I have an ASA 5505 with a base license currently running in my office. It serves as the firewall and router for my guest wireless network that has a dedicated internet connection that does not touch the corporate lan. Currently there is an Inside interface for the wireless clients and an outside interface for the internet. The inside interface has a security level of 100 and the outside has a security level of 0. I am running NAT so that the inside clients can get to the outside internet.
Currently when i want to manage the device i have to physically plug into in on console in the server room which is inconvinient. What i would like to do is have a third vlan for managment that will be connected to my Corporate LAN. I do not want the Inside network tobe able to talk to or see the management network. The inside network should only be able to get to the outside network. The management vlan at the very least should allow me to manage the device as long as i am on that vlan on the corporate network. It might be useful (for troubleshooting and mananagement of my network) for the management interface to also be able to travers the NAT and get to the internet.
Yes you should be able to do this. In fact with the Base license the third vlan you create can only talk to one other vlan so this restriction may work in your favour. That said, if you assign the same security level to the management interface then the inside and management interfaces will not be allowed to communicate anyway as long as you do not have this command in your config - "same-security-traffic permit inter-interface.
And you could always use acls as a further safeguard.
So the steps would be -
1) run a new connection from ASA back to your corporate LAN switch. I'm assuming the current inside connection does not connect directly to your core switch. If it does you could make that link a trunk link but it might be better to have physical separation. Depends on how easy it is to run a separate connection or whether the existing one is already connected to the right switch.
2) allocate port on switch into existing vlan or create new one
3) allocate port on ASA into that vlan
4) create vlan interface on ASA for that vlan and assign IP
5) if you want internet access you need to tell your ASA which other vlan you want your management interface to be able to communicate with (because you have the Base license) This would be the outside interface vlan.
6) If you want to connect to the management vlan from a remote subnet internally add routes to the ASA pointing to the next hop IP which would be an IP on your core switch (assuming it is doing inter vlan routing) from the same subnet.
7) add NAT rules for internet access for the management vlan
8) as i say the management and inside vlans should not be able to communicate with each other due to the license but you can also use the same security level and/or use acls on the interfaces to restrict traffic between the vlans.
Attached is a link to configuring the vlan setup and how to tell the ASA which other vlan your management vlan can communicate with -
You mention that you have a Base License ASA. This means that you can only configure 3 Vlans of which 1 Vlan is a restricted DMZ. What this means is that when you configure the 3rd Vlan you will have to limit any connectivity towards one of the other two existing Vlans.
Considering the above you could perhaps do this
Create the new Vlan interface with the command "interface Vlanxx"
Exit the new interfaces configuration mode and go under your existing "inside" Vlan interface
Enter the command "no forward interface vlanxx"
Go back under the new interface Vlanxx configuration mode and configure the "nameif" , "security-level" and "ip address" configurations to it.
Configure any management related configurations and NAT configurations you might need
The Base License ASA5505 is a bit tricky to change if you had existing configuration with 3 Vlan interfaces. Moving the "no forward interface Vlanxx" command is a totally different thing. It would involved removing complete interface configurations and creating them again.
But to my understanding you should be fine following the above instructions if you currently only have 2 Vlan interfaces configured.
Since you would now have the "no forward interface Vlanxx" configured under the "inside" Vlan interface it would mean that they could NOT connect towards the new Vlanxx (connected to your Corporate LAN) in any way. You would not need any additional configurations and no other command could allow the traffic to flow in that direction. You would however be able to connect towards the "inside" Vlan from your new Vlanxx if you wished and provided that the other configurations allowed it.
For any more specific help would really need to know more about the current network setup and the ASA configurations and software level.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...