ASA5510 dual separate LANs

jwaskewics
Level 1

Hello all,

I have a customer with a 5510 that recently sub-leased their office.  I would like to give the sub-tenant their own "portion" of our bonded T1's, yet keep ALL network traffic separate.  I understand that the WAN traffic will commingle and this is OK.

We currently have inbound rules set up for the main tenant that allow certain external IPs to translate to internal servers, e.g. Citrix, Exchange, etc.  We also have some "denies" set up for IPs at myspace, facebook, etc.

The sub-tenant will only need one single NAT'd external IP, which we have available.

We need to also LIMIT the bandwidth for the sub-tenant at 3 Mbps.

Ethernet 0/2 and 0/3 are available.

The firewall rules for the subtenant will be simple and will allow all traffic that originates inside to go out then come back in, but will deny all traffic originating from outside trying to get in.

Can this be done on the ASA?  Can it be done "relatively" easily?

Please advise and post any samples or Cisco "walk throughs" for this.  Please advise on potential pitfalls as well.

Thank you.

John

11 Replies

Jitendriya Athavale
Cisco Employee

Hi,

This will be relatively simple; all you need is NAT rules to send out the traffic and some QoS to limit the bandwidth utilization to 3 Mbps.

This limiting can be done either on the ASA or on the upstream, but I guess we can do it on the ASA and finish it off.

I do not have any specific doc to give you as an example, but if you provide me the current config and the new networks that you intend to add, I can help you out with this (you can mask public IPs if you wish to).

Jathaval,

Thank you, much appreciated.  Sorry it took so long for my reply.

We need to allow a maximum of 3 Mbps up and down for the NEW LAN at 192.168.0.0 using Ethernet 0/2, and push all that traffic through a dedicated external IP address called x.x.x.70, i.e. all 192.168.0.0 users will send/receive Internet traffic on the x.x.x.70 WAN IP.

Thank you, John

PS Please advise if there is anything else glaring that should be changed...thanks.

ASA Version 8.0(4)
!
hostname ciscoasa
domain-name xxxxxxxxxxxx.com
enable password xxxxxxxxxxx encrypted
passwd xxx encrypted
names
name xxx X-Serve01 description X-Serve01
name xxxxxxxxxxxxxx X-Serve01-Outside description X-Serve01-Outside
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address xxxxxx.68 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address "NOT 192.168.0.0" 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address xxxx 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
name-server xxxx
name-server 64.60.0.17
name-server 64.60.0.18
domain-name xxxxxxxxxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq 993
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq 2552
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 x.x.x.x 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 .... 255.255.255.0
access-list Outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 .... 255.255.255.0
access-list outside extended permit tcp any host x.x.x.x eq citrix-ica
access-list outside extended permit tcp any host x.x.x.x eq 3389
access-list outside extended permit tcp any host x.x.x.x eq 1604
access-list outside extended permit tcp any host x.x.x.x eq www inactive
access-list outside extended permit tcp any host x.x.x.x eq https
access-list outside extended permit icmp any any
access-list outside remark Open to Exchange, smtp-ssl on 465
access-list outside extended permit tcp any host x.x.x.x object-group DM_INLINE_TCP_1 log
access-list outside extended permit tcp any eq 2598 host x.x.x.x eq 2598
access-list outside extended permit tcp any host X-Serve01-Outside eq ssh
access-list outside remark VNC access from Second Son to XServe
access-list outside extended permit tcp x.x.x.x 255.255.255.252 host X-Serve01-Outside eq 5900
access-list Outside_cryptomap_dyn_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Split_Tunnel_List remark MD Lan behind the ASA
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list myspaceblock remark myspace.com
access-list myspaceblock extended deny ip 192.168.0.0 255.255.0.0 216.178.32.0 255.255.240.0
access-list myspaceblock remark facebook.com
access-list myspaceblock extended deny ip 192.168.0.0 255.255.0.0 69.63.176.0 255.255.240.0
access-list myspaceblock extended deny ip 192.168.26.0 255.255.255.0 216.178.32.0 255.255.240.0 inactive
access-list myspaceblock remark myspace.com
access-list myspaceblock extended deny ip 192.168.0.0 255.255.0.0 63.135.80.0 255.255.240.0
access-list myspaceblock extended deny ip 192.168.6.0 255.255.255.0 63.135.80.0 255.255.240.0 inactive
access-list myspaceblock extended deny ip 192.168.26.0 255.255.255.0 63.135.80.0 255.255.240.0 inactive
access-list myspaceblock extended permit ip any any
pager lines 24
logging enable
logging console emergencies
logging monitor emergencies
logging buffered errors
logging asdm errors
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool mydpool 172.16.1.1-172.16.1.126 mask 255.255.255.128
ip verify reverse-path interface Outside
ip verify reverse-path interface Inside
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.x 192.168.1.19 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 192.168.1.10 netmask 255.255.255.255
static (Inside,Inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.26.0 192.168.26.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (Inside,Outside) X-Serve01-Outside X-Serve01 netmask 255.255.255.255
access-group outside in interface Outside
access-group myspaceblock in interface Inside
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.3 1
route Inside 192.168.4.0 255.255.255.0 192.168.1.3 1
route Inside 192.168.6.0 255.255.255.0 192.168.1.3 1
route Inside 192.168.26.0 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 Inside
http 176.16.1.0 255.255.255.0 Inside
http x.x.x.x 255.255.255.248 Outside
snmp-server host Inside 192.168.1.210 community public version 2c
snmp-server location SC
snmp-server contact LIT
snmp-server community xxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
client-update type WinNT url http://www.google.com rev-nums 5.06
telnet 176.16.1.0 255.255.255.0 Inside
telnet 192.168.0.0 255.255.0.0 Inside
telnet timeout 5
ssh x.x.x.x 255.255.255.248 Outside
ssh 176.16.1.0 255.255.255.0 Inside
ssh 192.168.0.0 255.255.0.0 Inside
ssh timeout 60
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.1.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.59.59.177 source Outside prefer
group-policy mdremote internal
group-policy mdremote attributes
wins-server value x.x.x.x
dns-server value x.x.x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value xxxxxxxxxxxxxx.com
client-firewall none
username xxxxxxxxx password xxxxxxxxxxxxx encrypted privilege 15
username admin attributes
vpn-group-policy xxxxxemote
username xxxxxx password xxxxxxxxx encrypted privilege 15
username xxx attributes
service-type nas-prompt
username xxx password xxx encrypted privilege 15
username xxx password xxx encrypted privilege 15
username xxx attributes
vpn-group-policy mdremote
username xxx password  encrypted
username xxx attributes
vpn-group-policy mdremote
username xxx password xxxx encrypted
username xxx attributes
vpn-group-policy mdremote
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group mdremote type remote-access
tunnel-group mdremote general-attributes
address-pool mdpool2
authorization-server-group LOCAL
default-group-policy xxx
authorization-required
tunnel-group mdremote ipsec-attributes
pre-shared-key *
!
class-map MAC-SSH-Outside-class
description Limit to 512K
match port tcp eq ssh
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
policy-map SSH-Outside-policy
description Limit MAC SSH Outside-policy
class MAC-SSH-Outside-class
  police input 512000 2048
  police output 512000 2048
  set connection timeout dcd 0:15:00 5
!
service-policy global_policy global
service-policy SSH-Outside-policy interface Outside
prompt hostname context
Cryptochecksum:3a77734e98758f89e18a5c0278880c7c
: end

jathaval,

Any update on the config?  Thank you again for your help on this.

John

Here it is

interface Ethernet0/2
nameif inside2
security-level
ip address

nat (inside2) 20 192.168.0.0 255.255.0.0
global (Outside) 20 xx.xx.xx.70

access-list police-acl permit ip 192.168.0.0 255.255.0.0 any

class-map tcp-traffic-class
match access-list police-acl

policy-map police-pm
class tcp-traffic-class
  police output 3000000
  police output 3000000

service-policy police-pm interface outside

I hope it helps.

PK
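The fragment above leaves security-level and ip address blank and uses a /16 for the new LAN, which is the same 192.168.0.0/16 the posted config already treats as the main tenant's address space (Split_Tunnel_List, the myspaceblock ACL, the http/ssh/telnet lines). As an added example (editor's, not PK's or Cisco's), here is a fuller version of the inside2 bring-up, assuming the sub-tenant LAN is 192.168.0.0/24 with the ASA at 192.168.0.1 and xx.xx.xx.70 as the dedicated public address. The check worth making against the posted config: "same-security-traffic permit inter-interface" is enabled, so an inside2 interface at security-level 100 (the same as Inside) would pass traffic between the two tenants by default, and the "keep ALL network traffic separate" requirement would silently fail. The example therefore gives inside2 a lower security level plus an explicit ACL that denies the main tenant's networks (and the VPN pool) before permitting Internet-bound traffic, and adds a matching deny at the top of the existing myspaceblock ACL on Inside.

```cisco
! Sub-tenant LAN on Ethernet0/2 (addresses are assumptions for this example)
interface Ethernet0/2
 nameif inside2
 security-level 50
 ip address 192.168.0.1 255.255.255.0
 no shutdown
!
! Internet-bound traffic from the sub-tenant leaves as the dedicated public IP.
! nat/global id 20 is separate from the main tenant's id 10 (PAT on the Outside address).
global (Outside) 20 xx.xx.xx.70
nat (inside2) 20 192.168.0.0 255.255.255.0
!
! Inbound ACL on inside2: the sub-tenant may reach the Internet but not the main tenant.
! The denies cover everything routed behind Inside in the posted config (192.168.1/3/4/5/6/26.0)
! and the remote-access VPN pool 172.16.1.0/25; the last line permits Internet access.
! (Denying the sub-tenant's own /24 is harmless: same-subnet traffic never transits the ASA.)
access-list inside2_in extended deny ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside2_in extended deny ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.128
access-list inside2_in extended permit ip 192.168.0.0 255.255.255.0 any
access-group inside2_in in interface inside2
!
! Symmetric deny on the main tenant side. Inside (100) is higher than inside2 (50), so without
! this line Inside hosts could reach the sub-tenant; "line 1" places it ahead of the final
! "permit ip any any" in myspaceblock.
access-list myspaceblock line 1 extended deny ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.255.0
```

After applying, "show xlate" should show sub-tenant connections translated to xx.xx.xx.70 and "show access-list inside2_in" should show hit counts on the deny lines when a sub-tenant host tries to reach 192.168.1.x. One more path to check: remote-access VPN clients receive 192.168.0.0/16 via Split_Tunnel_List and, with the default "sysopt connection permit-vpn", bypass interface ACLs, so they could reach the sub-tenant LAN; narrow the split-tunnel list to the main tenant's /24s or attach a vpn-filter to group-policy mdremote.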

I think PK meant to say

policy-map police-pm

class tcp-traffic-class

  police input 3000000 ----------->input

  police output 3000000

-KS

Thank you.

Please mark it as resolved, if it is, so that others can benefit from it in the future.

Rgs,

PK

Pkampana,

Ok, will do, thanks again.

I applied the config today and got this error:

ERROR: Policy map SSH-Outside-policy is already configured as a service policy

We do limit SSH traffic bandwidth for Macintosh backups from outside to inside.

What do I need to do with this?

Can we apply the policy to the inside2 interface instead to cap the bandwidth?

Please advise.

Here are the relevant pieces from the sho run:

...

class-map MAC-SSH-Outside-class
description Limit to 512K
match port tcp eq ssh
...

policy-map SSH-Outside-policy
description Limit MAC SSH Outside-policy
class MAC-SSH-Outside-class
  police input 512000 2048
  police output 512000 2048
...

PS We are limited to one policy per interface.

Thank you,

John


Yes, only one policy can be applied per interface and one globally.

Each policy can have multiple classes that police differently.

PK

PK,

Ok, thanks.

So, how can I modify the existing policy to have another class to police this traffic on this inside2 interface?

Or, what would you suggest.

FYI, I tried to add a new class via ASDM into the existing policy for the outside interface to police traffic on inside2, but I could not see how to only specify the inside2 traffic to police as it appears to affect the entire outside interface.

Please advise and thank you.

John

Any updates on this guys?

Thanks.

John
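On the last question in the thread (one service policy per interface, and how to cap only the sub-tenant): the ASA allows one service-policy per interface plus one global policy, so a cap applied on the Outside side would have to be a second class inside the existing SSH-Outside-policy. The simpler route, which the question already suggests, is a separate policy on inside2, where the sub-tenant addresses are the real 192.168.0.0/24 and nothing interacts with the SSH policer. Added example (editor's, not from the thread); the subnet and the burst values are assumptions.

```cisco
! 3 Mbps cap for the sub-tenant, applied on inside2 rather than Outside.
! inside2 has no service-policy yet, so this does not collide with SSH-Outside-policy.
! Both directions are matched: input (sub-tenant uploads, source 192.168.0.0/24) and
! output (sub-tenant downloads, destination 192.168.0.0/24).
access-list subtenant-qos extended permit ip 192.168.0.0 255.255.255.0 any
access-list subtenant-qos extended permit ip any 192.168.0.0 255.255.255.0
!
class-map subtenant-qos-class
 description Sub-tenant LAN on inside2
 match access-list subtenant-qos
!
! police <dir> <conform-rate bits/s> <conform-burst bytes>; exceeding traffic is dropped.
! 375000 bytes (roughly one second at 3 Mbps) is an assumed burst; a very small burst such as
! the 2048 used in SSH-Outside-policy makes TCP flows settle well below the nominal rate.
policy-map subtenant-police
 description Cap sub-tenant at 3 Mbps each way
 class subtenant-qos-class
  police input 3000000 375000
  police output 3000000 375000
!
service-policy subtenant-police interface inside2
```

Only the flows matching the ACL are policed; a class-map with "match any" would instead cap everything crossing inside2, which is the behaviour seen in ASDM when the class was attached to the Outside policy. "show service-policy police" shows conformed and exceeded packet counters per direction, which is the quickest way to confirm the cap is engaging during a sub-tenant download.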
