03-01-2012 04:48 AM - edited 03-04-2019 03:29 PM
Hi,
I asked many questions about this topic, but I haven't gotten the answers I need to move forward. With the 5505 I want to connect two sets of users to the Internet, but I want to keep the two sets of users separate. I need to upgrade the license to 50 users from the basic license, which I'm going to do. Will I be able to create one VLAN (INSIDE) and allow them to go to the Internet through the OUTSIDE (VLAN) interface and at the same time allow another VLAN (DMZ) to go to the Internet through the OUTSIDE interface? Then assign these VLANs, INSIDE and DMZ, to the switchports that 1260 autonomous APs connect to? And then create two SSIDs, one on each AP?
I've attached a diagram.
Thanks, Pat
03-01-2012 05:16 AM
If you're wanting to assign different subnets to the users who connect via wireless, you're going to need a security license for the ASA which almost doubles the cost of a 5505. On the security image, you can create multiple vlans and map subnets to those. The original request of single vlan, dmz, and outside can be done with the base license. If you're planning on putting wireless users in vlan 1 along with your wired users, then yes, you can do what you want with a standard base license.
03-01-2012 09:43 AM
What I want to do is put employees on one VLAN, wired and wireless. Then make another VLAN, or use the DMZ VLAN, that would be wireless only, and put visitors or vendors on that VLAN.
Thanks, Pat
03-02-2012 04:46 AM
Someone posted this in a different discussion, but I need some clarity.
"If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance."
Does this mean I can create 3 VLANs, but the DMZ VLAN will only be able to communicate with the OUTSIDE VLAN?
As you said earlier, without the Security license I can't create different subnets, but if the Inside will not be able to communicate with the DMZ, I should be fine. I want to keep the two separate. I just need to make sure the Inside and the DMZ will be able to go to the Internet.
Thanks, Pat
03-02-2012 05:00 AM
Hi
Yes, that is correct.
If you have 3 VLANs:
Inside
Outside
DMZ
you cannot have contact between all three interfaces, so you will have to choose:
Either Inside-Outside and Inside-DMZ can speak to each other, but then DMZ and Outside cannot speak to each other;
or Outside-Inside and Outside-DMZ can speak, but then DMZ and Inside cannot speak to each other;
or DMZ-Outside and DMZ-Inside can speak, but then Inside and Outside cannot speak to each other.
I do not know why Cisco has chosen this, and I truly think it is deceptive to state that you have a DMZ if it cannot speak to both outside and inside.
I have had customers who bought the 5505 and thought they could use a DMZ, but it is not one, since it cannot speak to the inside. They were not happy when I had to explain that that was not possible. I do understand that it is a "definition thing", i.e. what defines a DMZ. But alas, this is one thing that I am sorry to say I think Cisco has handled in a poor manner. Cisco would have lost nothing by letting the DMZ be a true DMZ that can be used for both inside and outside use.
Good luck
HTH
03-02-2012 05:22 AM
Thanks for the response Hobbe,
Sorry, but I'm still a little confused.
So, I can have an OUTSIDE interface, an INSIDE interface and a DMZ interface.
Can I have the INSIDE speak with the OUTSIDE and the DMZ speak with the OUTSIDE at the same time? (I'm not concerned about the DMZ speaking to the INSIDE.)
If this is possible, will I be able to configure DHCP to hand out addresses for the DMZ and INSIDE even though they will be in the same subnet?
And, will I be able to change the security of the DMZ to 100 - like the INSIDE?
Thanks, Pat.
03-02-2012 07:16 AM
Can I have the INSIDE speak with the OUTSIDE and the DMZ speak with the OUTSIDE at the same time? (I'm not concerned about the DMZ speaking to the INSIDE.)
This is correct. Like hobbe said, you can't have a fully routable dmz though (dmz -> outside and dmz -> inside).
I don't know if you can set up the same security level on the DMZ as the inside interface, but there's really no reason to. The security levels in PIX/ASAs are able to talk from higher to lower with no restriction, but not the other way around. Your inside would be protected from the outside interface (0 -> 100) and your dmz interface would be protected from your outside (0 -> 50). Your inside would also be protected from your dmz (50 -> 100). In order for the lower levels to speak to upper levels, you'll need ACLs on those interfaces to allow the traffic in.
As far as assigning different subnets, that shouldn't be a problem.
You'd assign a different dhcp pool to your nameif:
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd address 192.168.2.100-192.168.2.150 dmz
I don't think you're going to be able to use the same subnet on both interfaces though; I've never tried that.
John
03-02-2012 07:23 AM
Thanks John
I would rather they be different subnets, but I thought I needed the security image to create different subnets? If not, that is good news!
The INSIDE is protected with 100 and the DMZ is protected with 50. Is the DMZ somehow less protected from the OUTSIDE, and how?
Thanks, Pat.
03-02-2012 08:36 AM
Hi Patrick
Thanks for the rating.
The 100, 50 and 0 are a totally different thing than we have discussed before.
They have to do with how the firewall handles traffic.
You can see it like this:
100 is the highest number.
0 is the lowest number.
To go from an interface with a high number to a lower number you will do a nat.
To go from an interface with a lower number to a higher number you will do a static.
To go from an interface to an interface with an equal number was in the beginning not possible; you simply could not get traffic between the interfaces, but that has changed and is now possible.
So the numbers are not a number on how secure something is; it is just a way to handle traffic through the firewall.
If you open a static from the Internet to the dmz or the inside interface, they are both as insecure or as secure.
There is no difference in the commands.
The same if you want to open traffic from the inside to the outside or from the dmz to the outside.
Same commands.
However, the difference comes when you want to open something from the dmz to the inside.
That would require you to do the same configuration as you would from the outside.
But from the inside towards the dmz you would use the same configuration as you would towards the outside.
So all in all it is just a way to handle traffic; if the dmz is 50 or 99 or 1 there is no difference from a security standpoint in how it is handled towards the other two interfaces (outside and inside).
Good luck
HTH
03-02-2012 09:21 AM
The DMZ is not 'less protected', but it's your middle man between the inside and outside zones. So, in theory, it would be:
0 - less protected
50 - more protected
100 - highest protection
As for what Hobbe said, there isn't a difference if you set your security level on the outside to 10, dmz to 20, and inside to 30, the ASA uses the least number as the less protected and the highest number as the most protected. It's just common practice to have the inside zone as 100 and outside as 0.
As far as different subnets, I think you can assign a different subnet to a dmz, but you can't create more than 3 VLANs. Here's a link for that.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1051819
You set up the security level under your vlan interface: int vlan 50 / security-level 50 / ip address x.x.x.x x.x.x.x
That would then be associated to your dhcpd pool. From the link above I copied this:
With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN.
The DMZ vlan would then only be able to talk to the outside vlan (I believe vlan 2 by default) meaning internet access only and nothing to the inside.
The link above will tell you everything you need to know about the base license. Thanks for the ratings!
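The following is an added example configuration, written for this thread and not taken from any of the posts above or from Cisco's documentation. It ties together what Hobbe and John describe for a Base-license 5505: three VLAN interfaces, the `no forward interface` command entered before `nameif` on the third interface so the DMZ can initiate traffic only toward the outside, one subnet and DHCP pool per interface, and interface PAT so both subnets reach the Internet. The VLAN numbers, addresses and switchport assignments are assumptions, and the NAT is written in the pre-8.3 `nat`/`global` form that matches the ASA 7.2 guide linked above (8.3 and later use object NAT instead).

```text
! --- Added example, not from the thread: Base-license 5505 with inside, outside and a DMZ that can only reach the outside ---
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Third VLAN: Base license allows it to initiate traffic to only one other VLAN.
! "no forward interface" must come BEFORE "nameif" or the nameif command is rejected.
! Blocking Vlan1 (inside) leaves the outside as the one VLAN the DMZ can reach.
interface Vlan3
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Switchports (assumed layout): uplink to the ISP, employee AP/wired, visitor AP
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Ethernet0/2
 switchport access vlan 3
!
! Separate DHCP pools per nameif; each interface hands out its own subnet
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd enable inside
dhcpd address 192.168.2.100-192.168.2.150 dmz
dhcpd enable dmz
!
! Pre-8.3 NAT: both RFC1918 subnets PAT to the outside interface address
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
```

After applying this, `show running-config interface Vlan3` should show the `no forward interface Vlan1` line. With security-level 50 on the DMZ and 100 on the inside, DMZ hosts cannot open connections to the inside subnet even without the license restriction (lower-to-higher traffic needs an explicit ACL), so the visitor VLAN stays separated from employees in both directions that matter here, while both subnets reach the Internet through the outside interface.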