We have 4 ports on the ASA 5510. Port 0 is Outside, Port 1 is inside, Ports 2 and 3 are not in use.
1. If I configure ports 2 and 3 as Inside interfaces, using the same subnet as port 1 (192.168.100.0), do I connect ports 1, 2, and 3 using crossover cables? Is there a special configuration that I need to configure so that there is communication between the servers on these ports?
2. If I configure ports 2 and 3 as Inside interfaces, would you use the same subnet or different subnets from port 1?
3. What do people normally use ports 2 and 3 for?
Let me know if you want to see the current config or need additional information. Thanks.
1) The static NAT statement should be as follows:
static (Dmz,outside) 184.108.40.206 192.168.102.3 netmask 255.255.255.255
2) The split tunnel ACL used to be an extended ACL in PIX version 6.3 and below; however, since PIX/ASA version 7.0 and above, you would need to use a standard ACL to configure split tunnelling. Here is the URL for your reference:
Hope that answers your questions.
1) To ping 192.168.102.3 from 192.168.100.1, you would need to add the following line:
static (Inside,Dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
The following line is incorrect, so you might want to remove it:
static (Inside,Dmz) 220.127.116.11 192.168.102.3 netmask 255.255.255.255
2) To ping 192.168.100.1 from 192.168.102.3, you would need to configure an access-list on the DMZ interface, because traffic from a low security level to a high security level is not permitted by default:
access-list dmz-acl permit icmp any any
access-group dmz-acl in interface Dmz
3) To ping 192.168.102.3 when connected via VPN Client, you would need to configure the following:
access-list dmz-nonat permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (Dmz) 0 access-list dmz-nonat
I have also had a look at your split tunnel ACL. You are using an extended ACL for the majority of the split tunnel ACL; it needs to be a standard ACL instead.
The following extended ACL:
access-list split-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list split-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
Needs to be changed to a standard ACL:
access-list split-acl standard permit 192.168.100.0 255.255.255.0
access-list split-acl standard permit 192.168.102.0 255.255.255.0
The split tunnel ACL "split-acl" is currently applied to VPN group "techsupport", so after the above changes you should be able to ping 192.168.102.3 from the "techsupport" VPN group.
Hope that helps.
Yes you can.
Inside: 192.168.100.0/24 (security level 100)
DMZ: 192.168.101.0/24 (security level 80)
On the configuration, you would have the following:
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
You need to add an access-list on the dmz interface if you would like the dmz subnet to communicate with the inside subnets.
1) You can't configure ports 2 and 3 to be in the same subnet as port 1 on the ASA 5510. They are not switch ports. All ports on the ASA 5510 are routed ports, so you have to configure a different subnet for each port.
2) If you are using ports 2 and 3 as interfaces, they need to be in different subnets from the inside interface.
3) People normally use the other spare ports for a DMZ zone, where your server zone is separated from the outside and inside networks.
Hope that helps.
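The three pieces of advice in this thread (the split tunnel ACL must be a standard ACL on ASA 7.0+, inside-to-DMZ traffic needs an identity static, and the 5510's ports are routed so each needs its own subnet) are easy to get wrong in a long config. The following Python audit is an added example, not code from the thread or from Cisco: it parses a constructed ASA-style config snippet (interface names, subnets, ACL names and the group-policy name are all made up for the sample) and reports each of those three mistakes. It assumes the classic pre-8.3 `static (real,mapped)` NAT syntax used in the thread.

```python
"""Audit an ASA (pre-8.3 NAT syntax) config for the three mistakes discussed in the thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample config (not from the thread); deliberately contains all three problems.
SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
interface Ethernet0/2
 nameif Dmz
 security-level 80
 ip address 192.168.102.1 255.255.255.0
interface Ethernet0/3
 nameif Lab
 security-level 50
 ip address 192.168.100.254 255.255.255.0
access-list split-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list split-acl standard permit 192.168.102.0 255.255.255.0
access-list dmz-acl extended permit icmp any any
access-group dmz-acl in interface Dmz
group-policy techsupport attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
"""

ACL_RE = re.compile(r"^access-list (\S+) (standard|extended) ")
SPLIT_RE = re.compile(r"^split-tunnel-network-list value (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def parse_interfaces(cfg):
    """Return {nameif: {'name', 'level', 'net'}} from the indented 'interface' blocks."""
    blocks, current = [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {}
            blocks.append(current)
        elif current is None or not raw.startswith(" "):
            current = None  # an unindented line ends the interface block
        elif line.startswith("nameif "):
            current["name"] = line.split()[1]
        elif line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            current["net"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return {b["name"]: b for b in blocks if "name" in b and "net" in b}


def parse_acls(cfg):
    """Map ACL name -> list of entry types ('standard' / 'extended') in config order."""
    acls = defaultdict(list)
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls[m.group(1)].append(m.group(2))
    return acls


def split_tunnel_acls(cfg):
    """Names of every ACL referenced by a split-tunnel-network-list."""
    names = set()
    for line in cfg.splitlines():
        m = SPLIT_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def overlapping_interfaces(interfaces):
    """Pairs of interface names whose subnets overlap (routed ports must not share one)."""
    names = sorted(interfaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if interfaces[a]["net"].network.overlaps(interfaces[b]["net"].network)]


def has_identity_static(cfg, real_if, mapped_if, network):
    """True if 'static (real_if,mapped_if) X X netmask M' exists with X/M equal to `network`."""
    for line in cfg.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        r_if, m_if, mapped, real, mask = m.groups()
        if (r_if.lower(), m_if.lower()) != (real_if.lower(), mapped_if.lower()):
            continue
        if mapped == real and ipaddress.IPv4Network(f"{real}/{mask}") == network:
            return True
    return False


def audit(cfg, inside="Inside", dmz="Dmz"):
    """Return one finding string per problem found; empty list means the three checks pass."""
    findings = []
    acls = parse_acls(cfg)
    for name in sorted(split_tunnel_acls(cfg)):
        bad = [t for t in acls.get(name, []) if t != "standard"]
        if bad:
            findings.append(f"split-tunnel ACL {name} has {len(bad)} extended entries; "
                            f"ASA 7.0+ needs a standard ACL")
    ifaces = parse_interfaces(cfg)
    for a, b in overlapping_interfaces(ifaces):
        findings.append(f"interfaces {a} and {b} share a subnet; ASA 5510 ports are routed, "
                        f"use a distinct subnet per port")
    if inside in ifaces and dmz in ifaces:
        net = ifaces[inside]["net"].network
        if not has_identity_static(cfg, inside, dmz, net):
            findings.append(f"no identity static ({inside},{dmz}) for {net}; "
                            f"inside hosts cannot reach the DMZ")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it as-is to see the three findings for the sample; feed it `show running-config` output to audit a real box. The identity-static check intentionally compares mapped and real addresses, since a `static` with different addresses (like the one the thread says to remove) is a translation, not the exemption the inside-to-DMZ ping needs.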