I placed a network 10.71.180.128/25 (VLAN71) behind the inside interface of my ASA5505. I have a server on this network that I have to access from both the internet and from inside my network. I understand I can create a NAT rule to access the inside server from the internet, but have not been able to figure out how I can have a computer (10.100.10.1) in another internal subnet 10.100.10.0/28 access server 10.71.180.140. I only have the basic package on the ASA5505.
If you have a 6513 that is performing IP routing, why are you not just routing between the 2 SVI interfaces in the 6513?
Do you have a specific requirement to put vlan 71 and vlan 100 behind a firewall to protect them from each other?
The way we structure our PCI compliance networks is to place them behind an ASA. VLAN71 is the network that needs to be isolated, but I have a server in VLAN that exchanges information with one of the servers in VLAN71. The vendor needs to come in from outside to manage the server in VLAN71.
OK - firstly, from the config you posted, the interface in VLAN100, E0/4, is shut down; you need to enable it.
Secondly, I would change the VLAN100 security level from 100 to a lower number, as interfaces with the same level do not have to go through an access-list. Currently this breaks your PCI compliance.
Thirdly, just to make sure, I would configure a NAT exemption between the 2 VLAN interfaces.
E0/5 is now active, and I lowered the security level to 0 on VLAN 100.
But I don't really understand the NAT exemption rule. I want 10.100.10.1 to be able to access the 10.71.180.136 (inside network) server.
OK - personally I would set the security level to 50 - then I know:
My inside is 100 = totally trusted
My outside is 0 = totally un-trusted
My VLAN100 is 50 = can access the internet, but I need to write an acl for traffic originating in the VLAN100 to the inside.
You must look at your NAT - by default all traffic passing from a lower interface to a higher and vice versa is NATted.
So I would have something like:-
global (outside) 1 interface
nat (inside) 1 w.w.w.w x.x.x.x
nat (VLAN100) 1 y.y.y.y z.z.z.z
The above will NAT all traffic to the internet using the outside IP address, then the nat exemption
access-list no-nat permit ip w.w.w.w x.x.x.x y.y.y.y z.z.z.z
access-list no-nat permit ip y.y.y.y z.z.z.z w.w.w.w x.x.x.x
nat (inside) 0 access-list no-nat
nat (VLAN100) 0 access-list no-nat
The above tells the firewall not to NAT when the source and destination match; everything else should be NATted.
w.w.w.w x.x.x.x = VLAN 71 IP subnet & mask
y.y.y.y z.z.z.z = VLAN100 IP subnet & mask
Then you need to allow access from server to server:
access-list allow-server permit ip host 10.100.10.1 host 10.71.180.136
access-group allow-server in interface VLAN100
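The full set of commands the reply above describes, with the thread's real subnets (10.71.180.128/25 for VLAN71 and 10.100.10.0/28 for VLAN100) filled in, as an added example that is not configuration from any poster in this thread. It uses the same pre-8.3 NAT syntax as the reply. The interface addresses 10.71.180.129 and 10.100.10.14, the VLAN1 interface name, and the packet-tracer port are assumed placeholders; the ACL is deliberately narrowed to the single host-to-host flow the thread asks for rather than a subnet-to-subnet permit.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax, matching the reply above.
! Assumed placeholder interface addresses: inside 10.71.180.129/25, VLAN100 10.100.10.14/28.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.71.180.129 255.255.255.128
!
interface Vlan100
 nameif VLAN100
 security-level 50
 ip address 10.100.10.14 255.255.255.240
!
! Dynamic PAT to the outside interface for both internal segments (nat id 1).
global (outside) 1 interface
nat (inside) 1 10.71.180.128 255.255.255.128
nat (VLAN100) 1 10.100.10.0 255.255.255.240
!
! NAT exemption (nat id 0): traffic between the two internal subnets keeps
! its real addresses in both directions; everything else still hits nat id 1.
access-list no-nat extended permit ip 10.71.180.128 255.255.255.128 10.100.10.0 255.255.255.240
access-list no-nat extended permit ip 10.100.10.0 255.255.255.240 10.71.180.128 255.255.255.128
nat (inside) 0 access-list no-nat
nat (VLAN100) 0 access-list no-nat
!
! Least privilege from the lower-security interface: only the one host pair.
! Narrow "ip" to the actual tcp/udp port once the vendor confirms it.
access-list allow-server extended permit ip host 10.100.10.1 host 10.71.180.140
access-group allow-server in interface VLAN100
!
! Verification from the CLI (assumed destination port 443 as an illustration):
! packet-tracer input VLAN100 tcp 10.100.10.1 40000 10.71.180.140 443
! show nat
! show access-list allow-server
```

In the packet-tracer output the NAT phase should report the exemption (no translation) and the ACCESS-LIST phase should report ALLOW; the hitcnt on `show access-list allow-server` climbing while you test confirms the flow is actually matching that entry rather than an implicit rule.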
It would not allow me to enter:
nat(VLAN100) 1 10.100.10.0 255.255.255.128
Currently there is no nameif for the interface, so I attempted to add one. Here is the error I got:
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
Do I need to upgrade the license first?
This error has occurred due to a license limitation on the ASA. You need to obtain the Security Plus license in order to configure more VLANs in routed mode. Only three active VLANs can be configured with the Base license, and up to 20 active VLANs with the Security Plus license. You can create a third VLAN with the Base license, but this VLAN only has communication either to the outside or to the inside, not in both directions. If you need communication in both directions, then you need to upgrade the license. Also, if you use the Base license, allow this interface to be the third VLAN and limit it from initiating contact to one other VLAN with the hostname(config-if)# no forward interface vlan number command. Thus the third VLAN can be configured.
for the "forward interface" command & explanation.
I think that you could just move the "outside" off VLAN 2 and into a specific interface - then you can have 2 vlans without having to upgrade!
Actually just thinking about it another possible solution would be:-
Move the inside interface into its own interface. Then create a sub-interface and tag it with a VLAN id.
On your switch either make the physical port connecting to the ASA a trunk port or.......have it as a normal switch port in the inside VLAN, then if your switch supports it use the AUX VLAN for your DMZ.
No, VLAN 100 does not have to access the outside interface, just talk to the server on the inside VLAN.
I have configured everything for NAT exemption and added the no forward command to the outside interface (VLAN 2). I went ahead and configured two test laptops, one in VLAN 71 (inside), 10.71.180.135, and one in VLAN 100, 10.100.10.114. To check connectivity I pinged from the inside IP to VLAN 100 on the ASA CLI and I am good, but can't ping from the 10.100.10.114 IP to a computer on the inside interface or ping the inside interface.
Thanks for your help.
OK - firstly you have a config error:-
access-list allow-server extended permit ip host 10.100.10.114 host 10.71.100.135
access-list allow-server extended permit ip host 10.100.10.114 host 10.71.180.135
Secondly, have you configured the default gateway on the laptops to the correct ASA interface IP address?
Post the output of
"show access-list allow-server"
Config error corrected. Thanks for that. I can't change the default gateway for VLAN 100 because this is an existing network that has other servers on it. 10.100.100.1 provides services to the computers within that network and also needs to communicate with a server within VLAN 71 (PCI network). The inside laptop is set up as DHCP and has the correct DFG.
Yes, I can ping 10.71.180.135 when I change the default gateway of 10.100.10.114 to 10.100.10.120. Is there another way to reach the inside network from VLAN 100 without changing the default gateway?
I am confused - are you saying that you have a different DG in the VLAN100 subnet?
Then the solution will be to configure a static route on the server that points the 10.71.180.0/24 network or the 10.71.180.135 host in its routing table towards the ASA.