstations to have GW pointed to DMZ interface IP. I am hoping there will not be any issue for VLAN2 workstations to receive DHCP IPs from server on VLAN1

Thanks for your time

9 Replies 9

Maykol Rojas
Cisco Employee
Cisco Employee

Hello There

I think your option 2 is the best as well, and adding to that, I think eliminating the option of using a L3 on the network its also a good Idea. I think the only thing that you need to do is to create the vlan2 and put the interface over there, create the NAT rules and the access list depending on the sec level that you assign to that new interface.

That way all of  the traffic would be watched by the firewall increasing the security.

Let me know if you have any doubts.

Cheers

Mike

Mike

Can you please verify this configuration when ASA is configured for DMZ interface and route between vlans


interface Ethernet0/1
description LAN1
vlan 1
nameif inside
security-level 100
ip address 10.0.5.2 255.255.255.0
!


interface Ethernet0/2
description LAN2
vlan 2
nameif DMZ2
security-level 90
ip address 10.0.6.2 255.255.255.0

interface Ethernet0/0
nameif outside
security-level 0
ip address 11.12.13.14 255.255.255.240

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

nat-control

Inside-Outside traffic
nat (inside) 1 10.0.5.0 255.255.255.0
global (outside) 1 interface

Outside-Inside traffic
access-list outside_in remark Permit outside access to inside networks
access-list outside_in extended permit tcp any host 11.12.13.14 eq www
access-list outside_in extended permit tcp any host 11.12.13.14 eq 81
access-list outside_in extended permit tcp any host 11.12.13.14 eq 82
access-list outside_in extended permit tcp any host 11.12.13.14 eq https
access-group outside_in in interface outside

static (inside,outside) tcp 11.12.13.14 www 10.0.5.12 www netmask 255.255.255.255
static (inside,outside) tcp 11.12.13.14 81 10.0.5.12 81 netmask 255.255.255.255
static (inside,outside) tcp 11.12.13.14 82 10.0.5.12 82 netmask 255.255.255.255
static (inside,outside) tcp 11.12.13.14 https 10.0.5.14 https netmask 255.255.255.255

DMZ2-Outside traffic
nat (DMZ2) 2 10.0.6.0 255.255.255.0
global (outside) 2 interface

Outside-DMZ2 traffic
No portforwarding needed as DMZ2 is all workstations

Inside-DMZ2 traffic
nat (inside) 0 access-list inside_nonat_outbound
access-list inside_nonat_outbound extended permit ip 10.0.5.0 255.255.255.0 10.0.6.0 255.255.255.0

DMZ2-Inside traffic
nat (DMZ2) 0 access-list inside_nonat_outbound
access-list inside_nonat_outbound extended permit ip 10.0.6.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list DMZ2_Traffic extended permit ip any any
access-list DMZ2_Traffic extended permit tcp any any
access-group DMZ2_Traffic in interface DMZ2

Thank you

rwagner
Level 1
Level 1

You say you have used all of your private class C address' but your network topology suggests that you have only used a small portion of the class C.

Can you please confirm that you have used all 65534 host address'?

Private Class C:

192.168.0.0 - 192.168.255.255

If you have not used all 65534 hosts then you have some new choices available to you.

1) change your subnet to include all hosts for your private class C.

2) add additional subnets, i believe this was your 2nd option.

If you have over 200 hosts in use then preparing for a medium size toplogy should be a top priority.  I would also be mindful of IPv6 when making changes so that you will have little to no work to do when you introduce IPv6.

For a organization moving from a small to a medium size topology segmentation and control is generally the first hurdle to overcome.

Introduction to a Medium Size organization:

VLAN1 - native

VLAN2 - DMZ

VLAN3 - Servers

VLAN4 - WLAN

VLAN5 - Workstations

VLAN6 thru VLAN7- WAN

Don't forget to save yourself growth space so that DMZ1 and DMZ2 are not VLAN2 and VLAN17.  The same goes for address' planning.  I generally tell people to plan for the next level up.  So plan for your intro to med to become a huge medium that requires the use of the entire 65k+ hosts.  You may want to look at doing this in conjunction with converting/introducing Private Class B.

If you truly have exceeded the private class C then I would definitly recommend introducing a L3 device.  If you have actually exhausted all of the class C subnets then you should look at introducing  Class A, Class B, and Class C privates or purchasing a class B public address block.

For an environment of that size you should probabally have the following.

(vlans in no specific order or number)

VLAN1 - native

VLAN2 - DMZ

VLAN3 - Intermix1 (DMZ to Inside Zones)

VLAN4 - Windows Servers (inside1)

VLAN5 - Unix/Linux Servers (inside2)

VLAN6 - Intermix2 (inside to secure zones)

VLAN7 - Windows Secure (secure1)

VLAN8 - Unix/Linux Secure (secure2)

VLAN9 - WLAN

VLAN10 thru VLAN20 - Workstations (inside3)

VLAN21 thru VLAN30 - ISP (WAN)

With 65k+ hosts you generally see a minimum of 20VLANS.  Also good to note that by "secure zones" i am refering to the data storage zones, but if your data storage is not a ip based solution, like ISCSI, then you may want to move the servers/devices that connect to the storage in the secure zone.

Sorry. I should have said Class C with /24 subnet and my option1 was about changing to a different subnet. Was in a bit hurry typing the original message twice as my page expired. Really, I will be flying if I am somewhere managing 65k hosts!

Anyway thank you for your guidelines. That is helpful. I guess I will just go with my second option that you also mentioned. I am working on the config now

Can you please verify this configuration when ASA is configured for DMZ interface and route between vlans


interface Ethernet0/1
description LAN1
vlan 1
nameif inside
security-level 100
ip address 10.0.5.2 255.255.255.0
!


interface Ethernet0/2
description LAN2
vlan 2
nameif DMZ2
security-level 90
ip address 10.0.6.2 255.255.255.0

interface Ethernet0/0
nameif outside
security-level 0
ip address 11.12.13.14 255.255.255.240

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

nat-control

Inside-Outside traffic
nat (inside) 1 10.0.5.0 255.255.255.0
global (outside) 1 interface

Outside-Inside traffic
access-list outside_in remark Permit outside access to inside networks
access-list outside_in extended permit tcp any host 11.12.13.14 eq www
access-list outside_in extended permit tcp any host 11.12.13.14 eq 81
access-list outside_in extended permit tcp any host 11.12.13.14 eq 82
access-list outside_in extended permit tcp any host 11.12.13.14 eq https
access-group outside_in in interface outside

static (inside,outside) tcp 11.12.13.14 www 10.0.5.12 www netmask 255.255.255.255
static (inside,outside) tcp 11.12.13.14 81 10.0.5.12 81 netmask 255.255.255.255
static (inside,outside) tcp 11.12.13.14 82 10.0.5.12 82 netmask 255.255.255.255
static (inside,outside) tcp 11.12.13.14 https 10.0.5.14 https netmask 255.255.255.255

DMZ2-Outside traffic
nat (DMZ2) 2 10.0.6.0 255.255.255.0
global (outside) 2 interface

Outside-DMZ2 traffic
No portforwarding needed as DMZ2 is all workstations

Inside-DMZ2 traffic
nat (inside) 0 access-list inside_nonat_outbound
access-list inside_nonat_outbound extended permit ip 10.0.5.0 255.255.255.0 10.0.6.0 255.255.255.0

DMZ2-Inside traffic
nat (DMZ2) 0 access-list inside_nonat_outbound
access-list inside_nonat_outbound extended permit ip 10.0.6.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list DMZ2_Traffic extended permit ip any any
access-list DMZ2_Traffic extended permit tcp any any
access-group DMZ2_Traffic in interface DMZ2

Thank you

Can someone please verify this configuration in my previous post?

And also I have a DHCP server with 10.0.5.10 with gateway 10.0.5.2 currently providing DHCP IPs for hosts on 10.0.5.x network. I want to create another DHCP scope (10.0.6.x) on the same server to provide DHCP IPs for hosts on 10.0.6.x network. Hosts on 10.0.6.x has the gateway 10.0.6.2. As I do not have a layer 3 device, should I use DHCP relay configuration on ASA as below so the hosts on 10.0.6.x contact 10.0.5.10?

dhcprelay server 10.0.5.10 inside

dhcprelay enable DMZ2
dhcprelay setroute DMZ2

Thanks

Sarat

Hello,

The configuration looks correct. You are right in that you have to use DHCP

Relay to achieve what you are looking for. You can use the ASA as a DHCP

server as well if you like.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example091

86a008075fcfb.shtml

Hope this helps.

Regards,

NT

I came across another question when I put the design on paper. If I use the server to configure both pools and ASA as DHCP relay, how does the server know to assign 10.0.6.x IPs to certain group of hosts? I have 10 programs and wanted to put hosts on 4 programs in 10.0.6.x and hosts on 6 programs in 10.0.5.x

Thanks

Sarat

That is something you configure on the server. The server can have bindings on the mac that is requesting an ip and assign the ip addresses that you want.

That is something the the ASA is not involved with and the dhcp server should be configured to do it.

I hope it helps.

PK

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: