Have an ASA5505, not sure if it's the right product.

Answered Question
Apr 23rd, 2012

Greetings,

I have an ASA5505 (base model) that my sales rep said would do what I need, but after trying to set it up I think I either need upgrades or a different product.


Allow me to explain what I'm trying to do and then hopefully someone will be able to advise. (Note: I'm not super experienced with Cisco gear, and will most likely be using the config GUI software to set up and manage the device unless forced to use the shell.)


I have a /28 IP range from my ISP, of which I'm trying to use 7 IPs; we'll say xxx.xxx.xxx.xx1 - .xx7.


Behind the firewall is a Hyper-V server with multiple customer VMs on it. Each customer has a private NIC and a distinct subnet, 192.168.1.x - 192.168.7.x.


Each IP is connected to a different internal network and needs to provide its own port forwarding rules as well as site-to-site VPN to that internal network. There will generally only be 1-2 devices on each internal network, but they need to be segregated as they belong to different customers.


xxx.xxx.xxx.xx1  -->nat to --> 192.168.1.x with port forwarding and s2s vpn

xxx.xxx.xxx.xx2 -->nat to --> 192.168.2.x with port forwarding and s2s vpn

etc.


The server is in the same rack as the firewall and is directly patched, so there is no trunking or switching concerns.


I get the feeling I'm either reinventing the wheel here or missing an obvious solution, but what I was trying to do was make 7 internal interfaces (1 per switch port) and assign each to be the gateway for its subnet. This looked great until I ran into a licence restriction, so here I am.


The above is my ideal situation, as each customer needs site-to-site VPN and privacy. Cost is a factor, so I'm OK with paying for additional options on this unit, or buying another small product, but I'm not interested in spending 10k+ on some massive enterprise unit just to get 7 customers on 1 box.


Thank you for your time


Overall Rating: 5 (2 ratings)
Correct Answer
Marvin Rhoads Mon, 04/23/2012 - 07:46
User Badges:
  • Super Bronze, 10000 points or more
  • Cisco Designated VIP, 2017 Firewalling, Network Management, VPN

The 5505 is limited to 3 VLANs if you are assigning VLANs per physical interface (data sheet specification).


If you use a trunk, you can configure up to 20 VLANs. The Security Plus license (ASA5505-SEC-PL=) is necessary. "show version" will tell you whether you have the Base or Security Plus license.


Here are the instructions for setting up a trunk with the GUI.
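To make the trunk-plus-VLAN layout concrete, below is an added CLI example of what the poster's setup could look like on the 5505 once the Security Plus license is in place. It is not Marvin's answer and not taken from the linked Cisco instructions; ASDM writes equivalent lines behind the GUI. It assumes ASA 8.4-style syntax, shows two of the seven customers, and uses constructed placeholders: 203.0.113.0/28 stands in for the poster's public /28 (.1 and .2 for the first two customers, .14 for the firewall itself), 198.51.100.1 and 10.1.0.0/24 for one customer's remote VPN peer and LAN, and the pre-shared key is a placeholder.

```cisco
! Added example, not configuration from the thread or from Cisco documentation.
! Assumes ASA 5505 with Security Plus license and ASA 8.4+ syntax.
! All public addresses, the VPN peer, the remote LAN and the PSK are
! constructed placeholders.
!
! --- Outside: untagged port to the ISP, firewall's own address from the /28
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.14 255.255.255.240
!
! --- Trunk: one physical port carries every customer VLAN to the Hyper-V host
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 11,12
 no shutdown
!
! --- One VLAN interface per customer, each the gateway for its own /24.
! All customer interfaces share security-level 100. Leaving
! "same-security-traffic permit inter-interface" OUT of the config means the
! ASA drops traffic between cust1 and cust2 by default, which is the
! segregation the poster needs.
interface Vlan11
 nameif cust1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan12
 nameif cust2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! --- Port forwarding: public .1 tcp/443 -> customer 1 VM, public .2 tcp/3389
! -> customer 2 VM. Each additional forwarded port is another object with the
! same mapped address and a different service.
object network cust1-web
 host 192.168.1.10
 nat (cust1,outside) static 203.0.113.1 service tcp 443 443
object network cust2-rdp
 host 192.168.2.10
 nat (cust2,outside) static 203.0.113.2 service tcp 3389 3389
!
! Post-8.3 ACLs match the real (inside) address; permit only the forwarded ports.
access-list outside_in extended permit tcp any object cust1-web eq 443
access-list outside_in extended permit tcp any object cust2-rdp eq 3389
access-group outside_in in interface outside
!
! --- Site-to-site VPN for customer 1 (repeat per customer with its own crypto
! map sequence number, interesting-traffic ACL and tunnel-group).
object network cust1-lan
 subnet 192.168.1.0 255.255.255.0
object network cust1-remote
 subnet 10.1.0.0 255.255.255.0
! Identity NAT so tunnel traffic keeps its private addresses.
nat (cust1,outside) source static cust1-lan cust1-lan destination static cust1-remote cust1-remote no-proxy-arp route-lookup
access-list cust1-vpn extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address cust1-vpn
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-CUSTOMER1-PSK
```

After applying it, "show version" confirms the license as Marvin notes, "show switch vlan" lists which VLANs are carried on the trunk port, and "show nat" shows hit counts per translation so you can confirm each customer's forwarded port is actually being matched. Because the customer-1 VPN ACL only covers 192.168.1.0/24, a tunnel for one customer never carries another customer's subnet.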

mikeschietinger Mon, 04/23/2012 - 13:18

Fantastic news, just one follow-up question. I would set up a trunk to pipe 13 VLANs on 1 port to a managed switch that all my NICs would connect to. Will a Layer 2 managed switch work for this, or do I need a Layer 3 switch?


I have 1 of these kicking around and I'm hoping it'll work for at least the test lab.


http://www.cdw.com/shop/products/NETGEAR-ProSafe-GS716Tv2-switch-16-ports-managed-desktop/1993632.aspx


Thanks again for all your help.

Correct Answer
Marvin Rhoads Mon, 04/23/2012 - 17:48
User Badges:
  • Super Bronze, 10000 points or more
  • Cisco Designated VIP, 2017 Firewalling, Network Management, VPN

You're welcome.


As long as it supports 802.1q trunking (the Netgear specs say it does), you should be fine. The switch is strictly acting as a Layer 2 device in the context of this discussion.


Let us know how it turns out and rate the discussion / mark the question as answered if it helps.
