VLAN3 to outside on ASA 5505

Hi,
I'm trying to set up a guest network on our ASA by creating a separate VLAN connected to a wireless access point. The thought is that the "guests" should be able to access the internet (the outside interface) but not the default VLAN 1 (where our corporate network is located).

I've managed to get it working so far that I can send packets to external addresses when using the Packet Tracer functionality in the ASDM, but when connecting an external PC to the VLAN, it won't get access to anything outside the VLAN.

I have noticed that sometimes when adding rules through the ASDM it doesn't work, so this time I SSHed into the ASA and entered the rules through the console instead, but that didn't solve the problem either.

I'm not very familiar with Cisco products or firewalls in general, so I would be very happy for some assistance :-)

My ASA settings:

Result of the command: "show run"

: Saved
:
ASA Version 7.2(1) 
!
hostname West
domain-name Xxx.xxx
enable password nvNvdhePuUkZsFOo encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.x.130 255.255.255.240 
 ospf cost 10
!
interface Vlan12
 no forward interface Vlan1
 nameif inside2
 security-level 90
 ip address 192.168.100.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 switchport access vlan 12
 no nameif
 no security-level
 no ip address
!
passwd nvNvdhePuUkZsFOo encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name Xxx.xxx
same-security-traffic permit intra-interface
access-list 100 extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list 100 extended permit ip 10.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list 100 extended permit ip 192.168.37.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 192.168.37.0 255.255.255.0 
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list splittunnel standard permit 10.0.1.0 255.255.255.0 
access-list splittunnel standard permit 10.0.0.0 255.255.255.0 
access-list splittunnel standard permit 192.168.37.0 255.255.255.0 
access-list 104 extended permit icmp any any echo-reply 
access-list 104 extended permit icmp any any time-exceeded 
access-list 104 extended permit icmp any any unreachable 
access-list inside_nonat_outbound extended permit ip 192.168.37.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list outside_access_in extended permit tcp any any eq 3306 
access-list outside_access_in extended permit tcp any any eq 2555 
access-list outside_access_in extended permit tcp any eq 9010 any eq 9010 
access-list inside2_access_in extended permit ip any any 
access-list inside2 extended permit icmp any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside2 1500
ip local pool vpnpool 192.168.37.1-192.168.37.10
asdm image disk0:/asdm-521.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list inside_nonat_outbound
nat (inside2) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3306 10.0.1.2 3306 netmask 255.255.255.255 
static (inside,outside) tcp interface 2555 10.0.1.2 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 9010 10.0.1.105 9010 netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group inside2_access_in in interface inside2
route outside 0.0.0.0 0.0.0.0 xxx.xxx.x.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpnradius protocol radius
aaa-server vpnradius host 10.0.1.2
 key #R3@b/d@Ta!
group-policy vpnWest internal
group-policy vpnWest attributes
 wins-server value 10.0.1.2
 dns-server value 10.0.1.2
 vpn-idle-timeout 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value westint.local
username vpnAccess1 password L5i6fI.Co3LFvQEl encrypted privilege 15
username vpnAccess1 attributes
 vpn-group-policy vpnWest
http server enable
http 10.0.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 outside
http xxx.xx.250.64 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer xxx.xx.250.64 
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 20
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 20
tunnel-group vpnWest type ipsec-ra
tunnel-group vpnWest general-attributes
 address-pool vpnpool
 authentication-server-group vpnradius
 default-group-policy vpnWest
tunnel-group vpnWest ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20
tunnel-group xxx.xx.250.64 type ipsec-l2l
tunnel-group xxx.xx.250.64 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20
tunnel-group vpnExt type ipsec-ra
tunnel-group vpnExt general-attributes
 default-group-policy vpnWest
 authorization-required
telnet 10.0.1.1 255.255.255.255 inside
telnet timeout 5
ssh 10.0.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
dhcpd address 192.168.100.100-192.168.100.199 inside2
dhcpd auto_config outside interface inside2
dhcpd enable inside2
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:71cf0c3b9e65837bf0e9eb495c1a3648
: end



Thanks in advance!
tnson Asked:
Istvan Kalmar (Head of IT Security Division) Commented:
Hi,

You have a restricted license, so you are not able to communicate with VLAN 1; you need to buy the security bundle feature to communicate both ways!
tnson (Author) Commented:
Ahh, so the outside is also considered a VLAN then? I thought I could use the outside interface + two VLANs with the Base license.
Istvan Kalmar (Head of IT Security Division) Commented:
With this license, VLAN 12 is only able to communicate with one security zone, outside or inside!

tnson (Author) Commented:
I will look into upgrading the license or using another FW for the purpose.
tnson (Author) Commented:
I just went through the documentation from Cisco again, and from what I can understand, the Base license allows for three VLANs. With the Base license, the third VLAN can only initiate traffic with one other VLAN...

My setup is as follows:
VLAN1 - Outer interface (internet connection)
VLAN2 - Office network - Can access internet through VLAN1
VLAN3 - Guest network - Can access internet through VLAN1

Shouldn't this work with my current license?
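The guest-VLAN configuration the thread is circling, written out as an added example (it is not the original poster's config and not a Cisco-supplied one). It uses the ASA 7.2 NAT syntax of the posted config and keeps the posted addressing (Vlan12 = 192.168.100.0/24, AP on Ethernet0/7, outside on Vlan2), but renames the interface from inside2 to guest and assumes an external resolver at 203.0.113.53, which is a placeholder address you would replace with your ISP's or a public resolver.

```cisco
! Added example, not the original poster's configuration. ASA 5505, Base license, ASA 7.2 syntax.
! Assumptions: guest AP on Ethernet0/7, outside already on Vlan2, resolver 203.0.113.53 (placeholder).
!
! The Base license permits a third VLAN only when it is told not to initiate traffic to one of the
! other two. Pointing "no forward interface" at Vlan1 (inside) leaves Vlan2 (outside) as the one
! VLAN guests may initiate to, which is exactly the guest-network requirement.
interface Vlan12
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/7
 switchport access vlan 12
!
! Guests get DNS, web and ICMP only. The corporate subnet, the remote VPN subnets and the
! remote-access pool are denied explicitly, ahead of the permits, even though the license already
! blocks guest-initiated traffic to inside: if the license is later upgraded and "no forward
! interface" is removed, the ACL still enforces the separation.
access-list guest_access_in extended deny ip any 10.0.0.0 255.0.0.0
access-list guest_access_in extended deny ip any 192.168.37.0 255.255.255.0
access-list guest_access_in extended deny ip any 192.168.10.0 255.255.255.0
access-list guest_access_in extended permit udp 192.168.100.0 255.255.255.0 any eq domain
access-list guest_access_in extended permit tcp 192.168.100.0 255.255.255.0 any eq www
access-list guest_access_in extended permit tcp 192.168.100.0 255.255.255.0 any eq https
access-list guest_access_in extended permit icmp 192.168.100.0 255.255.255.0 any
access-group guest_access_in in interface guest
!
! PAT guests behind the outside interface address, reusing global pool 1 that inside already uses.
global (outside) 1 interface
nat (guest) 1 192.168.100.0 255.255.255.0
!
! Hand guests a resolver they can actually reach. A resolver on the inside VLAN (10.0.1.2 in the
! posted config) is unreachable from a VLAN that cannot forward to inside, and
! "dhcpd auto_config outside" only copies DNS servers the outside interface itself learned via
! DHCP; with a statically addressed outside interface it hands out none.
dhcpd address 192.168.100.100-192.168.100.199 guest
dhcpd dns 203.0.113.53 interface guest
dhcpd lease 3600 interface guest
dhcpd enable guest
```

To confirm what the license permits, `show version` on a Base-license 5505 reports the VLAN count as restricted, while Security Plus reports it unrestricted. To check the path without a client, `packet-tracer input guest tcp 192.168.100.100 1025 198.51.100.10 80` (packet-tracer is available from 7.2(1)) walks the guest ACL, NAT and route; with a client attached, `show dhcpd binding` confirms it got a lease and DNS, and `show xlate` confirms the PAT entry. Unrelated to the guest VLAN but visible in the posted config: `ssh 0.0.0.0 0.0.0.0 outside` together with `ssh version 1` exposes SSHv1 management to the whole internet, and `http ... outside` exposes ASDM there too; restricting those to known management addresses and moving to `ssh version 2` is worth doing before opening a guest network.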