We have a LAN/WAN infrastructure and are using a Cisco ASA 5510. One of our branch offices has 30 computers in the office room and 5 computers in the lobby. All computers in the LAN have IPs in the same range (10.10.70.1/24) and they are able to access both the internet and the intranet (LAN). Now our management wants to separate the 5 computers (the ones in the lobby). These 5 computers are for the public; they only need internet access, no intranet (LAN). Does anyone have any suggestions or ideas as to how I could do this? Please have a look at the attached branch ASA configuration.
Any help would be much appreciated.
Thanks in advance.
Unfortunately, your DMZ interface can't use the same subnet as your inside interface. To accomplish this 3 interface setup, you will have to use the 10.10.71.x subnet for the DMZ. It is possible to set up another dhcp range (10.10.71.0) for the DMZ interface on the ASA using the commands that NT sent before (dhcpd address 10.10.71.2-10.10.71.31 dmz, dhcpd dns interface dmz, dhcpd enable dmz).
If these 5 PCs are connected to the same switch as the LAN, all you will need to do is create another VLAN on the switch and make the switch ports that these 5 PCs are connected to access ports in that newly created VLAN. Then add another access port in the newly created VLAN for the uplink connection to the port on the ASA that you designate as the "DMZ". In the example below the uplink would be connected to Ethernet0/7 on the ASA.
interface Vlan3
 no forward interface Vlan1
 ip address 10.10.71.1 255.255.255.0
!
interface Ethernet0/7
 switchport access vlan 3
Finally, for all this to work make sure that "ip routing" is not enabled on your switch because otherwise the switch will route the traffic from the 5 PCs to the LAN, bypassing the firewall entirely. In addition, make sure that you don't forget the "nat (dmz)" statement that NT suggested as this will allow users on the DMZ to pass through the firewall on the way to the internet.
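Pulling the pieces from the thread together into one configuration, as an added example that is not the answerer's own config: the question names an ASA 5510, whose ports are routed interfaces rather than switchports, so the DMZ is assumed here to be a dedicated physical port (Ethernet0/2, an assumption) instead of the Vlan3/Ethernet0/7 pair shown above; the interface name "dmz", the security level of 50, the pre-8.3 nat/global syntax and the use of auto_config for DNS are likewise assumptions. The access list is the part that enforces "internet only": it explicitly denies the lobby subnet from reaching the office LAN before permitting everything else.

```cisco
! Dedicated DMZ port for the 5 lobby PCs (assumed port Ethernet0/2 on a 5510)
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.71.1 255.255.255.0
 no shutdown
!
! DHCP scope for the lobby PCs, served by the ASA on the dmz interface
dhcpd address 10.10.71.2-10.10.71.31 dmz
dhcpd auto_config outside interface dmz
dhcpd enable dmz
!
! PAT the lobby subnet behind the outside interface on its way to the internet
global (outside) 1 interface
nat (dmz) 1 10.10.71.0 255.255.255.0
!
! Lobby may reach anything except the office LAN (10.10.70.0/24);
! once an ACL is applied to dmz it replaces the security-level default, so the deny is explicit
access-list dmz_in extended deny ip 10.10.71.0 255.255.255.0 10.10.70.0 255.255.255.0
access-list dmz_in extended permit ip 10.10.71.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

After applying it, "show access-list dmz_in" should show the deny line's hit count rising if a lobby PC tries to reach a 10.10.70.x address, which is a quick way to confirm the separation is actually passing through the firewall and not being routed around it on the switch.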