Need Internet access but Deny LAN (Intranet)

Answered Question
Jul 13th, 2010

Hi

We have a LAN/WAN infrastructure. We are using a Cisco ASA 5510. One of our branch offices has 30 computers in the office room and 5 computers in the lobby. All computers in the LAN have the same series IP (10.10.70.1/24) and are able to access the internet and the intranet (LAN). Now our management wants to separate the 5 computers (which are in the lobby). These 5 computers are for the public; they only need internet, no intranet (LAN). Does anyone have any suggestions or ideas as to how I could do this? Please have a look at the attachment, my branch ASA configuration.

Any help would be much appreciated.

Thanks in advance.

Aminul

Attachment: 

Nagaraja Thanthry Tue, 07/13/2010 - 13:23

Hello,


You can configure the 5 PC's in the DMZ. Since you have ASA5505 with base license, anyways, the DMZ devices will not be able to communicate with the inside (They can only communicate with one other interface and we can configure them to be communicating to internet).


On the ASA:


! DMZ VLAN on its own subnet (10.10.71.0/24), separate from the inside 10.10.70.0/24
interface Vlan3
 ! nameif and security-level are needed so the dhcpd and nat lines below can refer to "dmz"
 nameif dmz
 security-level 50
 ip address 10.10.71.1 255.255.255.0
exit
!
! Second DHCP scope, served only on the dmz interface
dhcpd address 10.10.71.2-10.10.71.31 dmz
dhcpd dns interface dmz
dhcpd enable dmz
!
! PAT for everything sourced from the dmz interface on its way out
nat (dmz) 1 0.0.0.0 0.0.0.0


This will make sure that your DMZ devices will get an IP from the ASA in a different range and will also be able to go out to internet. The implicit deny between VLAN 3 and VLAN 1 will prevent these subnets from communicating with each other.

Note: When you are configuring the DNS server, please make sure that it points to an external DNS server.


Hope this helps.


Regards,


NT

aminulnt Wed, 07/14/2010 - 11:23

Hi NT

Thanks for your reply. I would like to use the same IP segment (10.10.70.0). Is there any way to use the same series IP (10.10.70.0) for my 5 PCs? Right now we are using the ASA as DHCP for (10.10.70.0). Can I configure another DHCP (10.10.71.0) on the ASA? These 5 PCs are using the same switch in the LAN. What will the configuration be for my 5 PCs, and how will they (the 5 PCs) get an IP from 10.10.71.0? I would appreciate it if you could let me know the feedback.

Regards,

Aminul

Correct Answer
bknoblau Wed, 07/14/2010 - 13:47

Hello,


Unfortunately, your DMZ interface can't use the same subnet as your inside interface.  To accomplish this 3 interface setup, you will have to use the 10.10.71.x subnet for the DMZ.  It is possible to set up another dhcp range (10.10.71.0) for the DMZ interface on the ASA using the commands that NT sent before (dhcpd address 10.10.71.2-10.10.71.31 dmz, dhcpd dns interface dmz, dhcpd enable dmz).


If these 5 PCs are connected to the same switch as the LAN, all you will need to do is create another VLAN on the switch and make the ports on the switch that these 5 PCs are connected to access-ports in that newly created VLAN.  Then add another access-port in the newly created vlan for the uplink connection to the port on the ASA that you designate the "DMZ". In the example below the uplink would be connected to Ethernet0/7 on the ASA.


! DMZ VLAN: separate subnet, blocked from forwarding to the inside VLAN
interface Vlan3
 no forward interface Vlan1
 ip address 10.10.71.1 255.255.255.0
 nameif dmz
 security-level 50
!
! ASA port that receives the uplink from the switch's new VLAN
interface Ethernet0/7
 switchport access vlan 3


Finally, for all this to work make sure that "ip routing" is not enabled on your switch because otherwise the switch will route the traffic from the 5 PCs to the LAN, bypassing the firewall entirely.  In addition, make sure that you don't forget the "nat (dmz)" statement that NT suggested as this will allow users on the DMZ to pass through the firewall on the way to the internet.


Warm Regards,


BK
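The two answers above give five conditions that the branch config has to meet before the lobby PCs are actually isolated: a DMZ subnet that does not overlap the inside subnet, a lower security-level on the DMZ, `no forward interface Vlan1` on the base-license 5505, a dhcpd pool that lies inside the DMZ subnet, and a `nat (dmz)` statement, plus `ip routing` left off the switch. The script below is an added example, not code from the thread or from Cisco; it is a static lint that reads an ASA-style config and reports which of those conditions are not met. The `ASA_CONFIG` and `SWITCH_CONFIG` strings are constructed for the example (they are not Aminul's attachment) and only the command forms that appear in the thread are parsed.

```python
import ipaddress
import re

# Constructed sample ASA 5505-style config for this example; it is NOT the
# poster's attached configuration. It combines the commands from both answers.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.70.1 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.71.1 255.255.255.0
!
interface Ethernet0/7
 switchport access vlan 3
!
dhcpd address 10.10.70.2-10.10.70.100 inside
dhcpd address 10.10.71.2-10.10.71.31 dmz
dhcpd dns interface dmz
dhcpd enable dmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
"""

# Constructed LAN switch snippet: the switch must not route between VLANs.
SWITCH_CONFIG = """\
hostname branch-sw1
no ip routing
"""

def parse_interfaces(config):
    """Map each nameif to its VLAN name, subnet, security level and blocked forwards."""
    ifaces, current = {}, None
    for raw in config.splitlines() + ["!"]:  # trailing "!" flushes the last block
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = {"name": m.group(1), "nameif": None, "network": None,
                       "security_level": None, "no_forward": []}
        elif line == "!":
            if current and current["nameif"]:
                ifaces[current["nameif"]] = current
            current = None
        elif current is not None:
            if line.startswith("nameif "):
                current["nameif"] = line.split()[1]
            elif line.startswith("security-level "):
                current["security_level"] = int(line.split()[1])
            elif line.startswith("ip address "):
                _, _, ip, mask = line.split()
                current["network"] = ipaddress.IPv4Interface(f"{ip}/{mask}").network
            elif line.startswith("no forward interface "):
                current["no_forward"].append(line.split()[-1])
    return ifaces

def parse_dhcp_ranges(config):
    """Map nameif -> (first, last) address of its dhcpd pool."""
    return {m.group(3): (ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2)))
            for m in re.finditer(r"^dhcpd address (\S+)-(\S+) (\S+)", config, re.M)}

def nat_interfaces(config):
    """Set of nameifs that have a 'nat (<nameif>)' statement."""
    return set(re.findall(r"^nat \((\S+)\)", config, re.M))

def check_dmz_isolation(config, inside="inside", dmz="dmz"):
    """Return a list of findings; an empty list means every check from the thread passes."""
    findings = []
    ifaces = parse_interfaces(config)
    if inside not in ifaces or dmz not in ifaces:
        return [f"both '{inside}' and '{dmz}' must be configured with nameif"]
    i, d = ifaces[inside], ifaces[dmz]
    # 1. The DMZ cannot share (or overlap) the inside subnet.
    if i["network"].overlaps(d["network"]):
        findings.append(f"{dmz} subnet {d['network']} overlaps {inside} subnet {i['network']}")
    # 2. A lower security level keeps the DMZ from initiating to inside by default.
    if d["security_level"] >= i["security_level"]:
        findings.append(f"{dmz} security-level {d['security_level']} is not below {inside}")
    # 3. On a base license the DMZ VLAN must explicitly block forwarding to inside.
    if i["name"] not in d["no_forward"]:
        findings.append(f"missing 'no forward interface {i['name']}' under interface {d['name']}")
    # 4. The DMZ DHCP pool must hand out addresses from the DMZ subnet.
    pool = parse_dhcp_ranges(config).get(dmz)
    if pool is None:
        findings.append(f"no dhcpd address pool for {dmz}")
    elif pool[0] > pool[1] or pool[0] not in d["network"] or pool[1] not in d["network"]:
        findings.append(f"dhcpd pool {pool[0]}-{pool[1]} is outside {d['network']}")
    # 5. Without nat (dmz) the lobby PCs cannot reach the internet through the ASA.
    if dmz not in nat_interfaces(config):
        findings.append(f"missing 'nat ({dmz}) ...' statement")
    return findings

def switch_routes_between_vlans(switch_config):
    """True if the switch has 'ip routing' enabled, which would bypass the firewall."""
    return any(line.strip() == "ip routing" for line in switch_config.splitlines())

if __name__ == "__main__":
    for f in check_dmz_isolation(ASA_CONFIG) or ["ASA config passes all checks"]:
        print(f)
    print("switch routes between VLANs:", switch_routes_between_vlans(SWITCH_CONFIG))
```

Running it on the sample prints "ASA config passes all checks"; changing the Vlan3 address to the 10.10.70.0/24 range reproduces BK's objection (the subnets overlap) and also flags the dhcpd pool as lying outside the new DMZ subnet. The lint only confirms the config says what the answers require; after applying it, a ping or TCP connection attempt from a lobby PC to an inside host is still the real test that the DMZ cannot reach the LAN.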

aminulnt Wed, 07/14/2010 - 14:19

Hi

I really appreciate your support and valuable comments. I am going to implement it as per your instructions. Thanks again for your tutoring.

Thanks

Aminul
