Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: VLAN segmenting using ASA 5510

VLAN segmenting using ASA 5510 7 years 1 week ago #32810

  • bowedup1
  • bowedup1's Avatar
  • Offline
  • New Member
  • Posts: 1
  • Karma: 0
I would like to use ASA 5510 device to control traffic between VLANs hosted on a Cisco 3560G layer 3 switch/router. I am attempting to achieve as near to real-world look/feel as possible to use as a traffic generator simulating internet on system attached to eth0/2. The interfaces are/should be setup as follows:

eth0/0 - outside (to hosting enclave...N/A for now)
eth0/1 - management (10.0.0.0 255.255.252.0)
eth0/2 - world (simulated www...fabricated routable addresses. Systems attached to this interface use BGP)
eth0/3 - PBX network (N/A for now)

Switch/router VLAN config:
management - VLAN12
world - VLAN 11
PBX - VLAN 13

I have past experience w/PIX series firewalls but has been AWHILE. I'm finding it a little more difficult to knock the rust off than I expected. My first inclination was to setup DOT1Q trunks switch to firewall with respect to the proper port/vlan assignment, but I thought I would run it by the pros first. Any help would be greatly appreciated. My configs are as follows:

ASA5510:
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.2.1.113 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.252.0
!
interface Ethernet0/2
nameif world
security-level 0
ip address 200.200.10.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit ip any any
access-list world_access_in extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu world 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (world) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (world) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group world_access_in in interface world
!
router ospf 1
router-id 10.0.0.1
network 10.0.0.0 255.255.252.0 area 0
network 10.0.10.0 255.255.255.0 area 0
area 0
log-adj-changes detail
redistribute connected
default-information originate always metric 1
!
route outside 0.0.0.0 0.0.0.0 10.2.1.5 1
route world 0.0.0.0 0.0.0.0 200.200.200.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 world
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.0.1.9 source inside
webvpn
username cisco password EbZvi/j/IsoT4NYR encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:54098798ca8e1907bd420927f554f807
: end

Catalyst 3560G:

Current configuration : 3605 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Master
!
enable secret 5 $1$rJoR$YDBAItU5Z734lBlgMTWbg/
enable password etvenable
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
no ip dhcp conflict logging
!
!
!
!
dot1x credentials extension
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/13
switchport trunk encapsulation dot1q
switchport trunk native vlan 19
switchport mode trunk
!
interface GigabitEthernet0/14
switchport trunk encapsulation dot1q
switchport trunk native vlan 19
switchport mode trunk
!
interface GigabitEthernet0/15
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/19
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/20
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/21
switchport access vlan 12
switchport mode access
!
interface GigabitEthernet0/22
switchport access vlan 13
switchport mode access
!
interface GigabitEthernet0/23
switchport access vlan 13
switchport mode access
!
interface GigabitEthernet0/24
switchport access vlan 13
switchport mode access
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
!
interface Vlan11
ip address 200.200.10.1 255.255.255.0
!
interface Vlan12
ip address 10.0.1.2 255.255.252.0
!
interface Vlan13
no ip address
!
interface Vlan19
ip address 10.0.10.1 255.255.255.0
!
router ospf 1
router-id 10.0.10.1
log-adjacency-changes
redistribute connected
network 10.0.0.0 0.0.3.255 area 0
network 10.0.10.0 0.0.0.255 area 0
!
router bgp 400
no synchronization
bgp log-neighbor-changes
neighbor 10.0.10.4 remote-as 400
neighbor 10.0.10.4 route-reflector-client
neighbor 10.0.10.7 remote-as 400
neighbor 10.0.10.7 route-reflector-client
neighbor 200.200.10.11 remote-as 300
neighbor 200.200.10.15 remote-as 100
neighbor 200.200.10.16 remote-as 200
auto-summary
!
no ip classless
ip http server
!
!
tftp-server 10.0.1.18
!
control-plane
!
!
line con 0
line vty 0 4
password etvvty
login
length 0
line vty 5 15
password etvvty
login
!
end
The administrator has disabled public write access.
Time to create page: 0.095 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup