Home / Configuration Tips / Cisco ASA as DHCP Server with Multiple Internal LANs

Cisco ASA as DHCP Server with Multiple Internal LANs

asa-3rd-editionThis article describes the configuration of an interesting network scenario that is applicable in many real world situations, mainly in small to medium networks.

We have three different internal LAN networks which host user computers and other IT infrastructure (servers, network printers etc). We want to separate the three internal LANs using an ASA firewall (either ASA5500 or the new ASA5500-X models will work fine). The three internal LANs will be connected using the same switch and separated at Layer2 level with three VLANs on the switch.

The ASA firewall will provide internet access to all internal LANs. Also, the ASA will act as DHCP server for each internal LAN, assigning the required IP addresses for each LAN subnet using a different DHCP scope for each one.

Also, we will use a single physical interface of the ASA to accommodate the three internal network security zones (“inside1”, “inside2”, “inside3”). Thus, we need to configure sub-interfaces on a physical interface of the ASA which will be connected to a trunk port of the internal switch. Each sub-interface of the ASA will act as the default gateway for its corresponding internal LAN subnet.

Do you work with Cisco ASA?
Get the Cisco ASA Firewall Fundamentals 3rd Edition by Harris Andrea

Regarding the switch configuration, we need to have one Dot1Q trunk port connected to the ASA and also we need to configure “access ports” belonging to the appropriate VLAN for the internal hosts. Let’s see the network diagram of our topology:

cisco asa multiple lans

From the network diagram above:

  • Interface GE1 of the ASA (“outside” zone with IP address 100.1.1.1) will be connected to the ISP.
  • Interface GE0 of the ASA will be connected to a trunk port of the switch (port E0/0). This physical interface of the ASA will be split into three sub-interfaces with each one belonging to a different security zone and VLAN:
    • Subinterface GE0.1: VLAN10 (IP address 10.1.1.254) – zone name “inside1”)
    • Subinterface GE0.2: VLAN20 (IP address 10.2.2.254) – zone name “inside2”)
    • Subinterface GE0.3: VLAN30 (IP address 10.3.3.254) – zone name “inside3”)
  • Interfaces E0/1, E0/2, E0/3 of the switch will be configured as “access ports” belonging to VLANs 10, 20, 30 respectively.
  • Hosts in VLAN10 will be assigned IP address from the ASA using a DHCP scope (10.1.1.0/24) enabled on “inside1” interface.
  • Hosts in VLAN20 will be assigned IP address from the ASA using a DHCP scope (10.2.2.0/24) enabled on “inside2” interface.
  • Hosts in VLAN30 will be assigned IP address from the ASA using a DHCP scope (10.3.3.0/24) enabled on “inside3” interface.
  • All internal LANs will have internet access via the ASA using NAT overload (PAT) of the ASA outside interface.

Please note the following:

  • there is no communication between the three internal LANs (only internet access allowed).
  • for ASA5505 you will need the security-plus licence for the above scenario to work.

 

Let’s now see the configurations of both the ASA and internal SWITCH (only the important commands are shown).

 

Cisco ASA as DHCP server – configuration

! This is the physical interface which we’ll split into 3 sub-interfaces (connected to trunk port of switch)
interface GigabitEthernet0
no nameif
no security-level
no ip address
!
! This is sub- interface GE0.1 for vlan10
interface GigabitEthernet0.1
vlan 10
nameif inside1
security-level 100
ip address 10.1.1.254 255.255.255.0
!
! This is sub- interface GE0.2 for vlan20
interface GigabitEthernet0.2
vlan 20
nameif inside2
security-level 90
ip address 10.2.2.254 255.255.255.0
!
! This is sub- interface GE0.3 for vlan30
interface GigabitEthernet0.3
vlan 30
nameif inside3
security-level 80
ip address 10.3.3.254 255.255.255.0
!
! This is the WAN interface connected to ISP
interface GigabitEthernet1
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0
!
!Configure network objects for the three internal LANs
object network inside1_LAN
subnet 10.1.1.0 255.255.255.0
!
object network inside2_LAN
subnet 10.2.2.0 255.255.255.0
!
object network inside3_LAN
subnet 10.3.3.0 255.255.255.0
!
!This ACL is useful to allow ICMP traffic for testing purposes
access-list OUT extended permit icmp any any
!
! Configure NAT overload for the three internal LANs using the outside interface. This allows internet access.
object network inside1_LAN
nat (inside1,outside) dynamic interface
object network inside2_LAN
nat (inside2,outside) dynamic interface
object network inside3_LAN
nat (inside3,outside) dynamic interface
!
access-group OUT in interface outside
route outside 0.0.0.0 0.0.0.0 100.1.1.2
!
! Create 3 different DHCP scopes to assign IP addresses to internal LANs 
! DHCP scope for hosts in VLAN10 – “inside1”
dhcpd address 10.1.1.1-10.1.1.100 inside1
dhcpd enable inside1
!
! DHCP scope for hosts in VLAN20 – “inside2”
dhcpd address 10.2.2.1-10.2.2.100 inside2
dhcpd enable inside2
!
! DHCP scope for hosts in VLAN30 – “inside3”
dhcpd address 10.3.3.1-10.3.3.100 inside3
dhcpd enable inside3
!
! Assign DNS server for internal hosts
dhcpd dns 200.1.1.1

 

Cisco SWITCH – Configuration

 

! This is the trunk port connected to interface GE0 of ASA
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto
!
! Access port for VLAN10
interface Ethernet0/1
switchport access vlan 10
switchport mode access
duplex auto
!
! Access port for VLAN20
interface Ethernet0/2
switchport access vlan 20
switchport mode access
duplex auto
!
! Access port for VLAN30
interface Ethernet0/3
switchport access vlan 30
switchport mode access
duplex auto
!

In this article we presented an easy configuration to support multiple LANs on the Cisco ASA used as DHCP server, ensuring the separation of traffic between LANs.

Learn more with the Cisco ASA Firewall Fundamentals 3rd Edition by Harris Andrea.

asa-3rd-edition

Cisco ASA as DHCP Server with Multiple Internal LANs
4.5 (90%)

About Harris Andrea

Harris Andrea is a Cisco Certified Professional with more than 18 years of experience working with Cisco network technologies. He is the author of two Cisco Books (“Cisco ASA Firewall Fundamentals” and “Cisco VPN Configuration Guide”) which have been embraced by thousands of Cisco professionals all over the world. You can find more Cisco configuration guides and tutorials on his blog here:
http://www.networkstraining.com

Check Also

DDOS RTBH Routing

How to configure Remotely Triggered Black Hole routing to protect from DDOS attacks

Article Contents1 What is a DDoS attack?2 Dealing with DDoS attacks3 Remotely Triggered Black Hole …

Leave a Reply

Your email address will not be published. Required fields are marked *