3rd VLAN on ASA 5505 basic

I have an ASA 5505 with an outside and inside VLAN. I am trying to set up a 3rd VLAN to use as a public internet VLAN.

I have set up the interfaces as shown below. The public access point is plugged into ethernet 0/2.

When connected to the public access point, I can ping the AP and the ASA. However, I cannot ping the inside VLAN (which is how I expect it to work) nor the outside VLAN. I have an ACL that allows all traffic from VLAN3 to lower security level interfaces, so it should be able to get to the outside VLAN.

When I run packet trace on the ASDM it says that it should be allowed.

Any ideas why this is not working?


interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.222.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address publicIP 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif publicwlan
 security-level 99
 ip address 192.168.220.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
 switchport trunk allowed vlan 1,3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

ryan80Asked:

MikeKaneCommented:
The ASA 5505 basic allows for 3 vlans, however, the catch is that the 3rd vlan can only communicate with 1 other VLAN (inside or outside).  
Not both.  

Reference the Cisco comparison chart for that info here:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

quote "2 regular zones and 1 restricted zone that can only communicate with 1 other zone"
ryan80Author Commented:
I only want it to communicate with the outside VLAN. I don't want it to communicate with the inside VLAN.
ryan80Author Commented:
Do I have the "no forward interface" command wrong?
sidetrackedCommented:
Please post the complete configuration and blank out the public IPs and passwords.
MikeKaneCommented:
If you run a packet trace and it shows the packets leaving the ASA, do you see any return packets?  

May I assume you have the ICMP allow statements:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable  
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside

If the ASA is not generating any errors in its logging, then the problem may not be the ASA. What are you pinging on the outside? Does that outside device know to route to the ASA for the new subnet?

Pro4iaCommented:
The full config will help.
ryan80Author Commented:
Here is my config:
: Saved
: Written by enable_15 at 13:24:23.722 EDT Fri Apr 16 2010
!
ASA Version 8.2(1) 
!
hostname companyfirewall
domain-name company.COM
enable password ***************** encrypted
passwd ***************** encrypted
names
name 192.168.201.0 alternate_vpn description alternate_vpn
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.222.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address **.***.**.18 255.255.255.0 
!
interface Vlan3
 no forward interface Vlan1
 nameif publicwlan
 security-level 99
 ip address 192.168.220.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
 switchport trunk allowed vlan 1,3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name company.COM
object-group service DNS tcp
 port-object range domain domain
object-group service DNS-both tcp-udp
 port-object range domain domain
object-group service DNS-UDP udp
 port-object range domain domain
object-group service RDP tcp
 port-object range 3389 3389
object-group service RDP-udp udp
 port-object range 3389 3389
object-group service UVNC tcp
 port-object range 5500 5500
object-group service port_25 tcp
 port-object range smtp smtp
object-group service 5722 tcp
 port-object range 5722 5722
object-group service 5722-UDP udp
 port-object range 5722 5722
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Viewpoint tcp-udp
 description Sonicwall Viewpoint
 port-object eq 514
object-group service UDP_5720_Kaseya udp
 port-object eq 5720
object-group service Kaseya tcp
 port-object eq 5721
access-list 100 remark Kaseya agent port
access-list 100 extended permit tcp any host **.***.**.20 eq 5721 
access-list 100 remark Kaseya web interface
access-list 100 extended permit tcp any host **.***.**.20 eq www 
access-list 100 remark Connectwise web interface
access-list 100 extended permit tcp any host **.***.**.22 eq www 
access-list 100 remark OWA http
access-list 100 extended permit tcp any host **.***.**.21 eq www 
access-list 100 remark OWA https
access-list 100 extended permit tcp any host **.***.**.21 eq https 
access-list 100 remark IP-KVM http
access-list 100 extended permit tcp any host **.***.**.23 eq www 
access-list 100 remark IP-KVM https
access-list 100 extended permit tcp any host **.***.**.23 eq https 
access-list 100 remark IP-KVM video
access-list 100 extended permit tcp any host **.***.**.23 eq 8192 
access-list 100 remark IP-KVM video
access-list 100 extended permit tcp any host **.***.**.23 eq 3871 
access-list 100 remark IP-KVM keyboard and mouse
access-list 100 extended permit tcp any host **.***.**.23 eq 2068 
access-list 100 remark IP-KVM proxy
access-list 100 extended permit tcp any host **.***.**.23 eq 1078 
access-list 100 remark IP-KVM discovery tcp
access-list 100 extended permit tcp any host **.***.**.23 eq 3211 
access-list 100 remark IP-KVM discovery udp
access-list 100 extended permit udp any host **.***.**.23 eq 3211 
access-list 100 remark FTP server
access-list 100 extended permit tcp any host **.***.**.24 eq ftp 
access-list 100 remark DC01 DNS lookup
access-list 100 extended permit tcp any object-group DNS host 192.168.222.20 object-group DNS
access-list 100 remark DC01 DNS lookup
access-list 100 extended permit udp any object-group DNS-UDP host 192.168.222.20 object-group DNS-UDP
access-list 100 remark SMTP traffic to the mail server
access-list 100 extended permit tcp any host **.***.**.21 eq smtp
access-list 100 remark ICMP traffic
access-list 100 extended permit icmp any any
access-list 100 remark UltraVNC on FTP server
access-list 100 extended permit tcp any host **.***.**.24 object-group UVNC
access-list 100 remark Deny smtp traffic to NAT'ed machines
access-list 100 extended deny tcp host 68.167.116.142 any object-group port_25
access-list 100 extended permit ip any host **.***.**.19
access-list 100 extended permit tcp host 205.232.23.250 host **.***.**.22 object-group RDP
access-list 100 extended permit ip host 64.115.108.82 host **.***.**.25
access-list 100 extended permit tcp any host **.***.**.25 eq www
access-list 100 extended permit tcp any host **.***.**.20 object-group RDP
access-list 100 extended permit ip any 192.168.220.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.101.100.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.222.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.222.0 255.255.255.0 alternate_vpn 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.222.0 255.255.255.0 alternate_vpn 255.255.255.128 
access-list in extended permit ip any host **.***.**.20 
access-list in extended permit ip host **.***.**.20 any 
access-list outside_cryptomap_1 extended permit ip 192.168.222.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list alternate2_splitTunnelAcl standard permit host 192.168.222.16 
access-list alternate2_splitTunnelAcl standard permit host 192.168.222.13 
pager lines 24
logging enable
logging timestamp
logging buffer-size 20480
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu publicwlan 1500
ip local pool alternate 192.168.201.1-192.168.201.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-621.bin
asdm location alternate_vpn 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp **.***.**.23 www 192.168.222.19 www netmask 255.255.255.255 
static (inside,outside) tcp **.***.**.23 https 192.168.222.19 https netmask 255.255.255.255 
static (inside,outside) tcp **.***.**.23 8192 192.168.222.19 8192 netmask 255.255.255.255 
static (inside,outside) tcp **.***.**.23 3871 192.168.222.19 3871 netmask 255.255.255.255 
static (inside,outside) tcp **.***.**.23 2068 192.168.222.19 2068 netmask 255.255.255.255 
static (inside,outside) tcp **.***.**.23 1078 192.168.222.19 1078 netmask 255.255.255.255 
static (inside,outside) tcp **.***.**.23 3211 192.168.222.19 3211 netmask 255.255.255.255 
static (inside,outside) udp **.***.**.23 3211 192.168.222.19 3211 netmask 255.255.255.255 
static (inside,outside) tcp **.***.**.24 ftp 192.168.222.16 ftp netmask 255.255.255.255 
static (inside,outside) tcp **.***.**.23 5500 192.168.222.25 5500 netmask 255.255.255.255 
static (inside,outside) tcp **.***.**.20 www 192.168.222.13 www netmask 255.255.255.255 
static (inside,outside) tcp **.***.**.20 5721 192.168.222.13 5721 netmask 255.255.255.255 
static (inside,outside) udp **.***.**.20 5721 192.168.222.13 5721 netmask 255.255.255.255 
static (inside,outside) tcp **.***.**.20 3389 192.168.222.13 3389 netmask 255.255.255.255 
static (inside,outside) **.***.**.22 192.168.222.21 netmask 255.255.255.255 
static (inside,outside) **.***.**.21 192.168.222.22 netmask 255.255.255.255 
static (inside,outside) **.***.**.19 192.168.222.106 netmask 255.255.255.255 
static (inside,outside) **.***.**.25 192.168.222.43 netmask 255.255.255.255 
static (inside,inside) **.***.**.26 192.168.222.42 netmask 255.255.255.255 
static (inside,outside) **.***.**.27 192.168.222.14 netmask 255.255.255.255 
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 **.***.**.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.222.0 255.255.255.0 inside
snmp-server host inside 192.168.222.42 community company
snmp-server host inside 192.168.222.43 community company
snmp-server location Basement
snmp-server contact Ryan
snmp-server community company
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change fru-insert fru-remove
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer **.***.***.165 
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.222.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.222.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.220.2-192.168.220.100 publicwlan
dhcpd dns 4.2.2.1 interface publicwlan
dhcpd option 3 ip 192.168.220.1 interface publicwlan
dhcpd enable publicwlan
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 64.73.32.135 source outside
tftp-server inside 192.168.222.43 companyasa5505.cfg
webvpn
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value in
group-policy alternate2 internal
group-policy alternate2 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value alternate2_splitTunnelAcl
username company password **************** encrypted privilege 15
username alternate password ******************* encrypted
username alternate2 password ******************* encrypted privilege 0
username alternate2 attributes
 vpn-group-policy alternate2
tunnel-group **.***.***.165 type ipsec-l2l
tunnel-group **.***.***.165 ipsec-attributes
 pre-shared-key **********
tunnel-group alternate2 type remote-access
tunnel-group alternate2 general-attributes
 address-pool alternate
 default-group-policy alternate2
tunnel-group alternate2 ipsec-attributes
 pre-shared-key alternate2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:6a0b964a17712e7c41e6cf6f3c3bd4d1
: end
sidetrackedCommented:
You need to add NAT for your publicwlan interface:

nat (publicwlan) 1 0.0.0.0 0.0.0.0
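Putting the thread's answer together, here is an added example (not the asker's config and not posted by any of the respondents) of a complete Base-license ASA 5505 guest VLAN in 8.2 syntax that can reach only the Internet. It reuses the interface names, addresses and the existing `global (outside) 1 interface` pool from the thread; the ACL name `publicwlan_in` is an assumption. On the Base license the third VLAN must carry a `no forward interface` statement naming one of the other two VLANs, which is the restriction MikeKane quoted from the comparison chart.

```text
! Added example, not the asker's configuration. Guest VLAN on an ASA 5505 Base license.
interface Vlan3
 no forward interface Vlan1
 nameif publicwlan
 security-level 99
 ip address 192.168.220.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
!
! Explicit inbound policy on the guest interface (assumed ACL name).
! "no forward interface Vlan1" already stops guests from initiating traffic to the
! inside VLAN; the deny entry makes that intent visible in the config and logs any hits.
access-list publicwlan_in extended deny ip 192.168.220.0 255.255.255.0 192.168.222.0 255.255.255.0 log
access-list publicwlan_in extended permit ip 192.168.220.0 255.255.255.0 any
access-group publicwlan_in in interface publicwlan
!
! Pre-8.3 NAT: guests are PATed behind the outside interface address. Without the
! nat (publicwlan) line the 192.168.220.0/24 source leaves untranslated (8.2 has
! nat-control off by default) and upstream has no route back for the replies.
global (outside) 1 interface
nat (publicwlan) 1 0.0.0.0 0.0.0.0
!
dhcpd address 192.168.220.2-192.168.220.100 publicwlan
dhcpd dns 4.2.2.1 interface publicwlan
dhcpd option 3 ip 192.168.220.1 interface publicwlan
dhcpd enable publicwlan
```

To confirm the translation is applied, run `packet-tracer input publicwlan icmp 192.168.220.50 8 0 4.2.2.1` and check that the NAT phase now shows a translation to the outside address, then `show xlate` after a ping from a guest client. Echo replies come back in only because `access-list 100` on the outside permits ICMP; adding `inspect icmp` under `class inspection_default` in `policy-map global_policy` makes ICMP stateful so those inbound permit entries are no longer needed.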
MikeKaneCommented:
Yep - Sidetracked is correct.  
ryan80Author Commented:
Thanks for the help.