This article describes the configuration of an interesting network scenario that is applicable in many real world situations, mainly in small to medium networks.
We have three different internal LAN networks which host user computers and other IT infrastructure (servers, network printers, etc.). We want to separate the three internal LANs using an ASA firewall (either ASA5500 or the newer ASA5500-X models will work fine). The three internal LANs will be connected to the same switch and separated at Layer 2 with three VLANs on the switch.
The ASA firewall will provide internet access to all internal LANs. The ASA will also act as DHCP server for each internal LAN, assigning the required IP addresses for each LAN subnet using a different DHCP scope for each one.
We will use a single physical interface of the ASA to accommodate the three internal network security zones (“inside1”, “inside2”, “inside3”). Thus, we need to configure sub-interfaces on a physical interface of the ASA, which will be connected to a trunk port of the internal switch. Each sub-interface of the ASA will act as the default gateway for its corresponding internal LAN subnet.
Regarding the switch configuration, we need to have one Dot1Q trunk port connected to the ASA and also we need to configure “access ports” belonging to the appropriate VLAN for the internal hosts. Let’s see the network diagram of our topology:
From the network diagram above:
- Interface GE1 of the ASA (“outside” zone with IP address 100.1.1.1) will be connected to the ISP.
- Interface GE0 of the ASA will be connected to a trunk port of the switch (port E0/0). This physical interface of the ASA will be split into three sub-interfaces, each one belonging to a different security zone and VLAN:
  - Subinterface GE0.1: VLAN10, IP address 10.1.1.254, zone name “inside1”
  - Subinterface GE0.2: VLAN20, IP address 10.2.2.254, zone name “inside2”
  - Subinterface GE0.3: VLAN30, IP address 10.3.3.254, zone name “inside3”
- Interfaces E0/1, E0/2, E0/3 of the switch will be configured as “access ports” belonging to VLANs 10, 20, 30 respectively.
- Hosts in VLAN10 will be assigned IP addresses from the ASA using a DHCP scope (10.1.1.0/24) enabled on the “inside1” interface.
- Hosts in VLAN20 will be assigned IP addresses from the ASA using a DHCP scope (10.2.2.0/24) enabled on the “inside2” interface.
- Hosts in VLAN30 will be assigned IP addresses from the ASA using a DHCP scope (10.3.3.0/24) enabled on the “inside3” interface.
- All internal LANs will have internet access via the ASA using NAT overload (PAT) to the address of the ASA outside interface.
Please note the following:
- There is no communication between the three internal LANs (only internet access is allowed).
- For the ASA5505 you will need the Security Plus license for the above scenario to work.
Let’s now see the configurations of both the ASA and the internal switch (only the important commands are shown).
Cisco ASA as DHCP server – configuration
! This is the physical interface which we'll split into 3 sub-interfaces (connected to trunk port of switch)
interface GigabitEthernet0
 no nameif
 no security-level
 no ip address
!
! This is sub-interface GE0.1 for vlan10
interface GigabitEthernet0.1
 vlan 10
 nameif inside1
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
! This is sub-interface GE0.2 for vlan20
interface GigabitEthernet0.2
 vlan 20
 nameif inside2
 security-level 90
 ip address 10.2.2.254 255.255.255.0
!
! This is sub-interface GE0.3 for vlan30
interface GigabitEthernet0.3
 vlan 30
 nameif inside3
 security-level 80
 ip address 10.3.3.254 255.255.255.0
!
! This is the WAN interface connected to ISP
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0
!
! Configure network objects for the three internal LANs
object network inside1_LAN
 subnet 10.1.1.0 255.255.255.0
!
object network inside2_LAN
 subnet 10.2.2.0 255.255.255.0
!
object network inside3_LAN
 subnet 10.3.3.0 255.255.255.0
!
! This ACL is useful to allow ICMP traffic for testing purposes
access-list OUT extended permit icmp any any
!
! Configure NAT overload for the three internal LANs using the outside interface. This allows internet access.
object network inside1_LAN
 nat (inside1,outside) dynamic interface
object network inside2_LAN
 nat (inside2,outside) dynamic interface
object network inside3_LAN
 nat (inside3,outside) dynamic interface
!
access-group OUT in interface outside
route outside 0.0.0.0 0.0.0.0 100.1.1.2
!
! Create 3 different DHCP scopes to assign IP addresses to internal LANs
! DHCP scope for hosts in VLAN10 - "inside1"
dhcpd address 10.1.1.1-10.1.1.100 inside1
dhcpd enable inside1
!
! DHCP scope for hosts in VLAN20 - "inside2"
dhcpd address 10.2.2.1-10.2.2.100 inside2
dhcpd enable inside2
!
! DHCP scope for hosts in VLAN30 - "inside3"
dhcpd address 10.3.3.1-10.3.3.100 inside3
dhcpd enable inside3
!
! Assign DNS server for internal hosts
dhcpd dns 200.1.1.1
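The requirement above is that the three LANs must not talk to each other, but the ASA permits traffic by default from a higher security level interface to a lower one when no ACL is applied inbound (inside1 at level 100 can reach inside2 at 90 and inside3 at 80, and inside2 can reach inside3). The ACLs below are an added example, not part of the article's configuration, that enforce the isolation explicitly on each sub-interface; the ACL names INSIDE1_IN, INSIDE2_IN, INSIDE3_IN are my own choice, the network objects are the ones defined above, and the packet-tracer checks use constructed host addresses.

```text
! Added example (not from the article): enforce "no communication between LANs".
! Without an inbound ACL the ASA allows higher -> lower security level traffic,
! so explicit deny entries are needed between the three internal subnets.
!
! inside1 (security-level 100) must not reach inside2 or inside3
access-list INSIDE1_IN extended deny ip object inside1_LAN object inside2_LAN
access-list INSIDE1_IN extended deny ip object inside1_LAN object inside3_LAN
access-list INSIDE1_IN extended permit ip object inside1_LAN any
!
! inside2 (security-level 90) must not reach inside1 or inside3
access-list INSIDE2_IN extended deny ip object inside2_LAN object inside1_LAN
access-list INSIDE2_IN extended deny ip object inside2_LAN object inside3_LAN
access-list INSIDE2_IN extended permit ip object inside2_LAN any
!
! inside3 (security-level 80) must not reach inside1 or inside2
access-list INSIDE3_IN extended deny ip object inside3_LAN object inside1_LAN
access-list INSIDE3_IN extended deny ip object inside3_LAN object inside2_LAN
access-list INSIDE3_IN extended permit ip object inside3_LAN any
!
! Apply each ACL inbound on its own sub-interface. The implicit deny at the end
! of every list also drops packets not sourced from that LAN's own subnet.
access-group INSIDE1_IN in interface inside1
access-group INSIDE2_IN in interface inside2
access-group INSIDE3_IN in interface inside3
!
! Verification with constructed host addresses 10.1.1.10 and 10.2.2.10:
! the first trace should end in DROP on INSIDE1_IN, the second should be
! ALLOW and show the PAT translation to the outside interface address.
packet-tracer input inside1 icmp 10.1.1.10 8 0 10.2.2.10
packet-tracer input inside1 icmp 10.1.1.10 8 0 200.1.1.1
show access-list INSIDE1_IN
```

The DHCP exchange between hosts and the ASA is to-the-box traffic and is not evaluated by these interface ACLs, so the three DHCP scopes keep working unchanged.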
Cisco SWITCH – Configuration
! This is the trunk port connected to interface GE0 of ASA
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
! Access port for VLAN10
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 duplex auto
!
! Access port for VLAN20
interface Ethernet0/2
 switchport access vlan 20
 switchport mode access
 duplex auto
!
! Access port for VLAN30
interface Ethernet0/3
 switchport access vlan 30
 switchport mode access
 duplex auto
!
In this article we presented a straightforward configuration to support multiple LANs on a Cisco ASA acting as DHCP server, while keeping the traffic of the LANs separated.
Learn more with the Cisco ASA Firewall Fundamentals 3rd Edition by Harris Andrea.