Keeping two LANs separate - different subnets or vlan?

I have a problem where I need to create two physically cabled and separate LANs and keep them separate so traffic cannot flow between the two. This is the easy part as the cables and hardware are all separate.

The problem is I can only access the internet (which both separate LANs must be able to do) using an ASA5505. I also have only a basic understanding of how to use this device, which is mainly why I'm asking for help here.

If I plug each of the two LAN switches into the router, traffic from each LAN will be accessible from the other, won't it? How can I stop this from happening?

Thanks

(The two LAN switches support vlans but are not currently being used)
 
I would have thought that the ASA5505 could implement an ACL effectively firewalling the two networks from each other.
 
Really hard to say mate without knowing your exact setup.

I have not had any exposure to the 5505's but do manage some 5510's.

In essence you're going to have to create 2 vlans on the inside interface, then create 2 trunk ports on the 5510 switch ports which you plug your 2 switches into. These switches will obviously have to be 802.1q compliant. From there just create your NAT and ACL rules.
 
I neither manage, nor have had experience with ASAs, but I did find this that I thought might be of use.

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/vlans.html

It looks like the ASA5505 can only support 3 VLANS (unless I've got the wrong product)

The description of the homeworker setup, where you have work connections, other home devices and then an external connection looks like it might suffice for your needs?

Good luck with setting it up.

Edit- having read a bit further, it looks like it only supports an inside and an outside VLAN. If you want more VLANs you have to upgrade your license. lame.
 
Thanks for the quick replies, I'll have a read over the documentation this weekend and try some tests on Monday with our backup 5505. I'm happy we have a spare unit as it's learning on the job for me with Cisco stuff, so I really appreciate the help.

I'm not sure what level of license we have on the production ASA, so might need an alternate solution.
Could a second router be used to separate the second LAN from the first LAN and then onto the internet? Or is that total rubbish?
 
The 5505 base license allows you to support three VLANs: one for the outside network and two for the inside network. The only problem is that the two inside networks can't talk to each other; this behaviour can't be changed unless you upgrade to the Security Plus license, which will give you 20 VLANs, at which point you can trunk from the switch and apply the appropriate NAT/security levels/ACLs.


By the looks of what you want to achieve this would suit your purpose: create two separate VLANs on your switch, allocate each its own unique subnet, and configure three VLANs on the ASA 5505. Assign each of the internal VLANs an IP address in line with the chosen unique subnet for each VLAN, set a dynamic NAT policy for outbound internet access and off you go.

In this scenario you don't have to match the VLANs on the switch with those on the ASA.


Code:
The following example configures three VLAN interfaces for the Base license. The third home interface cannot forward traffic to the business interface.

hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address dhcp
hostname(config-if)# no shutdown

hostname(config-if)# interface vlan 200
hostname(config-if)# nameif business
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

hostname(config-if)# interface vlan 300
hostname(config-if)# no forward interface vlan 200
hostname(config-if)# nameif home
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/int5505.pdf
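To show the rest of the procedure from the post above (port assignment, dynamic NAT, and the one direction the Base-license "no forward" restriction does not cover), here is an added example configuration that is not from the thread or from the Cisco guide. It assumes the VLAN numbers and subnets from the quoted example, assumes Ethernet0/0 is the outside uplink and Ethernet0/1 and 0/2 are the two LAN switch cables, and uses the pre-8.3 NAT syntax that matches the linked 7.x guide.

```cisco
! Added example, not from the thread or the Cisco guide.
! ASA 5505, Base license, pre-8.3 NAT syntax. Port numbers are assumed.

! --- Map physical switch ports to VLANs: one LAN switch per inside port,
! --- plugged in untagged, so the LAN switches' own VLAN numbering does not matter.
interface Ethernet0/0
 switchport access vlan 100
 no shutdown
interface Ethernet0/1
 switchport access vlan 200
 no shutdown
interface Ethernet0/2
 switchport access vlan 300
 no shutdown

! --- VLAN interfaces, as in the quoted guide ---
interface vlan 100
 nameif outside
 security-level 0
 ip address dhcp
 no shutdown
interface vlan 200
 nameif business
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface vlan 300
 no forward interface vlan 200
 nameif home
 security-level 50
 ip address 10.2.1.1 255.255.255.0
 no shutdown

! --- Dynamic PAT: both inside subnets leave via the outside interface address ---
nat (business) 1 10.1.1.0 255.255.255.0
nat (home) 1 10.2.1.0 255.255.255.0
global (outside) 1 interface

! --- Caveat: "no forward interface vlan 200" only stops home -> business.
! --- business (level 100) is higher than home (level 50), so business -> home
! --- is permitted by default. This inbound ACL on business closes that direction
! --- so the two LANs cannot reach each other in either direction.
access-list business_in extended deny ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list business_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group business_in in interface business
```

Check the result from a host on each LAN with a ping to the other LAN's gateway and to an internet address: the former should fail while the latter succeeds, and `show access-list business_in` shows the deny entry's hit count climbing when business hosts try to reach 10.2.1.0/24.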
 