New Member

ASA 5520 Configuration for Internet Access from Different VLAN

PLEASE HELP ME FOR THE CONFIGURATION....REQUIRE YOUR EXPERT HELP

Hi All,

I'm new to ASA configuration; please help me out with my requirement for Campus LAN internet access from different VLANs (Default VLAN 1 is down in all Cisco switches for security reasons; starting from VLAN 2 and so on, there are about 40 VLANs).

I have attached my Network Arch for your ready reference. The brief scenario is as follows:

1. In Core Switch 1 (VTP Server) all 40 VLANs are created; Core Switch 2 is in standby (VTP Mode Client).

2. ASA Outside interface connected with Internet Router's Fa0/1; I don't know what IP I should give to both the Router and ASA interfaces.

3. Internet Router Fa0/0 ( 111.93.160.38/30 ) connected with ISP 3 MB Internet link, Gateway Next Hop 111.93.160.37/30

4. ISP has given me 6 more Public IPs for my Web Servers in the DMZ LAN; out of 6 I need at least 4 IPs for those servers, and a maximum of 2 I can use for any other purpose, like if required in ASA & Router Interface or NAT pooling etc. The segment is 111.93.161.16/29

5. ISP provided me the Public DNS as 121.242.190.210 & 181

6. Core1 connected to Firewall with a /30 IP, Core switch side 20.20.20.2/30 and ASA inside interface 20.20.20.1/30

7. The DMZ switch is L2 Cisco switch 2960 with no IP address, ASA Outside interface 192.20.20.1/24

8. All the DMZ server IP in 192.20.20.0/24 segment

9. All VLANs are Routed through Inter VLAN routing in L3 Switch ( IP Routing )....no dynamic routing used.

10. The Inside ( 172.16.34.0, 172.16.100.0, 172.20.40.0 ) LAN and DMZ ( 192.20.20.0 ) are configured and working fine with required NAT, Access Rule, Routing etc....

11. The current ASA configuration is also attached for your ready ref.

12. The Core switch VLAN segments like as below:----

   

    Interface VLAN 1 is DOWN

    172.18.18.0/24, 172.16.10.0/24 - 45.0/24, 172.20.20.0/24, 176.20.30.0/24, 176.20.20.0/24, 176.20.40.0/24, 172.16.100.0/24

My Requirements:- Please help me with your kind expert advice to configure the following scenario.

1st which is required immediate....

# I need to configure my ASA, Router & L3 in such a way that Internet should be accessed from End user PC, that means from end user PC only the public DNS can be resolved without any Proxy.

2nd which is required later.....

# I will install a Proxy server and also a Local DNS within the next 30 days, so that users have to use the internet through the Proxy & URL filtering will be activated; at the same time DNS requests will come to the Local DNS and then get resolved by the Public DNS

3rd which is also required ASAP

# The DMZ server can also reach Internet as well from Internet user can get into DMZ server.

3 REPLIES
New Member

Re: ASA 5520 Configuration for Internet Access from Different VL

What a surprise...!!!!! Not a single answer....Maybe what I asked is very critical or so simple.......or maybe the information I put here...is too long for anyone to read in its entirety....Am I right...????

Anyway...I have solved the problem as per my 1st requirement MOSTLY.........

# From any VLAN in the Campus LAN I can ping my Public DNS, but internet is still not working, as maybe it is not getting the http request from Public DNS...can anyone help in this regard......??

Cisco Employee

Re: ASA 5520 Configuration for Internet Access from Different VL

I guess it is all of it. Added to that, it is Thanksgiving weekend (a major holiday, like Diwali in India) here in the U.S. So, the responses may be delayed.

Let me read your (long) post and try to answer.

-KS

Cisco Employee

Re: ASA 5520 Configuration for Internet Access from Different VL

This is initial ASA5510 config. Pls. refer this link: http://ezinearticles.com/?Basic-Configuration-Tutorial-For-the-Cisco-ASA-5510-Firewall&id=1888320

You may not need the dhcpd config. You can skip that part in the above link.

Also, read Shyam's response in this thread: https://supportforums.cisco.com/message/859236#859236

You mentioned you need this done ASAP, you may want to open a TAC case if you run into issues while configuring or the configuration does not work as expected.

If you need to see samples on Cisco.com here is the link: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html

We have samples for many scenarios.

-KS
