I am just about to buy an ASA 5505. I need an outside interface with a public address that can NAT to two internal (private) networks.
Can I have two inside interfaces, like 192.168.1.0 and 10.2.0.0, that can talk to each other?
Can I do it without VLANs? The reason is that I would otherwise need to reconfigure my current switches.
On the Cisco web site they say that:
"With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN" - but I need the two inside networks to be able to talk to each other.
Please help. TIA to all.
With the base license on the ASA 5505 you would have a restricted license on the box, which means you can only initiate traffic from Inside 1 to outside and from Inside 1 to Inside 2, but not vice versa. If you want complete inter-VLAN routing then you would need the Security Plus license for it. You can check your license by using the command:
This would tell you whether it is base or security plus.
Hope that helps.
Thanks for the reply Varun.
I ordered Security Plus today.
I need to have tunnels to both inside interfaces, and also internal traffic 192.168.1.0 to 10.2.0.0 and vice versa.
Do you know if I can have more than one IPsec VPN tunnel?
Yes you can definitely do that, here's a license guide for ASA 5505:
Hope that helps,
Last two questions:
1. Do I need to create a VLAN on my switch to make it work, or is there a way to make the VLANs transparent, so the switch can stay as it is?
2. Can I use ASDM as a web GUI for that? If yes, where can I download it, or does the software come with the hardware?
On the ASA 5505 you definitely need to create VLAN interfaces instead of physical interfaces, since there is a switch module in the ASA 5505. Here is a sample config on how to configure it:
interface Ethernet0/1
 switchport access vlan 60
interface Vlan60
 ip address 192.168.226.1 255.255.255.0
Yes you can definitely use the GUI for it, here's the guide:
and here's the download link:
Hope this helps,
I thought the outside interface security level should be 0, and the inside interfaces security level 100?
But if I configure the ASA with VLANs, do I need to reconfigure my current switch to handle the traffic, or will inter-VLAN traffic be done at the ASA level?
That completely depends upon your topology and the configuration. If you have a trunk configured on the switch then the ASA interface would also be a trunk port and the configuration would be the same as the switch. The inter-VLAN routing can be done on the ASA itself with the help of NATs, ACLs and routes.
And please ignore the security-level, that's a mistake; outside is indeed 0 by default.
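Pulling the thread together, here is an added example (not posted by anyone in this thread) of what a Security Plus ASA 5505 config for this setup could look like: two inside VLANs on access ports that route to each other on the ASA and PAT to the outside address. The port numbers, VLAN ids, the 203.0.113.x outside addresses and the 8.3+ NAT syntax are my assumptions.

```cisco
! Assumed: ASA 5505, Security Plus license, ASA 8.3 or later NAT syntax.
! Each physical port is an access port in one VLAN, so the downstream
! switches need no VLAN configuration at all.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/2
 switchport access vlan 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan1
 nameif inside1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan10
 nameif inside2
 security-level 100
 ip address 10.2.0.1 255.255.0.0
!
! Both LAN interfaces sit at security-level 100; by default the ASA drops
! traffic between equal-security interfaces, so permit it explicitly.
! (With the Base license the third VLAN could only initiate to one other
! VLAN, which is why Security Plus is needed for two-way LAN-to-LAN.)
same-security-traffic permit inter-interface
!
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 10.2.0.0 255.255.0.0
!
! Identity (no-NAT) rule so LAN1 <-> LAN2 keeps real addresses and leaves
! via inside2. Static manual NAT rules are bidirectional, so one line
! covers traffic initiated from either LAN; it must precede the PAT rules.
nat (inside1,inside2) source static LAN1 LAN1 destination static LAN2 LAN2
!
! PAT both LANs behind the outside interface address for Internet access.
object network LAN1
 nat (inside1,outside) dynamic interface
object network LAN2
 nat (inside2,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

If IPsec tunnels to either LAN are added later, their interesting traffic needs its own identity NAT rule ahead of the PAT rules, otherwise it is translated to the outside address before encryption.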
The switch does not have any VLAN configured. The Watchguard x1000 which I am replacing had 1 WAN and 2 LAN interfaces (192.168.x.x and 10.2.0.x). Basically the Watchguard did all the routing, hence no VLANs were needed.
So, having a switch without VLANs configured, what's the best ASA configuration so that traffic goes both ways between both LANs?
If you are using only 3 interfaces on the ASA then you can just connect those 3 to the Watchguard or the switch, whatever device you have upstream and downstream of the ASA, and just treat them as normal interfaces going into the other devices. It shouldn't be an issue.
But I want to replace the Watchguard with the ASA, because the Watchguard went mental.
So on the ASA I will have a WAN interface (public IP) and two LAN interfaces with different ranges of IPs, as mentioned before.
So you are saying no vlan configuration is needed???