04-26-2010 10:02 AM - edited 03-11-2019 10:37 AM
Hello
I have a client who added more users on the network, which made my DHCP scope full; the scope is on a Class C network. Current network as below:
LAN -> L2 switches -> ASA 5510 -> ISP router. All workstations currently have GW pointed to ASA which is doing routing and firewalling
All workstations and servers are on VLAN1
So I see I have 2 options here
I prefer option 2 as I have 12 site-to-site VPNs on the ASA and don't want to take downtime to change the tunnel configs to move to a Class B network.
If I choose Option2,
Thanks for your time
04-26-2010 10:32 AM
Hello There
I think your option 2 is the best as well, and adding to that, I think eliminating the option of using an L3 on the network is also a good idea. I think the only thing that you need to do is to create the VLAN 2 and put the interface over there, create the NAT rules and the access list depending on the security level that you assign to that new interface.
That way all of the traffic would be watched by the firewall increasing the security.
Let me know if you have any doubts.
Cheers
Mike
05-03-2010 03:21 PM
Can you please verify this configuration when ASA is configured for DMZ interface and route between VLANs
interface Ethernet0/1
description LAN1 (switch VLAN 1)
nameif inside
security-level 100
ip address 10.0.5.2 255.255.255.0
!
interface Ethernet0/2
description LAN2 (switch VLAN 2)
nameif DMZ2
security-level 90
ip address 10.0.6.2 255.255.255.0
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 11.12.13.14 255.255.255.240
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
nat-control
Inside-Outside traffic
nat (inside) 1 10.0.5.0 255.255.255.0
global (outside) 1 interface
Outside-Inside traffic
access-list outside_in remark Permit outside access to inside networks
access-list outside_in extended permit tcp any host 11.12.13.14 eq www
access-list outside_in extended permit tcp any host 11.12.13.14 eq 81
access-list outside_in extended permit tcp any host 11.12.13.14 eq 82
access-list outside_in extended permit tcp any host 11.12.13.14 eq https
access-group outside_in in interface outside
static (inside,outside) tcp 11.12.13.14 www 10.0.5.12 www netmask 255.255.255.255
static (inside,outside) tcp 11.12.13.14 81 10.0.5.12 81 netmask 255.255.255.255
static (inside,outside) tcp 11.12.13.14 82 10.0.5.12 82 netmask 255.255.255.255
static (inside,outside) tcp 11.12.13.14 https 10.0.5.14 https netmask 255.255.255.255
DMZ2-Outside traffic
nat (DMZ2) 2 10.0.6.0 255.255.255.0
global (outside) 2 interface
Outside-DMZ2 traffic
No port forwarding needed as DMZ2 is all workstations
Inside-DMZ2 traffic
nat (inside) 0 access-list inside_nonat_outbound
access-list inside_nonat_outbound extended permit ip 10.0.5.0 255.255.255.0 10.0.6.0 255.255.255.0
DMZ2-Inside traffic
nat (DMZ2) 0 access-list inside_nonat_outbound
access-list inside_nonat_outbound extended permit ip 10.0.6.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list DMZ2_Traffic extended permit ip any any
access-list DMZ2_Traffic extended permit tcp any any
access-group DMZ2_Traffic in interface DMZ2
Thank you
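The post above asks for the configuration to be verified. The following is an added check written for this page, not code from the thread or from Cisco: a small Python lint that parses the 8.2-style interface, NAT-exemption, static and ACL lines as posted (embedded below as constructed input, with the descriptions, remarks and dynamic nat/global lines left out) and flags the things a reviewer would look for: overlapping interface subnets, statics without a matching outside permit (and permits with nothing behind them), NAT-exemption ACEs whose source can never appear on the interface they are applied to, and inbound ACLs that are either blanket permits toward higher-security interfaces or contain ACEs shadowed by an earlier line. The checks and their wording are the editor's own, not an ASA feature.

```python
import ipaddress

# Constructed input: the interface, NAT-exemption, static and ACL lines from
# the post above (descriptions, remarks and dynamic nat/global lines left out).
CONFIG = """
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.5.2 255.255.255.0
interface Ethernet0/2
 nameif DMZ2
 security-level 90
 ip address 10.0.6.2 255.255.255.0
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 11.12.13.14 255.255.255.240
access-list outside_in extended permit tcp any host 11.12.13.14 eq www
access-list outside_in extended permit tcp any host 11.12.13.14 eq https
access-group outside_in in interface outside
static (inside,outside) tcp 11.12.13.14 www 10.0.5.12 www netmask 255.255.255.255
static (inside,outside) tcp 11.12.13.14 https 10.0.5.14 https netmask 255.255.255.255
nat (inside) 0 access-list inside_nonat_outbound
nat (DMZ2) 0 access-list inside_nonat_outbound
access-list inside_nonat_outbound extended permit ip 10.0.5.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list inside_nonat_outbound extended permit ip 10.0.6.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list DMZ2_Traffic extended permit ip any any
access-list DMZ2_Traffic extended permit tcp any any
access-group DMZ2_Traffic in interface DMZ2
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
PORTS = {"www": 80, "http": 80, "https": 443}   # the service names used in the post


def port(tok):
    return PORTS.get(tok) or int(tok)


def addr(t, i):
    """Parse an ACE address (any | host X | X MASK) at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse(text):
    cfg, cur = {"ifaces": {}, "acls": {}, "groups": {}, "statics": [], "nat0": []}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            cur = {"level": 0, "net": None}
        elif t[0] == "nameif":
            cfg["ifaces"][t[1]] = cur
        elif t[0] == "security-level":
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = addr(t, 5)
            if t[i] == "eq":                       # source port: not checked here
                i += 2
            dst, i = addr(t, i)
            dport = port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg["acls"].setdefault(t[1], []).append(
                {"action": t[3], "proto": t[4], "src": src, "dst": dst, "dport": dport})
        elif t[0] == "access-group":               # access-group NAME in interface IF
            cfg["groups"][t[4]] = t[1]
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            cfg["statics"].append((t[2], t[3], port(t[4]), t[5], port(t[6])))
        elif t[0] == "nat" and t[2] == "0":        # nat (IF) 0 access-list NAME
            cfg["nat0"].append((t[1].strip("()"), t[4]))
    return cfg


def shadows(prev, ace):
    """True if prev matches every packet ace would, so ace can never fire."""
    return (prev["proto"] in ("ip", ace["proto"]) and prev["dport"] in (None, ace["dport"])
            and ace["src"].subnet_of(prev["src"]) and ace["dst"].subnet_of(prev["dst"]))


def lint(text):
    cfg, out = parse(text), []
    ifs = cfg["ifaces"]
    names = list(ifs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifs[a]["net"].overlaps(ifs[b]["net"]):
                out.append(f"overlapping subnets: {a} {ifs[a]['net']} and {b} {ifs[b]['net']}")
    # each port-forward static needs a permit on the outside ACL, and vice versa
    out_acl = cfg["acls"].get(cfg["groups"].get("outside"), [])
    for proto, gip, gport, lip, lport in cfg["statics"]:
        if not any(a["action"] == "permit" and a["proto"] in ("ip", proto) and a["dport"] in (None, gport)
                   and ipaddress.ip_address(gip) in a["dst"] for a in out_acl):
            out.append(f"static {gip}:{gport} -> {lip}:{lport} has no permit in the outside ACL")
    for a in out_acl:
        if a["action"] == "permit" and a["dport"] and a["dst"].prefixlen == 32:
            host = str(a["dst"].network_address)
            if not any(g == host and gp == a["dport"] for _, g, gp, _, _ in cfg["statics"]):
                out.append(f"outside ACL permits {host}:{a['dport']} but nothing translates it")
    # a NAT-exemption ACE whose source is not on that interface never matches there
    for ifname, acl in cfg["nat0"]:
        for a in cfg["acls"].get(acl, []):
            if not a["src"].overlaps(ifs[ifname]["net"]):
                out.append(f"nat ({ifname}) 0 ACL {acl}: source {a['src']} is not on {ifname}, ACE never matches")
    # inbound ACLs: blanket permits toward higher-security interfaces, and dead ACEs
    for ifname, acl in cfg["groups"].items():
        aces = cfg["acls"].get(acl, [])
        higher = ", ".join(n for n, d in ifs.items() if d["level"] > ifs[ifname]["level"])
        for i, a in enumerate(aces):
            if a["action"] == "permit" and a["proto"] == "ip" and a["src"] == ANY and a["dst"] == ANY:
                out.append(f"ACL {acl} on {ifname}: 'permit ip any any' gives {ifname} unrestricted access to {higher}")
            if any(shadows(p, a) for p in aces[:i]):
                out.append(f"ACL {acl}: ACE {i + 1} is shadowed by an earlier ACE and never matches")
    return out


if __name__ == "__main__":
    for finding in lint(CONFIG):
        print(finding)
```

Run against the posted lines it reports four findings: the shared NAT-exemption ACL gives each interface one ACE that can never match there (harmless, but two single-direction ACLs are easier to audit), the DMZ2 inbound ACL's `permit ip any any` hands the 90-level workstation segment unrestricted access to the 100-level inside network, and the following `permit tcp any any` is dead. The statics and the outside ACL line up, so nothing is reported for them.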
04-26-2010 10:59 AM
You say you have used all of your private Class C addresses, but your network topology suggests that you have only used a small portion of the Class C.
Can you please confirm that you have used all 65534 host addresses?
Private Class C:
192.168.0.0 - 192.168.255.255
If you have not used all 65534 hosts then you have some new choices available to you.
1) change your subnet to include all hosts for your private class C.
2) add additional subnets, I believe this was your 2nd option.
If you have over 200 hosts in use then preparing for a medium size topology should be a top priority. I would also be mindful of IPv6 when making changes so that you will have little to no work to do when you introduce IPv6.
For an organization moving from a small to a medium size topology, segmentation and control are generally the first hurdle to overcome.
Introduction to a Medium Size organization:
VLAN1 - native
VLAN2 - DMZ
VLAN3 - Servers
VLAN4 - WLAN
VLAN5 - Workstations
VLAN6 thru VLAN7- WAN
Don't forget to save yourself growth space so that DMZ1 and DMZ2 are not VLAN2 and VLAN17. The same goes for address planning. I generally tell people to plan for the next level up. So plan for your intro to medium to become a huge medium that requires the use of the entire 65k+ hosts. You may want to look at doing this in conjunction with converting/introducing private Class B.
If you truly have exceeded the private Class C then I would definitely recommend introducing an L3 device. If you have actually exhausted all of the Class C subnets then you should look at introducing Class A, Class B, and Class C privates or purchasing a Class B public address block.
For an environment of that size you should probably have the following.
(vlans in no specific order or number)
VLAN1 - native
VLAN2 - DMZ
VLAN3 - Intermix1 (DMZ to Inside Zones)
VLAN4 - Windows Servers (inside1)
VLAN5 - Unix/Linux Servers (inside2)
VLAN6 - Intermix2 (inside to secure zones)
VLAN7 - Windows Secure (secure1)
VLAN8 - Unix/Linux Secure (secure2)
VLAN9 - WLAN
VLAN10 thru VLAN20 - Workstations (inside3)
VLAN21 thru VLAN30 - ISP (WAN)
With 65k+ hosts you generally see a minimum of 20 VLANs. Also good to note that by "secure zones" I am referring to the data storage zones, but if your data storage is not an IP-based solution, like iSCSI, then you may want to move the servers/devices that connect to the storage into the secure zone.
04-26-2010 01:17 PM
Sorry. I should have said Class C with a /24 subnet, and my option 1 was about changing to a different subnet. I was in a bit of a hurry typing the original message twice as my page expired. Really, I will be flying if I am somewhere managing 65k hosts!
Anyway thank you for your guidelines. That is helpful. I guess I will just go with my second option that you also mentioned. I am working on the config now
07-22-2010 10:07 AM
Can someone please verify this configuration in my previous post?
And also I have a DHCP server at 10.0.5.10 with gateway 10.0.5.2 currently providing DHCP IPs for hosts on the 10.0.5.x network. I want to create another DHCP scope (10.0.6.x) on the same server to provide DHCP IPs for hosts on the 10.0.6.x network. Hosts on 10.0.6.x have the gateway 10.0.6.2. As I do not have a layer 3 device, should I use the DHCP relay configuration on the ASA as below so the hosts on 10.0.6.x contact 10.0.5.10?
dhcprelay server 10.0.5.10 inside
dhcprelay enable DMZ2
dhcprelay setroute DMZ2
Thanks
Sarat
07-22-2010 10:41 AM
Hello,
The configuration looks correct. You are right in that you have to use DHCP Relay to achieve what you are looking for. You can use the ASA as a DHCP server as well if you like.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml
Hope this helps.
Regards,
NT
09-01-2010 07:10 AM
I came across another question when I put the design on paper. If I use the server to configure both pools and ASA as DHCP relay, how does the server know to assign 10.0.6.x IPs to certain group of hosts? I have 10 programs and wanted to put hosts on 4 programs in 10.0.6.x and hosts on 6 programs in 10.0.5.x
Thanks
Sarat
09-01-2010 03:10 PM
That is something you configure on the server. The server can have bindings on the MAC that is requesting an IP and assign the IP addresses that you want.
That is something that the ASA is not involved with, and the DHCP server should be configured to do it.
I hope it helps.
PK
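The relay question from the 07-22 post and the scope question from the 09-01 post turn on the same packet field, so here is one added example covering both. It is written for this page and is not code from the thread, from Cisco or from any DHCP server: a toy model of what the ASA's `dhcprelay` hands to the server and of how a server picks a scope from it. A relay agent rewrites `giaddr` in the forwarded DHCPDISCOVER to its own address on the client's segment (here the ASA's DMZ2 address 10.0.6.2) and increments `hops`; the server then selects the scope whose subnet contains `giaddr`, or its own interface subnet when `giaddr` is zero (RFC 2131, section 4.3.1). A MAC reservation is applied inside the selected scope and cannot pull a host into another scope. The two scopes, the pool ranges, the server address and the reservation table are hypothetical values modelled on the thread, and the packets are constructed inline.

```python
import ipaddress
import struct

HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header fields, 236 bytes
MAGIC = b"\x63\x82\x53\x63"          # options magic cookie

# Hypothetical server-side data modelled on the thread: two scopes on the
# 10.0.5.10 server and one MAC reservation. Constructed for this example.
SERVER_IP = ipaddress.ip_address("10.0.5.10")
SCOPES = {
    ipaddress.ip_network("10.0.5.0/24"): ("10.0.5.100", "10.0.5.200"),
    ipaddress.ip_network("10.0.6.0/24"): ("10.0.6.100", "10.0.6.200"),
}
RESERVATIONS = {"00:11:22:33:44:55": ipaddress.ip_address("10.0.6.50")}


def build_discover(xid, mac, giaddr="0.0.0.0", hops=0):
    """DHCPDISCOVER bytes. A relay (the ASA's dhcprelay) sets giaddr to its own
    address on the client's segment and bumps hops before forwarding to the server."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    fixed = struct.pack(HDR, 1, 1, 6, hops, xid, 0, 0x8000,      # op=BOOTREQUEST, broadcast flag
                        b"\0" * 4, b"\0" * 4, b"\0" * 4,         # ciaddr, yiaddr, siaddr
                        ipaddress.IPv4Address(giaddr).packed,
                        chaddr, b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, 1, 255])                # option 53 = DISCOVER, then END


def parse_header(pkt):
    """The fields a server needs: relay address, hop count, client MAC."""
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    f = struct.unpack(HDR, pkt[:236])
    return {"hops": f[3], "xid": f[4],
            "giaddr": ipaddress.IPv4Address(f[10]),
            "mac": ":".join(f"{b:02x}" for b in f[11][:f[2]])}


def select_scope(hdr, scopes=SCOPES, server_ip=SERVER_IP):
    """RFC 2131 4.3.1: a non-zero giaddr selects the subnet that contains the relay's
    address; giaddr 0 means the client sits on the server's own segment."""
    key = hdr["giaddr"] if int(hdr["giaddr"]) else server_ip
    return next((net for net in scopes if key in net), None)


def pick_address(hdr, net, leased=(), scopes=SCOPES, reservations=RESERVATIONS):
    """A reservation only counts if it lies in the selected scope; otherwise
    hand out the first free pool address of that scope."""
    reserved = reservations.get(hdr["mac"])
    if reserved is not None and reserved in net:
        return reserved
    taken = {ipaddress.ip_address(x) for x in leased}
    lo, hi = (ipaddress.ip_address(x) for x in scopes[net])
    a = lo
    while a <= hi:
        if a not in taken:
            return a
        a += 1
    return None


def handle_discover(pkt, leased=()):
    """Server side: (scope, offered address) for one relayed or direct DISCOVER."""
    hdr = parse_header(pkt)
    net = select_scope(hdr)
    if net is None:
        return None
    return str(net), str(pick_address(hdr, net, leased))


if __name__ == "__main__":
    relayed = build_discover(0x1234, "aa:bb:cc:dd:ee:01", giaddr="10.0.6.2", hops=1)
    print(handle_discover(relayed))                       # DMZ2 host lands in the 10.0.6.x scope
    print(handle_discover(build_discover(2, "00:11:22:33:44:55")))  # reserved MAC, but on inside
```

The last line of the demo is the point for the 09-01 question: a host whose MAC is reserved in the 10.0.6.x scope but which sends its DISCOVER on the inside segment (giaddr 0) still gets a 10.0.5.x address, because the server chooses the scope from where the request arrived, and a reservation only selects an address within that scope. Which program group a workstation belongs to therefore has to be expressed by the switch port / VLAN it is patched into; the reservation then fixes its address inside that scope.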