multi company network

f_westerlund
Level 1

Hi!

I'm asked to set up a multi-company network. There will be approximately 4-8 small companies with around 8-15 people in each company.

These companies will share some resources such as printers and probably a NAS. Furthermore, they will each have their own WLAN SSID, trunked from E0/7 to the AP.

Thinking about using an ASA 5505 with the Security Plus license. The AP will be this one: AIR-SAP1602I-E-K9. For now, to allow more ports for users, I will just hook up small simple switches to each Ethernet port on the ASA. When there is no more room I will buy a VLAN-capable switch.

One VLAN per company:

company1 Vlan10 192.168.10.0/24
company2 Vlan20 192.168.20.0/24
company3 Vlan30 192.168.30.0/24
company4 Vlan40 192.168.40.0/24

Shared Vlan100 192.168.100.0/24, printer IP 192.168.100.10

The companies should be separated from each other and only able to access the internet and the printer VLAN. I got a public IP block with a .248 subnet mask, giving me 6 addresses.

Company1 needs to have 1 private IP. They also need to be given the ability to access their desktop PCs from home. The other companies could share the same public IP.

Company2 will host a web server, so it also needs a public IP accessible from outside.

Setting up the VLANs and interfaces is no problem. The problems for me start when creating the NAT rules. I guess I will not use same-security-traffic permit inter-interface and will use ACLs instead.

How should you manage the traffic flow?

Br

Fredrik


3 Replies

Marvin Rhoads
Hall of Fame

You're on the right track.

One VLAN per company, each assigned to an interface, no same-security-traffic. Make them all security level 100. Make the printer VLAN 90.

Create a remote access VPN for company 1 with split tunnel and only give them route to their assigned network. Make the nat rule for them as nat(company1,outside) with dynamic translation to the outside interface. Make separate nat rules for the other companies as well with dynamic translation to one of your other public IPs. Make one specific port forwarding NAT rule for the company 2 webserver.

Thanks,

Could you please assist me with the CLI syntax to do NAT from company1 to the shared printer LAN? I got all this goofed up ;)

nat (company1,shared) after-auto source static < got lost >

/Fredrik

Actually no NAT is required between the various company subnets and the shared printer subnet. They simply use the ASA interfaces assigned to them as their default gateway.

The ASA sees all the networks as connected and by default will allow connections to establish to a lower security level interface. NAT is not necessary and the addresses can remain in their "real" form.
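The design Marvin describes in the accepted answer (one VLAN per company at security level 100, the printer VLAN at 90, per-company dynamic NAT to the outside, a single port forward for the company2 web server, and a split-tunnel VPN for company1), together with the follow-up point that no NAT is needed toward the shared printer subnet, written out as an ASA configuration. This is an added example, not configuration from the thread or from Cisco. It assumes ASA software 8.3 or later (object NAT and twice NAT syntax), an ASA 5505 with the Security Plus license so that E0/7 can be a trunk, placeholder public addresses from the documentation range 203.0.113.0/29, and an assumed Ethernet port assignment, web server address, VPN address pool and object names; only company1 and company2 are shown, the other companies follow the company2 pattern.

```cisco
! Added example (not from the thread). ASA 8.3+ NAT syntax.
! Public addresses are placeholders from 203.0.113.0/29; port map,
! object names, web server host and VPN pool are assumptions.

! --- One VLAN per company at security-level 100, shared printer VLAN at 90.
! With no "same-security-traffic permit inter-interface" the companies cannot
! reach each other, while a level-100 interface may initiate to the level-90
! one. No NAT is needed between these directly connected subnets.
interface Vlan10
 nameif company1
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 nameif company2
 security-level 100
 ip address 192.168.20.1 255.255.255.0
interface Vlan100
 nameif shared
 security-level 90
 ip address 192.168.100.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248

! Assumed port map: E0/0 outside, E0/1 company1, E0/2 company2, E0/3 shared,
! E0/7 a trunk carrying the company VLANs to the AP (Security Plus license).
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 10
interface Ethernet0/2
 switchport access vlan 20
interface Ethernet0/3
 switchport access vlan 100
interface Ethernet0/7
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100

! --- Internet access: company1 PATs to the outside interface address,
! company2 PATs to its own public address (a single host address in a
! dynamic rule means PAT on that address).
object network company1-lan
 subnet 192.168.10.0 255.255.255.0
 nat (company1,outside) dynamic interface
object network company2-lan
 subnet 192.168.20.0 255.255.255.0
 nat (company2,outside) dynamic 203.0.113.3

! --- Company2 web server: static port forward of TCP/80 only, plus an
! outside ACL that admits just that service (ACLs use the real IP in 8.3+).
object network company2-web
 host 192.168.20.10
 nat (company2,outside) static 203.0.113.4 service tcp www www
access-list outside_in extended permit tcp any object company2-web eq www
access-group outside_in in interface outside

! --- Company1 remote access: split tunnel limited to 192.168.10.0/24, and a
! NAT exemption so LAN <-> VPN-pool traffic is not PATed to the outside.
! (tunnel-group, IKE/SSL settings and user authentication are left out.)
ip local pool company1-pool 192.168.200.10-192.168.200.50 mask 255.255.255.0
object network company1-vpn-pool
 subnet 192.168.200.0 255.255.255.0
access-list company1-split standard permit 192.168.10.0 255.255.255.0
group-policy company1-gp internal
group-policy company1-gp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value company1-split
nat (company1,outside) source static company1-lan company1-lan destination static company1-vpn-pool company1-vpn-pool no-proxy-arp route-lookup
```

Two things worth checking once this is in place. First, the isolation between companies comes purely from the equal security levels and the absence of same-security-traffic permit inter-interface; a command such as packet-tracer input company1 tcp 192.168.10.50 12345 192.168.20.50 80 should report the flow dropped, while the same trace toward 192.168.100.10 on the shared interface should be allowed with no NAT phase, which is the behaviour Marvin describes in his second reply. Second, the port forward exposes only TCP/80 of one host, and the outside ACL mirrors that; if the web server later needs HTTPS, both the object NAT line and the ACL entry need a second service entry rather than a broader static translation.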
