Cisco ASA As DHCP Server With Multiple Internal LANs (Configuration)

This document provides instructions for configuring a Cisco ASA firewall to act as a DHCP server for three separate internal LAN networks using VLANs. The ASA firewall will have one physical interface connected to an internal switch trunk port. That physical interface will be divided into three subinterfaces, one for each VLAN. Each subinterface will be in a different security zone and will provide DHCP services and act as the default gateway for its corresponding VLAN subnet. The switch will be configured with one trunk port and three access ports for the VLANs.


NETWORKS TRAINING

Cisco ASA as DHCP Server with Multiple Internal LANs (Configuration)

Written By Harris Andrea
In this tutorial I will describe the configuration of an interesting network scenario that I’m sure many of you will find helpful. This scenario is applicable in many real world situations, mainly in small to medium networks.

The network scenario is as follows:

We have three different internal LAN networks which host user computers and other I.T. infrastructure (servers, network printers etc).

We want to separate the three internal LANs using an ASA firewall (either ASA5500 or the new ASA5500-X models will work fine). The three internal LANs will be connected on the same switch and separated at Layer 2 with three VLANs on the switch.

The ASA firewall will provide internet access to all internal LANs. Also, the ASA will act as DHCP server for each internal LAN, assigning the required IP addresses for each LAN subnet using a different DHCP scope for each one.

Also, we will use a single physical interface of the ASA to accommodate the three internal network security zones (“inside1”, “inside2”, “inside3”).

Thus, we need to configure sub-interfaces on a physical interface of the ASA which will be connected to a trunk port of the internal switch. Each sub-interface of the ASA will act as the default gateway for its corresponding internal LAN subnet.

Regarding the switch configuration, we need to have one Dot1Q trunk port connected to the ASA and also we need to configure “access ports” belonging to the appropriate VLAN for the internal hosts.

Let’s see the network diagram of our topology below:

[Network diagram]

From our network diagram above:

- Interface GE1 of the ASA (“outside” zone with IP address 100.1.1.1) will be connected to the ISP.
- Interface GE0 of the ASA will be connected to a trunk port of the switch (port E0/0). This physical interface of the ASA will be split into three sub-interfaces, each one belonging to a different security zone and VLAN:
  - Subinterface GE0.1: VLAN10 (IP address 10.1.1.254) – zone name “inside1”
  - Subinterface GE0.2: VLAN20 (IP address 10.2.2.254) – zone name “inside2”
  - Subinterface GE0.3: VLAN30 (IP address 10.3.3.254) – zone name “inside3”
- Interfaces E0/1, E0/2, E0/3 of the switch will be configured as “access ports” belonging to VLANs 10, 20, 30 respectively.
- Hosts in VLAN10 will be assigned IP addresses from the ASA using a DHCP scope (10.1.1.0/24) enabled on the “inside1” interface.
- Hosts in VLAN20 will be assigned IP addresses from the ASA using a DHCP scope (10.2.2.0/24) enabled on the “inside2” interface.
- Hosts in VLAN30 will be assigned IP addresses from the ASA using a DHCP scope (10.3.3.0/24) enabled on the “inside3” interface.
- All internal LANs will have internet access via the ASA using NAT overload (PAT) on the ASA outside interface.


NOTES:

- I have not configured communication between the three internal LANs (only internet access allowed).
- For ASA5505 you will need the security-plus license for the above scenario to work.

Let’s now see the configurations of both the ASA and internal SWITCH.

(Only the important commands are shown)

Cisco ASA Configuration:

! This is the physical interface which we’ll split into 3 sub-interfaces (connected to trunk port of switch)
interface GigabitEthernet0
no nameif
no security-level
no ip address
!
! This is sub-interface GE0.1 for vlan10
interface GigabitEthernet0.1
vlan 10
nameif inside1
security-level 100
ip address 10.1.1.254 255.255.255.0

! This is sub-interface GE0.2 for vlan20
interface GigabitEthernet0.2
vlan 20
nameif inside2
security-level 90
ip address 10.2.2.254 255.255.255.0

! This is sub-interface GE0.3 for vlan30
interface GigabitEthernet0.3
vlan 30
nameif inside3
security-level 80
ip address 10.3.3.254 255.255.255.0

! This is the WAN interface connected to ISP
interface GigabitEthernet1
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0

! Configure network objects for the three internal LANs
object network inside1_LAN
subnet 10.1.1.0 255.255.255.0

object network inside2_LAN
subnet 10.2.2.0 255.255.255.0

object network inside3_LAN
subnet 10.3.3.0 255.255.255.0

! This ACL is useful to allow ICMP traffic for testing purposes
access-list OUT extended permit icmp any any
access-group OUT in interface outside

! Configure NAT overload for the three internal LANs using the outside interface. This allows internet access.
object network inside1_LAN
nat (inside1,outside) dynamic interface

object network inside2_LAN
nat (inside2,outside) dynamic interface

object network inside3_LAN
nat (inside3,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 100.1.1.2

! Create 3 different DHCP scopes to assign IP addresses to internal LANs

! DHCP scope for hosts in VLAN10 – “inside1”
dhcpd address 10.1.1.1-10.1.1.100 inside1
dhcpd enable inside1

! DHCP scope for hosts in VLAN20 – “inside2”
dhcpd address 10.2.2.1-10.2.2.100 inside2
dhcpd enable inside2

! DHCP scope for hosts in VLAN30 – “inside3”
dhcpd address 10.3.3.1-10.3.3.100 inside3
dhcpd enable inside3

! Assign DNS server for internal hosts
dhcpd dns 200.1.1.1
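As an added example (not part of the tutorial), the following Python script parses an ASA configuration of the form above and checks what this design relies on: every inside interface has a DHCP pool that lies within its own subnet and excludes the gateway address, and a dynamic PAT rule towards outside. It also lists which inside-to-inside directions the ASA permits by default, since traffic from a higher security-level interface to a lower one is forwarded unless an inbound ACL on the higher interface restricts it. The configuration text is the tutorial's own, embedded as a constructed string; `parse` and `lint` are names chosen here.

```python
import ipaddress
# Constructed input: the tutorial's ASA configuration, reduced to the lines the checks read.
ASA_CONFIG = "\n".join([
    "interface GigabitEthernet0.1", " nameif inside1", " security-level 100", " ip address 10.1.1.254 255.255.255.0",
    "interface GigabitEthernet0.2", " nameif inside2", " security-level 90", " ip address 10.2.2.254 255.255.255.0",
    "interface GigabitEthernet0.3", " nameif inside3", " security-level 80", " ip address 10.3.3.254 255.255.255.0",
    "interface GigabitEthernet1", " nameif outside", " security-level 0", " ip address 100.1.1.1 255.255.255.0",
    "access-group OUT in interface outside", "nat (inside1,outside) dynamic interface",
    "nat (inside2,outside) dynamic interface", "nat (inside3,outside) dynamic interface",
    "dhcpd address 10.1.1.1-10.1.1.100 inside1", "dhcpd address 10.2.2.1-10.2.2.100 inside2",
    "dhcpd address 10.3.3.1-10.3.3.100 inside3",
])

def parse(cfg):
    # Interfaces keyed by nameif (ASA prints nameif before security-level/ip address), inbound-ACL interfaces, NAT sources, DHCP pools
    ifaces, acl_in, nat_src, pools = {}, set(), set(), {}
    for t in filter(None, (line.split() for line in cfg.splitlines())):
        if t[0] == "nameif":
            cur = ifaces[t[1]] = {}
        elif t[0] == "security-level":
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"]:
            cur["addr"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[0] == "access-group" and t[2] == "in":
            acl_in.add(t[4])
        elif t[0] == "nat":
            nat_src.add(t[1].strip("()").split(",")[0])
        elif t[:2] == ["dhcpd", "address"]:
            lo, hi = t[2].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    return ifaces, acl_in, nat_src, pools

def lint(cfg):
    ifaces, acl_in, nat_src, pools = parse(cfg)
    out, inside = [], {n: i for n, i in ifaces.items() if n != "outside"}
    for name, itf in inside.items():
        gw, net = itf["addr"].ip, itf["addr"].network
        lo, hi = pools.get(name, (None, None))
        if lo is None or lo not in net or hi not in net:
            out.append(f"{name}: DHCP pool missing or not inside {net}")
        elif lo <= gw <= hi:
            out.append(f"{name}: gateway {gw} lies inside the DHCP pool")
        if name not in nat_src:
            out.append(f"{name}: no dynamic PAT to outside, hosts get no internet access")
    # ASA default: a higher security-level interface may initiate to a lower one unless an inbound ACL on it restricts it.
    for a in inside:
        for b in inside:
            if inside[a]["level"] > inside[b]["level"] and a not in acl_in:
                out.append(f"{a} -> {b}: allowed by default (no inbound ACL on {a})")
    return out
```

Run against the tutorial's configuration, the DHCP and PAT checks pass and the three default-allow directions (inside1 to inside2 and inside3, inside2 to inside3) are the only findings.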

Cisco SWITCH Configuration:

! This is the trunk port connected to interface GE0 of ASA
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
duplex auto

! Access port for VLAN10
interface Ethernet0/1
switchport access vlan 10
switchport mode access
duplex auto

! Access port for VLAN20
interface Ethernet0/2
switchport access vlan 20
switchport mode access
duplex auto

! Access port for VLAN30
interface Ethernet0/3
switchport access vlan 30
switchport mode access
duplex auto


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc. He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

Friend says
April 4, 2016 at 8:43 am

Useful explanation... will help a lot... thanks.

felixmwanje says
April 4, 2016 at 10:32 am

Thanks for the knowledge you always share with us. I will give it more time and see how to go about the configurations. You know I am not very good at router and switch configurations but I am learning a lot from you since I am new in the networking field.

Please keep sharing with me so that I become an expert in networks. Thanks and have a good week.
Felix

Reddy says
April 4, 2016 at 11:18 am

Nice article. Would it be possible to post an article on ‘ASA running behind another NAT device and how to port-forward services such as http/https running behind the ASA firewall, first from the internet to the inside IP address of the NAT device (which is also the outside IP address of the ASA) and then forward it all the way to the webserver running behind the ASA’? Use OSPF routing protocol between RFC 1918 addresses, and no NAT control on the ASA, and what if we use NAT control on the ASA?

Webserver (http) – inside (RFC 1918 addresses) – ASA – Outside (RFC 1918 addresses) – NAT/Router – Internet (Public IP) – ISP

Kevynjr says
April 4, 2016 at 11:20 am

Hi Andrea,

Can this be configured on GNS3?

Thanks

Kevynjr

Harris Andrea says
April 4, 2016 at 3:19 pm

Reddy,
For the scenario you describe, the external NAT device must be able to forward everything to the outside interface of the ASA. Then, configure the ASA to do port forwarding of the traffic to the inside network.

Harris Andrea says
April 4, 2016 at 3:21 pm

Kevynjr, yes this can be configured on GNS3 (and also you can combine GNS3 and IOU to configure switches etc).
