Cisco Firewall VPN “Hair Pinning” Note: Cisco refer to this as a “Spoke to Spoke VPN”

KB ID 0000040

Problem

You have multiple sites protected by Cisco Firewalls, you establish a remote connection VPN to one of your sites, but cannot get to the others.

Solution

Normally your remote workers will establish a VPN, with a VPN client (though this principle will also work for remote users with a hardware firewall). In this example we will stick with a remote client using VPN Client software (either using an IPSEC version 3 (or above) VPN client, or the AnyConnect VPN Client).

In this example a remote VPN client (10.0.99.1) connects to the main site (10.0.0.0), this site has an existing site to site VPN to a remote site (10.0.3.0).

In normal operation the client can talk to the “File Server” (10.0.0.1) on the main site, BUT it cannot contact the “Web Server” (10.0.3.1) on the secondary site. To do that we need to employ “VPN Hair Pinning.”

With a Hair Pinned VPN the original remote VPN will still work, but we can also send traffic to, and receive traffic from, the remote site over the same VPN.

Prerequisites

1. All firewalls must be Cisco ASA or PIX 500 Version 7 or above (sorry no PIX 501’s or 506E’s).

2. The sites in question must already be connected by a site to site VPN.

Cisco ASA 5500 Site to Site VPN (From CLI)

3. There must be an existing working Remote VPN (Client to Gateway) VPN to the main Site.

Cisco ASA 5500 AnyConnect Setup From Command Line

Start On the Firewall at the MAIN SITE

Step 1: Add the Subnet of the Remote Site to the “Split Tunnel” for the remote VPN

Note: This obviously assumes you are using split tunneling; if not, skip to step 2. If you don’t know, then ask yourself this: “when I connect with the VPN client from home, can I browse the Internet at the same time on my remote PC?” If the answer is yes then you probably are using split tunneling.

To find out, issue the following command;

[box]

MainSite# show run group-policy
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
wins-server none
dns-server value 10.0.0.10 10.0.0.11
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
MainSite#

[/box]

That tells us that split tunneling is enabled, and it’s using an access list called “SPLIT-TUNNEL”. It’s almost like I set these things up neatly 🙂 Now you know what the access-list is called, issue the following command;

[box]

MainSite# show run access-list SPLIT-TUNNEL
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
MainSite#

[/box]

So now we can add the remote site’s network to the existing SPLIT-TUNNEL ACL;

[box]

MainSite# configure terminal
MainSite(config)# access-list SPLIT-TUNNEL line 2 standard permit 10.0.3.0 255.255.255.0

[/box]

Step 2: Turn On Hair Pinning

Issue the following command;

[box]

MainSite(config)# same-security-traffic permit intra-interface

[/box]

Step 3: Add the “Remote VPN Network” to the EXISTING site to site VPN on the Main Site.

To do this you need to add the “Pool” used for remote VPN access to the ACL that defines the interesting traffic for the site to site VPN. Issue the following command (if you have a lot of VPNs, look for the one whose peer is the IP address of the ASA at the remote site, 123.123.123.123 in the example below).

[box]

MainSite(config)# show run crypto map
crypto map outside_map 19 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 19 set pfs
crypto map outside_map 19 set peer 123.123.123.123
crypto map outside_map 19 set transform-set ESP-3DES-SHA

[/box]

This tells us that the access-list it’s using is called VPN-INTERESTING-TRAFFIC (again, I tend to give things descriptive names; yours may look more like outside_1_cryptomap or something similar). Let’s see what that’s doing; issue the following command;

[box]

MainSite(config)# show run access-list VPN-INTERESTING-TRAFFIC
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite

[/box]

So to add our remote VPN Pool do the following:

[box]

MainSite(config)# object network OBJ-REMOTE-VPN_CLIENTS
MainSite(config-network-object)# subnet 10.0.99.0 255.255.255.0
MainSite(config-network-object)# exit
MainSite(config)# access-list VPN-INTERESTING-TRAFFIC line 2 permit ip object OBJ-REMOTE-VPN_CLIENTS object OBJ-RemoteSite

[/box]

Step 4: Add a NAT Exemption on the Main Site ASA.

Note: If your ASA is running an OS of 8.3 or newer you will need to perform the following additional step (if your ASA is older than 8.3 then NAT is handled differently and you can skip to Step 5). Confusion Notice: Cisco documentation is misleading on this matter; it says you don’t have to do a NAT exemption, and that’s true if you are not already performing NAT/PAT. However, most people are! So you will need to add the following NAT exemption!

Why? After version 8.3 the ASA changed the way it handles NAT; because of this, if the main site is running an OS NEWER than 8.3, you need to add a NAT exemption. This will apply to traffic going from the remote VPN pool to the remote site’s subnet. We can reuse the OBJ-REMOTE-VPN_CLIENTS object (we created above) to do this. Also (above) we found out the subnet at the remote site is already defined in an object called OBJ-RemoteSite, so I’ll reuse that also.

[box]

MainSite(config)# nat (outside,outside) source static OBJ-REMOTE-VPN_CLIENTS OBJ-REMOTE-VPN_CLIENTS destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup

[/box]

That’s the config on the Main Site ASA Done – Don’t forget to save the config with a “write mem” command!

Step 5: Add a NAT Exemption on the Remote Site ASA

This is a NAT exemption on the existing site to site VPN; it’s basically saying “don’t NAT any traffic from my network going to the remote VPN subnet.” How that’s done will differ depending on the age of the firewall, e.g.

[box]

On a firewall Running Version 8.3 or Newer

RemoteSite# show run nat
nat (inside,outside) source static OBJ-RemoteSite OBJ-RemoteSite destination static OBJ-MainSite OBJ-MainSite
!
object network OBJ-ANY-INTERNAL
nat (inside,outside) dynamic interface

On a firewall earlier than version 8.3

RemoteSite# show run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

[/box]

NEWER than 8.3: We need to create an object for the remote VPN clients (the object only exists on the main site so far), and add another NAT exemption for those clients.

OLDER than 8.3: For the uninitiated, on older firewalls NAT 0 means DON’T NAT, or ‘NAT exemption’, so this tells us the access-list doing the work is called inside_nat0_outbound; we just add the remote VPN subnet to that access list.

[box]

On a firewall Running Version 8.3 or Newer

RemoteSite# configure terminal
RemoteSite(config)# object network OBJ-REMOTE-VPN_CLIENTS
RemoteSite(config-network-object)# subnet 10.0.99.0 255.255.255.0
RemoteSite(config-network-object)# exit
RemoteSite(config)# nat (inside,outside) source static OBJ-RemoteSite OBJ-RemoteSite destination static OBJ-REMOTE-VPN_CLIENTS OBJ-REMOTE-VPN_CLIENTS

On a firewall earlier than version 8.3

RemoteSite# show run access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0

Then to add the remote VPN Subnet

RemoteSite# configure terminal
RemoteSite(config)# access-list inside_nat0_outbound line 2 permit ip 10.0.3.0 255.255.255.0 10.0.99.0 255.255.255.0

[/box]

Step 6: Add the Remote VPN Pool to the EXISTING Site to Site VPN Access List.

This is the exact mirror of what we did in step 3, so to locate the correct cryptomap, once again issue the following command;

[box]

RemoteSite(config)# show run crypto map
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 234.234.234.234
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000

[/box]

As before, if you have many VPN tunnels, locate the one whose IP address matches the IP at the main site (in this example 234.234.234.234). So we now know that this cryptomap access-list is called outside_1_cryptomap, to see what that’s doing issue the following command:

[box]

RemoteSite(config)# show run access-list outside_1_cryptomap
access-list outside_1_cryptomap extended permit ip 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0

[/box]

So to add our Remote VPN pool simply issue the following command:

[box]

RemoteSite(config)# access-list outside_1_cryptomap line 2 permit ip 10.0.3.0 255.255.255.0 10.0.99.0 255.255.255.0

[/box]

Job done, don’t forget to save the changes with a “write mem” command!
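As an added worked example (not part of the original article), here is a small Python checker that reads a main-site running-config excerpt and confirms that each of steps 1 to 4 is in place: the remote subnet in the split-tunnel ACL, intra-interface traffic permitted, the VPN pool in the crypto ACL that faces the remote peer, and the (outside,outside) identity NAT exemption. The config text and the names check_hairpin, acl_pairs and parse_objects are constructed for this example.

```python
import ipaddress
import re

# Constructed main-site config excerpt modelled on the article's MainSite ASA after
# steps 1-4 (not captured from a real device).
MAIN_SITE_CONFIG = """
object network OBJ-MainSite
 subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
 subnet 10.0.3.0 255.255.255.0
object network OBJ-REMOTE-VPN_CLIENTS
 subnet 10.0.99.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.0.3.0 255.255.255.0
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-REMOTE-VPN_CLIENTS object OBJ-RemoteSite
same-security-traffic permit intra-interface
nat (outside,outside) source static OBJ-REMOTE-VPN_CLIENTS OBJ-REMOTE-VPN_CLIENTS destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
crypto map outside_map 19 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 19 set peer 123.123.123.123
"""

def parse_objects(cfg):
    """Map each 'object network NAME' to its subnet."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            cur = m.group(1)
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and cur:
            objs[cur] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objs

def _net(tokens, objs):
    """Consume one address term from ACL tokens; return (network, remaining tokens)."""
    if tokens[0] == "object":
        return objs[tokens[1]], tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def acl_pairs(cfg, name, objs):
    """(src, dst) networks permitted by ACL 'name'; standard ACLs yield (net, None)."""
    pairs = []
    for line in cfg.splitlines():
        m = re.match(rf"access-list {re.escape(name)} (standard|extended) permit (.*)", line)
        if not m:
            continue
        tokens = m.group(2).split()
        if m.group(1) == "standard":
            pairs.append((_net(tokens, objs)[0], None))
        else:                       # tokens[0] is the protocol (ip/tcp/...)
            src, rest = _net(tokens[1:], objs)
            pairs.append((src, _net(rest, objs)[0]))
    return pairs

def check_hairpin(cfg, peer, pool, remote):
    """Verify steps 1-4 against the main-site config; returns {check: bool}."""
    objs = parse_objects(cfg)
    pool, remote = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    r = {}
    # Step 1: with 'tunnelspecified' the split-tunnel ACL must cover the remote subnet
    m = re.search(r"split-tunnel-network-list value (\S+)", cfg)
    split = acl_pairs(cfg, m.group(1), objs) if m else []
    r["split_tunnel"] = ("tunnelspecified" not in cfg
                         or any(remote.subnet_of(n) for n, _ in split))
    # Step 2: hair-pinning (in and back out of the same interface) enabled
    r["intra_interface"] = "same-security-traffic permit intra-interface" in cfg
    # Step 3: the crypto ACL for this peer must carry pool -> remote
    r["crypto_acl"] = False
    m = re.search(rf"crypto map (\S+) (\d+) set peer {re.escape(peer)}\b", cfg)
    if m:
        acl = re.search(rf"crypto map {m.group(1)} {m.group(2)} match address (\S+)", cfg)
        if acl:
            r["crypto_acl"] = any(pool.subnet_of(s) and remote.subnet_of(d)
                                  for s, d in acl_pairs(cfg, acl.group(1), objs))
    # Step 4 (8.3+): identity twice-NAT for pool -> remote on (outside,outside)
    r["nat_exempt"] = False
    for m in re.finditer(r"nat \(outside,outside\) source static (\S+) (\S+) "
                         r"destination static (\S+) (\S+)", cfg):
        a, b, c, d = (objs.get(x) for x in m.groups())
        if a == b == pool and c == d == remote:
            r["nat_exempt"] = True
    return r
```

Run it against a `show run` capture before and after the change; any False in the result is the step that still needs doing.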

Testing Hair Pinning From the Client

Using the IPSEC VPN Client

When connected, if you open the VPN client software and select Statistics > Route Details, you should see the subnets of both the main site and the remote site listed as ‘Secured Routes’.

Using the AnyConnect VPN Client

When connected, if you open the VPN client software and select Details > Route Details, you should see both the main site and the remote site subnets.

AnyConnect Version 3 and 4

AnyConnect Version 2

Related Articles, References, Credits, or External Links

Original article written 01/07/09 updated 22/05/12, updated 10/07/2019

Cisco ASA Redundant or Backup ISP Links with VPNs

KB ID 0000544

Problem

This method provides failover to a redundant ISP link should your primary network connection go down. IT IS NOT going to load balance the traffic across both interfaces. In this example I’ve also got a VPN to a remote site and some port forwarding to contend with as well.

Where we are at the start.

Where we want to be

 

Solution

Before you go any further the ASA that will have the backup ISP line, needs a Security Plus Licence or it’s not going to work.

Setup Backup ISP Links at the Main Site

1. Log into the firewall and set up the IP address on your backup interface.

[box]

PetesASA>
PetesASA> en
Password: *******
PetesASA#
PetesASA# configure terminal
PetesASA(config)# interface Ethernet0/3
PetesASA(config-if)# nameif backup
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 234.234.234.234 255.255.255.248
PetesASA(config-if)# no shutdown
PetesASA(config-if)# exit
PetesASA(config)#

[/box]

2. In a ‘failed over’ state your traffic needs to be NATted to the backup interface; then set up a new route for the outside interface, and finally one for the backup interface. Note: The new primary route will be “tracked” based on an SLA we will configure in a minute.

[box]

Configure NAT for a firewall running an OS NEWER than 8.3

PetesASA(config)# object network obj_any-01
PetesASA(config-network-object)# subnet 0.0.0.0 0.0.0.0 
PetesASA(config-network-object)# nat (inside,backup) dynamic interface

Configure NAT for a firewall running an OS OLDER than 8.3

PetesASA(config)# global (backup) 1 interface
INFO: backup interface address added to PAT pool

Configure the Routes

PetesASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124 1 track 1
PetesASA(config)# route backup 0.0.0.0 0.0.0.0 234.234.234.235 2

[/box]

3. Now we are going to set up a new SLA that monitors connectivity to an IP address (in this case 4.2.2.2, via ICMP). Then we tie that SLA to “track 1”, which you will remember is what keeps the default route on the primary ISP; if that route fails, the firewall swaps to the backup route.

[box]

PetesASA(config)# sla monitor 100
PetesASA(config-sla-monitor)# type echo protocol ipIcmpEcho 4.2.2.2 interface outside
PetesASA(config-sla-monitor-echo)# num-packets 3
PetesASA(config-sla-monitor-echo)# frequency 10
PetesASA(config-sla-monitor-echo)# sla monitor schedule 100 life forever start-time now
PetesASA(config)# track 1 rtr 100 reachability
PetesASA(config)#

[/box]

4. Any port forwarding being done on the outside interface needs a mirror entry for the backup interface, and will also need matching ACLs. (The static commands below are the pre-8.3 syntax; on 8.3 or newer, port forwards are written as object NAT, like the dynamic rule in step 2.)

[box]

PetesASA(config)# static (inside,backup) tcp interface www 10.0.0.5 www netmask 255.255.255.255
PetesASA(config)# static (inside,backup) tcp interface smtp 10.0.0.3 smtp netmask 255.255.255.255
PetesASA(config)# access-list backup permit tcp any interface backup eq www
PetesASA(config)# access-list backup permit tcp any interface backup eq smtp
PetesASA(config)# access-group backup in interface backup

[/box]

5. Let’s test it: issue a “show route” command, then disconnect your primary ISP, then issue another “show route” command and it should have failed over like so;

[box]

PetesASA(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 123.123.123.124 to network 0.0.0.0

C    234.234.234.0 255.255.255.248 is directly connected, backup
C    123.123.123.0 255.255.255.240 is directly connected, outside
C    10.0.0.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 123.123.123.124, outside
PetesASA(config)#

Now Disconnect the Primary line

PetesASA(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 234.234.234.235 to network 0.0.0.0

C    234.234.234.0 255.255.255.248 is directly connected, backup
C    10.0.0.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [254/0] via 234.234.234.235, backup
PetesASA(config)#

[/box]

6. To enable this firewall to accept the existing VPN on its backup interface, you need to bind the backup interface to that crypto map (issue a “show run crypto” if you’re unsure). Then you need to enable ISAKMP on the backup interface.

[box]

PetesASA(config)# crypto map outside_map interface backup
PetesASA(config)# crypto isakmp enable backup

[/box]

7. Save the changes with a write mem command.

[box]

PetesASA(config)# wr mem
Building configuration...
Cryptochecksum: 91d190ba 2a3eb9c4 244d8c88 0da54e36

10220 bytes copied in 3.740 secs (3406 bytes/sec)
[OK]
PetesASA(config)#

[/box]

Change the ASA at the Remote VPN Site

1. Connect to the firewall at the remote site and find the crypto map that points to the main site (“show run crypto”): find the one whose peer is the IP at the main site, then add the new IP address as an alternate peer address.

[box]

RemoteSite(config)# crypto map outside_map 2 set peer 123.123.123.123 234.234.234.234

[/box]

2. Then create a tunnel group for the new backup address with the same shared secret as the tunnel group for the primary IP.

[box]

RemoteSite(config)# tunnel-group 234.234.234.234 type ipsec-l2l
RemoteSite(config)# tunnel-group 234.234.234.234 ipsec-attributes
RemoteSite(config-tunnel-ipsec)# pre-shared-key 123456789

[/box]

3. Save the changes with a “write mem” command.

[box]

RemoteSite(config-tunnel-ipsec)# write mem
Building configuration...
Cryptochecksum: 7a455ca7 3b637757 cd40aa82 7f3a22d8

7842 bytes copied in 1.530 secs (7842 bytes/sec)
[OK]
RemoteSite(config-tunnel-ipsec)#

[/box]

To test that the VPN fails over, at the remote site issue a “show cry isa” command, then get someone at the primary site to disconnect the primary ISP, wait a few seconds and then re-issue the “show cry isa” command; the peer should have flipped over.

[box]

Failover-FWall# show cry isa
 
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1 IKE Peer: 123.123.123.123
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
 
Now Disconnect the Primary line at the Main site
 
Failover-FWall# show cry isa
 
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1 IKE Peer: 234.234.234.234
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

[/box]
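An added example, not from the original article: a Python check that lints a PetesASA-style config for the failover steps above (a tracked primary default route and a worse-metric backup route, the track-to-SLA linkage, a backup-interface mirror for every static port forward and ACL entry, and the crypto map and ISAKMP bound to backup). The config excerpt and the function name check_failover are constructed for this example; three mirror entries are deliberately omitted so the check has something to report.

```python
import re

# Constructed config excerpt modelled on the article's PetesASA (pre-8.3 NAT syntax),
# not captured from a real device. The smtp port-forward mirror, its backup ACL entry
# and 'crypto isakmp enable backup' are deliberately missing.
FAILOVER_CONFIG = """
route outside 0.0.0.0 0.0.0.0 123.123.123.124 1 track 1
route backup 0.0.0.0 0.0.0.0 234.234.234.235 2
sla monitor 100
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
static (inside,outside) tcp interface www 10.0.0.5 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.0.0.3 smtp netmask 255.255.255.255
static (inside,backup) tcp interface www 10.0.0.5 www netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq smtp
access-list backup permit tcp any interface backup eq www
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto isakmp enable outside
"""

def check_failover(cfg, primary="outside", backup="backup"):
    """Return a list of findings; an empty list means steps 2-6 are all mirrored."""
    findings, lines = [], cfg.splitlines()
    # Step 2: tracked default route on primary; untracked default on backup with a worse metric
    prim = re.search(rf"^route {primary} 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+) track (\d+)$", cfg, re.M)
    back = re.search(rf"^route {backup} 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)$", cfg, re.M)
    if not prim:
        findings.append("primary default route is not tracked")
    if not back:
        findings.append("no default route on the backup interface")
    elif prim and int(back.group(1)) <= int(prim.group(1)):
        findings.append("backup route metric must be worse than the primary's")
    # Step 3: the track object must point at an SLA that is actually scheduled
    if prim:
        t = re.search(rf"^track {prim.group(2)} rtr (\d+) reachability$", cfg, re.M)
        if not t:
            findings.append(f"track {prim.group(2)} has no 'rtr ... reachability' object")
        elif not re.search(rf"^sla monitor schedule {t.group(1)} ", cfg, re.M):
            findings.append(f"sla monitor {t.group(1)} is not scheduled")
    # Step 4: each port forward and its ACL entry on primary needs a mirror on backup
    for ln in lines:
        m = re.match(rf"static \(inside,{primary}\) (.*)$", ln)
        if m and f"static (inside,{backup}) {m.group(1)}" not in lines:
            findings.append(f"no backup mirror for: {ln}")
        m = re.match(rf"access-list \S+ (permit \S+ any) interface {primary} (eq \S+)$", ln)
        if m and not re.search(rf"^access-list \S+ {m.group(1)} interface {backup} {m.group(2)}$",
                               cfg, re.M):
            findings.append(f"no backup ACL entry for: {ln}")
    # Step 6: the site-to-site crypto map must be bound to backup, with ISAKMP enabled there
    if not re.search(rf"^crypto map \S+ interface {backup}$", cfg, re.M):
        findings.append("crypto map is not bound to the backup interface")
    if f"crypto isakmp enable {backup}" not in lines:
        findings.append("ISAKMP is not enabled on the backup interface")
    return findings
```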

Related Articles, References, Credits, or External Links

Original article written 12/12/11

Cisco ASA 5505 Routing Between Two (Internal) VLANS

KB ID 0000869 

Problem

I had to set this up for a client this week. I’ve set up a DMZ on a 5505 before, and I’ve set up other VLANs to do other jobs, e.g. visitor Internet access. But this client needed a secondary VLAN setting up for IP phones, and in addition I needed to route traffic between both of the internal VLANs.

I did an internet search and tried to find some configs I could reverse engineer; the few I found were old (pre version 8.3) ones, and the little info I got was mostly people in forums asking why theirs did not work. So I built a firewall with 8.2 code, worked out how to do it, then upgraded the firewall to version 9.1. Finally I picked out the relevant parts of the upgraded config.

Here’s the scenario I’m going to use for this example.

Solution

Before we start, yes I know the ASA is a firewall, not a router! A better solution would be to have either a router behind the firewall or (as is more common) a switch that is layer 3 capable, i.e. one that can route.

Your ASA MUST have a Security Plus licence to be able to do this. Check your license version.

The commands you use will be different if your firewall is running an operating system earlier than 8.3, check your ASA version and proceed to the correct set of commands.

For Firewalls running an Operating System OLDER than 8.3 go here

How to Setup VLAN Routing on an ASA 5505 (Version 8.3 and Newer)

1. Connect to the firewall, go to enable mode, then go to configure terminal mode.

[box]


User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

2. As in the diagram (above) I have three VLANs: VLAN 2 is outside and will be connected to Ethernet 0/0, VLAN 1 is inside and will be connected to Ethernet 0/1, and VLAN 112 is for my phones and will be connected to Ethernet 0/2. Here I set up the IP addresses and add the VLANs to the physical interfaces.

Note: I don’t need to Add VLAN 1 to Ethernet 0/1, because all ports are in VLAN 1 by default.

[box]

Petes-ASA(config)# interface Ethernet0/0
Petes-ASA(config-if)# switchport access vlan 2
Petes-ASA(config-if)# interface Ethernet0/2
Petes-ASA(config-if)# switchport access vlan 112
Petes-ASA(config-if)# interface Vlan1
Petes-ASA(config-if)# nameif inside
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.12.254 255.255.255.0 
Petes-ASA(config-if)# interface Vlan2
Petes-ASA(config-if)# nameif outside
Petes-ASA(config-if)# security-level 0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.248 
Petes-ASA(config-if)# interface Vlan112
Petes-ASA(config-if)# nameif PHONE_VLAN_112
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.112.254 255.255.255.0

[/box]

3. To get traffic working to the internet you will need to specify a ‘route’ to your outside router.

[box]

Petes-ASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124

[/box]

4. Turn on ‘Hair Pinning’ (the ability to route traffic back out of the same interface it came in through) and allow traffic to pass between interfaces.

[box]

Petes-ASA(config)# same-security-traffic permit inter-interface
Petes-ASA(config)# same-security-traffic permit intra-interface

[/box]

5. Out of the box, if you have not configured any access-lists then you can skip this step, as traffic will flow from a more secure interface (the inside and the phone one) to a less secure interface (the outside one). Here I’m going to use an ACL and allow all traffic anyway.

[box]

Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112 

[/box]

6. Now setup ‘dynamic’ NAT so that all traffic leaving both the inside VLAN and the Phone VLAN network get NATTED to the public IP address.

[box]

Petes-ASA(config)# object network obj_any
Petes-ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
Petes-ASA(config-network-object)# nat (inside,outside) dynamic interface
Petes-ASA(config-network-object)# object network obj_any-01
Petes-ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
Petes-ASA(config-network-object)# nat (PHONE_VLAN_112,outside) dynamic interface

[/box]

7. Now setup ‘static’ NAT so that traffic travelling between the inside VLAN and the phone VLAN does NOT get NATTED.

[box]

Petes-ASA(config)# object network obj-192.168.12.0
Petes-ASA(config-network-object)# subnet 192.168.12.0 255.255.255.0
Petes-ASA(config-network-object)# nat (inside,PHONE_VLAN_112) static 192.168.12.0
Petes-ASA(config-network-object)# object network obj-192.168.112.0
Petes-ASA(config-network-object)# subnet 192.168.112.0 255.255.255.0
Petes-ASA(config-network-object)# nat (PHONE_VLAN_112,inside) static 192.168.112.0

[/box]

8. Enable routing, and set the MTU for all three VLANs.

[box]

Petes-ASA(config)# router eigrp 500
Petes-ASA(config-router)# network 192.168.12.0 255.255.255.0
Petes-ASA(config-router)# network 192.168.112.0 255.255.255.0
Petes-ASA(config-router)# passive-interface outside
Petes-ASA(config-router)# exit
Petes-ASA(config)# mtu inside 1500
Petes-ASA(config)# mtu outside 1500
Petes-ASA(config)# mtu PHONE_VLAN_112 1500

[/box]

9. Save the changes, and give it a test.

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

 

Full Config for you to Copy and Paste;

[box]

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 112
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.12.254 255.255.255.0 
!
interface Vlan2
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.248 
!
interface Vlan112
nameif PHONE_VLAN_112
security-level 100
ip address 192.168.112.254 255.255.255.0 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any 
access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any 
!
object network obj-192.168.12.0
subnet 192.168.12.0 255.255.255.0
nat (inside,PHONE_VLAN_112) static 192.168.12.0
object network obj-192.168.112.0
subnet 192.168.112.0 255.255.255.0
nat (PHONE_VLAN_112,inside) static 192.168.112.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
nat (PHONE_VLAN_112,outside) dynamic interface
!
mtu inside 1500
mtu outside 1500
mtu PHONE_VLAN_112 1500
!
access-group outbound in interface inside
access-group VLAN112_outbound in interface PHONE_VLAN_112
!
router eigrp 500
network 192.168.12.0 255.255.255.0
network 192.168.112.0 255.255.255.0
passive-interface outside
!
route outside 0.0.0.0 0.0.0.0 123.123.123.124

[/box]

 

How to Setup VLAN Routing on an ASA 5505 (Pre Version 8.3)

1. Connect to the firewall, go to enable mode, then go to configure terminal mode.

[box]


User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

2. As in the diagram (above) I have three VLANs: VLAN 2 is outside and will be connected to Ethernet 0/0, VLAN 1 is inside and will be connected to Ethernet 0/1, and VLAN 112 is for my phones and will be connected to Ethernet 0/2. Here I set up the IP addresses and add the VLANs to the physical interfaces.

Note: I don’t need to Add VLAN 1 to Ethernet 0/1 because all ports are in VLAN 1 by default.

[box]

Petes-ASA(config)# interface Ethernet0/0
Petes-ASA(config-if)# switchport access vlan 2
Petes-ASA(config-if)# interface Ethernet0/2
Petes-ASA(config-if)# switchport access vlan 112
Petes-ASA(config-if)# interface Vlan1
Petes-ASA(config-if)# nameif inside
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.12.254 255.255.255.0 
Petes-ASA(config-if)# interface Vlan2
Petes-ASA(config-if)# nameif outside
Petes-ASA(config-if)# security-level 0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.248 
Petes-ASA(config-if)# interface Vlan112
Petes-ASA(config-if)# nameif PHONE_VLAN_112
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.112.254 255.255.255.0

[/box]

3. To get traffic working to the internet you will need to specify a ‘route’ to your outside router.

[box]

Petes-ASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124

[/box]

4. Turn on ‘Hair Pinning’ (the ability to route traffic back out of the same interface it came in through), and allow traffic to pass between interfaces.

[box]

Petes-ASA(config)# same-security-traffic permit inter-interface
Petes-ASA(config)# same-security-traffic permit intra-interface

[/box]

5. Out of the box, if you have not configured any access-lists then you can skip this step, as traffic will flow from a more secure interface (the inside and the phone one) to a less secure interface (the outside one). Here I’m going to use an ACL and allow all traffic anyway.

[box]

Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any 
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112

[/box]

6. Enable NAT so that all traffic leaving both the inside VLAN and the Phone VLAN network get NATTED to the public IP address.

[box]

Petes-ASA(config)# global (outside) 1 interface
Petes-ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Petes-ASA(config)# nat (PHONE_VLAN_112) 1 0.0.0.0 0.0.0.0

[/box]

7. Now setup ‘static’ NAT so that traffic travelling between the inside VLAN and the phone VLAN does NOT get NATTED.

[box]

Petes-ASA(config)# static (inside,PHONE_VLAN_112) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
Petes-ASA(config)# static (PHONE_VLAN_112,inside) 192.168.112.0 192.168.112.0 netmask 255.255.255.0

[/box]

8. Enable routing, and set the MTU for all three VLANs.

[box]

Petes-ASA(config)# router eigrp 500
Petes-ASA(config-router)# network 192.168.12.0 255.255.255.0
Petes-ASA(config-router)# network 192.168.112.0 255.255.255.0
Petes-ASA(config-router)# passive-interface outside
Petes-ASA(config-router)# exit
Petes-ASA(config)# mtu inside 1500
Petes-ASA(config)# mtu outside 1500
Petes-ASA(config)# mtu PHONE_VLAN_112 1500

[/box]

9. Save the changes, and give it a test.

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

 

Full Config for you to Copy and Paste;

[box]

interface Vlan1
nameif inside
security-level 100
ip address 192.168.12.254 255.255.255.0 
!
interface Vlan2
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.248 
!
interface Vlan112
nameif PHONE_VLAN_112
security-level 100
ip address 192.168.112.254 255.255.255.0 
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 112
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any 
access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any 
! 
mtu inside 1500
mtu outside 1500
mtu PHONE_VLAN_112 1500
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (PHONE_VLAN_112) 1 0.0.0.0 0.0.0.0
!
static (inside,PHONE_VLAN_112) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
static (PHONE_VLAN_112,inside) 192.168.112.0 192.168.112.0 netmask 255.255.255.0
!
access-group outbound in interface inside
access-group VLAN112_outbound in interface PHONE_VLAN_112
!
router eigrp 500
network 192.168.12.0 255.255.255.0
network 192.168.112.0 255.255.255.0
passive-interface outside
!
route outside 0.0.0.0 0.0.0.0 123.123.123.124 

[/box]
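As an added example (not the article’s own config), a Python check for the step 7 rule in both the 8.3+ and the pre-8.3 syntax: between the two internal VLANs every static NAT rule must be an identity rule, i.e. the mapped network equals the real one; otherwise hosts on one VLAN are silently translated onto the other VLAN’s subnet. The excerpts and the function name non_identity_static_nat are constructed for this example, and each excerpt contains one deliberately non-identity rule.

```python
import ipaddress
import re

# Constructed excerpt in the 8.3+ object-NAT syntax. The inside->phone rule deliberately
# maps 192.168.12.0 onto 192.168.112.0, which is the mistake the check should flag.
OBJECT_NAT_CONFIG = """
object network obj-192.168.12.0
 subnet 192.168.12.0 255.255.255.0
 nat (inside,PHONE_VLAN_112) static 192.168.112.0
object network obj-192.168.112.0
 subnet 192.168.112.0 255.255.255.0
 nat (PHONE_VLAN_112,inside) static 192.168.112.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
"""

# The same mistake in the pre-8.3 'static' syntax: mapped 192.168.112.0, real 192.168.12.0.
LEGACY_NAT_CONFIG = """
static (inside,PHONE_VLAN_112) 192.168.112.0 192.168.12.0 netmask 255.255.255.0
static (PHONE_VLAN_112,inside) 192.168.112.0 192.168.112.0 netmask 255.255.255.0
"""

def non_identity_static_nat(cfg, internal=("inside", "PHONE_VLAN_112")):
    """Return descriptions of static NAT rules between the internal interfaces whose
    mapped address differs from the real one, i.e. traffic that WOULD be translated."""
    bad, cur_name, cur_subnet = [], None, None
    for line in cfg.splitlines():
        s = line.strip()
        m = re.match(r"object network (\S+)", s)
        if m:
            cur_name, cur_subnet = m.group(1), None
            continue
        m = re.match(r"subnet (\S+) (\S+)", s)
        if m:
            cur_subnet = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        # 8.3+ object NAT: the real address is the enclosing object's subnet
        m = re.match(r"nat \((\S+),(\S+)\) static (\S+)", s)
        if m and cur_subnet is not None:
            real, mapped = str(cur_subnet.network_address), m.group(3)
            if m.group(1) in internal and m.group(2) in internal and mapped != real:
                bad.append(f"{cur_name}: real {real} mapped to {mapped} on {m.group(2)}")
            continue
        # pre-8.3: static (real_ifc,mapped_ifc) MAPPED_IP REAL_IP netmask MASK
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask", s)
        if m and m.group(1) in internal and m.group(2) in internal and m.group(3) != m.group(4):
            bad.append(f"static: real {m.group(4)} mapped to {m.group(3)} on {m.group(2)}")
    return bad
```

On 8.3 and newer, traffic that matches no NAT rule passes untranslated, so the identity rule is a guard against accidental translation rather than a requirement.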

 

Related Articles, References, Credits, or External Links

NA