Solved

ASA 5505 DMZ to Internet access

Posted on 2011-09-15
27
1,078 Views
Last Modified: 2012-05-12
Good Morning!

We have a remote office that requested guest wireless. Normally not an issue, but they have a base license on the ASA 5505. I'll provide partial config shortly, but I have it all set to not forward traffic to the inside interface. So in theory, traffic should work between DMZ and internet. The ASA is handling DHCP and this forwards out fine to the people on the guest wireless. I just can't access anything on the web. Any help would be amazing! I'm sure I'm missing something small. Here is my partial config:

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
[excluded]
!

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.14.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *
!
interface Vlan3
 no forward interface Vlan1
 nameif GUEST
 security-level 50
 ip address 192.168.114.10 255.255.255.0
!

access-list guest extended permit ip any any
!
mtu GUEST 1500
!

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (GUEST) 1 192.168.114.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group guest in interface GUEST
!

dhcpd address 192.168.114.100-192.168.114.200 GUEST
dhcpd dns 8.8.8.8 interface GUEST
dhcpd enable GUEST


0
Question by:prlit
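
The question turns on three things an ASA 8.2 config needs before a third VLAN on a base-licensed 5505 can reach the Internet: a default route out of the outside interface, a `nat (GUEST)` id with a matching `global (outside)`, and something that keeps the guest segment off the inside network (here `no forward interface Vlan1`, since the guest ACL permits everything). The lint below is an added example, not the asker's or Cisco's code: it parses the partial config from the post (embedded as a constructed sample, with the redacted outside address replaced by a documentation-range placeholder) and reports which of those pieces are present. Run against the partial config it flags the missing default route and notes that the `permit ip any any` ACL is only safe because of the `no forward` line.

```python
"""Lint an ASA 8.2-style config for the pieces a third (guest/DMZ) VLAN needs
to reach the Internet on an ASA 5505. Added example, not from the thread or
from Cisco; the embedded config is constructed from the partial config in the
question (the outside address is a documentation placeholder)."""
import re
from collections import defaultdict

# Constructed sample: the question's partial config, with the redacted
# outside address replaced by a documentation-range placeholder.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.14.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif GUEST
 security-level 50
 ip address 192.168.114.10 255.255.255.0
!
access-list guest extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (GUEST) 1 192.168.114.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group guest in interface GUEST
"""


def parse_asa(text):
    """Pull out interfaces, ACLs, NAT/global pairs, ACL bindings and the default route."""
    cfg = {"interfaces": {}, "acls": defaultdict(list), "nat": [],
           "global": {}, "access_group": {}, "default_route": None}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = {"name": line.split()[1], "nameif": None, "no_forward": []}
            cfg["interfaces"][current["name"]] = current
            continue
        parts = line.split()
        if line.startswith(" ") and current is not None:
            if parts[0] == "nameif":
                current["nameif"] = parts[1]
            elif parts[:3] == ["no", "forward", "interface"]:
                current["no_forward"].append(parts[3])
            continue
        current = None
        if parts[0] == "access-list":
            cfg["acls"][parts[1]].append(" ".join(parts[2:]))
        elif parts[0] == "global":
            m = re.match(r"global \((\S+)\) (\d+)", line)
            cfg["global"][int(m.group(2))] = m.group(1)
        elif parts[0] == "nat":
            m = re.match(r"nat \((\S+)\) (\d+)", line)
            cfg["nat"].append((m.group(1), int(m.group(2))))
        elif parts[0] == "access-group":
            cfg["access_group"][parts[4]] = parts[1]   # interface -> ACL name
        elif parts[0] == "route" and parts[2:4] == ["0.0.0.0", "0.0.0.0"]:
            cfg["default_route"] = (parts[1], parts[4])
    return cfg


def lint_guest(cfg, guest="GUEST", outside="outside", inside="inside"):
    """Return (level, message) findings for guest-to-Internet reachability and isolation."""
    findings = []
    by_nameif = {i["nameif"]: i for i in cfg["interfaces"].values() if i["nameif"]}
    if guest not in by_nameif:
        return [("error", f"no interface has nameif {guest}")]
    if cfg["default_route"] is None:
        findings.append(("error", "no default route (route outside 0.0.0.0 0.0.0.0 <gw>) in this config"))
    elif cfg["default_route"][0] != outside:
        findings.append(("error", f"default route points out {cfg['default_route'][0]}, not {outside}"))
    nat_ids = [nid for ifc, nid in cfg["nat"] if ifc == guest and nid != 0]
    if not nat_ids:
        findings.append(("error", f"no nat ({guest}) statement, so guest hosts cannot be translated"))
    for nid in nat_ids:
        if cfg["global"].get(nid) != outside:
            findings.append(("error", f"nat ({guest}) {nid} has no matching global ({outside}) {nid}"))
    acl_name = cfg["access_group"].get(guest)
    entries = cfg["acls"].get(acl_name, []) if acl_name else []
    permits_all = any(e.startswith("extended permit ip any any") for e in entries)
    inside_vlan = by_nameif[inside]["name"] if inside in by_nameif else None
    isolated = inside_vlan in by_nameif[guest]["no_forward"]
    if permits_all and not isolated:
        findings.append(("error", f"ACL {acl_name} permits ip any any and nothing blocks {guest} -> {inside}"))
    elif permits_all:
        findings.append(("info", f"ACL {acl_name} permits ip any any; 'no forward interface {inside_vlan}' "
                                 f"is what keeps {guest} off {inside}"))
    return findings


if __name__ == "__main__":
    for level, msg in lint_guest(parse_asa(SAMPLE_CONFIG)):
        print(f"{level}: {msg}")
```

Appending the `route outside 0.0.0.0 0.0.0.0 <gw> 1` line that the full config later shows clears the error, leaving only the informational note about the ACL.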
27 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36543746
Can't reach anything at all? Even when trying to ping an outside ip?
At a first glance the config seems ok.
0
 
LVL 1

Author Comment

by:prlit
ID: 36543964
Yeah it's weird.. I can't ping from the guest interface in the router to anything (google dns, espn etc). Do I need to define a route from the guest interface to the outside or should it just know? The only route in there currently is the outside route.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36544049
If you have the default route it should be ok.
Anything showing in the (adsm) logs?
0
 
LVL 18

Expert Comment

by:jmeggers
ID: 36544486
You probably want to get rid of the guest ACL.  That's going to allow traffic into the inside, which you don't want.  Traffic going to the outside interface won't require an ACL.  But the NAT looks OK to me, so I can't explain why you can't ping anything on the outside.  
0
 
LVL 1

Author Comment

by:prlit
ID: 36545535
Here's what I have in the logs..

5      Sep 15 2011      12:46:47      111008                              User '****' executed the 'ping GUEST 8.8.8.8' command.
6      Sep 15 2011      12:46:37      110003      192.168.114.10      0      8.8.8.8      0      Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.114.10/0 to GUEST:8.8.8.8/0
0
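
The two log entries above are worth reading mechanically. `%ASA-6-110003` names a source of `NP Identity Ifc`, which is the firewall's own identity pseudo-interface: the packet was generated by the ASA itself (the `ping` command logged in the 111008 line), not forwarded from a guest host. The `to GUEST:8.8.8.8/0` part records that the next-hop lookup was attempted on the GUEST interface, and on the ASA the interface argument of `ping <if_name> <host>` is the interface through which the host is expected to be reachable, so that lookup fails whenever the only path to 8.8.8.8 is the default route via outside. The parser below is an added example, not the asker's or Cisco's code; the two sample lines are constructed from the ones posted, with the same values.

```python
"""Parse ASDM-style log lines and interpret %ASA-6-110003 ("Routing failed to
locate next hop"). Added example, not from the thread or from Cisco; the two
sample lines are constructed from the ones posted, with the same values."""
import re

# Constructed: the two entries from the post, whitespace-separated as ASDM shows them.
SAMPLE_LOG = """\
5      Sep 15 2011      12:46:47      111008      User '****' executed the 'ping GUEST 8.8.8.8' command.
6      Sep 15 2011      12:46:37      110003      192.168.114.10      0      8.8.8.8      0      Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.114.10/0 to GUEST:8.8.8.8/0
"""

# severity, date, time, message id, optional src/sport/dst/dport columns, free text
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>[A-Z][a-z]{2} \d{1,2} \d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<msgid>\d{6})\s+"
    r"(?:(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+)?"
    r"(?P<text>.*)$")

# Body of a 110003 message; the source interface name may contain spaces.
ROUTE_FAIL_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\S+) from "
    r"(?P<src_ifc>.+?):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ifc>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")


def parse_lines(text):
    """Split ASDM log text into one dict per recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def interpret(event):
    """Return a structured reading of the event, or None for ids this does not handle."""
    if event["msgid"] == "110003":
        m = ROUTE_FAIL_RE.search(event["text"])
        if not m:
            return None
        d = m.groupdict()
        d["kind"] = "no_route"
        # "NP Identity Ifc" is the ASA's own identity pseudo-interface: the packet was
        # generated by the firewall, not forwarded on behalf of a host.
        d["self_originated"] = d["src_ifc"] == "NP Identity Ifc"
        return d
    if event["msgid"] == "111008":
        m = re.search(r"executed the '(?P<cmd>[^']*)' command", event["text"])
        return {"kind": "command", "cmd": m.group("cmd")} if m else None
    return None


def correlate(events):
    """Pair self-originated no-route events with the CLI ping that produced them."""
    readings = [interpret(e) for e in events]
    cmds = [r for r in readings if r and r["kind"] == "command"]
    out = []
    for r in readings:
        if r and r["kind"] == "no_route" and r["self_originated"]:
            for c in cmds:
                toks = c["cmd"].split()
                if toks[:1] == ["ping"] and r["dst_ifc"] in toks and r["dst_ip"] in toks:
                    out.append(f"'{c['cmd']}' tried to reach {r['dst_ip']} via "
                               f"{r['dst_ifc']}, which has no route to it")
    return out


if __name__ == "__main__":
    for line in correlate(parse_lines(SAMPLE_LOG)):
        print(line)
```

A 110003 whose source is a real interface name (for instance `GUEST:192.168.114.101/...`) would mean a guest host's packet had no route, which is the condition the thread is actually trying to test; the self-originated variant only says something about the command that was typed.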
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36545577
Ok, perhaps I didn't get it right so let me ask again:
Do you have a line in your config like: route outside 0.0.0.0 0.0.0.0 x.x.x.x ?
0
 
LVL 1

Author Comment

by:prlit
ID: 36545616
Yeah, that's in there. I went into the ASDM, Packet Tracer, and it's getting dropped by implicit deny, even though any any IP is configured before it.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36545640
Ok, could you post a more elaborate config?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36545667
One more thing, just a thought, could you add:
access-list guest extended permit icmp any any
Just for the fun of it.
0
 
LVL 1

Author Comment

by:prlit
ID: 36545696

: Saved
:
ASA Version 8.2(5) 
!
hostname hinsdale
domain-name *
enable password *
passwd *
names
*
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.14.10 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address * 
!
interface Vlan3
 no forward interface Vlan1
 nameif GUEST
 security-level 50
 ip address 192.168.114.10 255.255.255.0 
!
banner exec ***No unauthorized Logins***
banner login ***No unauthorized Logins***
banner motd ***No unauthorized Logins***
banner asdm ***No unauthorized Logins***
boot system disk0:/asa825-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name *
Object-group network *
*
access-list inside_nat0_outbound extended permit ip 192.168.14.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.14.0 255.255.255.0 192.168.253.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.14.0 255.255.255.0 10.30.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.14.0 255.255.255.0 host 10.30.11.200 
access-list inside_nat0_outbound extended permit ip 192.168.14.0 255.255.255.0 object-group SJHI 
access-list inside_nat0_outbound extended permit ip 192.168.14.0 255.255.255.0 host LabOrchard 
access-list inside_nat0_outbound extended permit ip 192.168.14.0 255.255.255.0 object-group SJHC 
access-list inside_nat0_outbound extended permit ip 192.168.14.0 255.255.255.0 object-group FCMG 
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 any 
access-list outside_access_in extended permit ip 192.168.253.0 255.255.255.0 any 
access-list outside_access_in extended permit ip host 10.30.11.200 any 
access-list outside_access_in extended permit ip 10.30.1.0 255.255.255.0 any 
access-list outside_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip any any 
access-list outside_2_cryptomap extended permit ip 192.168.14.0 255.255.255.0 object-group SJHI 
access-list outside_3_cryptomap extended permit ip 192.168.14.0 255.255.255.0 object-group SJHC 
access-list outside_1_cryptomap extended permit ip 192.168.14.0 255.255.255.0 object-group FCMG 
access-list outside_1_cryptomap extended permit ip 192.168.14.0 255.255.255.0 192.168.253.0 255.255.255.0 
##Just added the bottom two to see if it'd change anything##
access-list GUEST_access_in extended permit ip any any 
access-list GUEST_access_in extended permit icmp any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu GUEST 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit 192.168.14.0 255.255.255.0 inside
icmp permit any outside
icmp permit 192.168.1.0 255.255.255.0 outside
asdm image disk0:/asdm-643.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (GUEST) 1 192.168.114.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group GUEST_access_in in interface GUEST
route outside 0.0.0.0 0.0.0.0 72.90.79.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http * 255.255.255.255 outside
http 192.168.253.0 255.255.255.0 inside
http 192.168.14.0 255.255.255.0 inside
snmp-server host inside RDP poll community *****
snmp-server location Hinsdale
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer * 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer * 
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer * 
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.14.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.253.0 255.255.255.0 inside
ssh * 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.14.200-192.168.14.254 inside
dhcpd dns DNS1 DNS interface inside
dhcpd enable inside
!
dhcpd address 192.168.114.100-192.168.114.200 GUEST
dhcpd dns 8.8.8.8 interface GUEST
dhcpd enable GUEST
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username * password ** encrypted privilege 15
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *****
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *****
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

: end
asdm image disk0:/asdm-643.bin
asdm location Barracuda 255.255.255.255 inside
asdm location Cassie 255.255.255.255 inside
no asdm history enable


0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36547809
User '****' executed the 'ping GUEST 8.8.8.8'
So you did that on the ASA? What if you try a ping/trace from a machine in the GUEST network, does it show the same in the logs then?
0
 
LVL 1

Author Comment

by:prlit
ID: 36563121
I'll try to get out to that office soon. I believe I was having issues even pinging the guest interface (192.168.114.10) even though DHCP was being provided accurately.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36565718
Ok, I'll be waiting.
0

 
LVL 1

Author Comment

by:prlit
ID: 36568927
Looks like I won't be able to get over there until Thursday to actually make changes, but here's what I found out..

I was losing 80% of my packets from my laptop to guest interface. I was dropping 40% of packets from guest interface to my laptop. When I plug my laptop directly into the ASA port 0/2, I can get out to the internet no problems (verified I received a 114.x address instead of the native vlan scheme). I think the problem is with my HP configuration. Here is what I have set up thus far.

 
HinsdaleSwitch# show config

IN-FLASH CONFIGURATION

; J4813A Configuration Editor; Created on release #F.01.08

time daylight-time-rule None
hostname "HinsdaleSwitch"
ip default-gateway 192.168.14.10
ip timep dhcp
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-21,23-26 tagged 22
   ip address 192.168.14.9 255.255.255.0
   exit
vlan 3
   name "Guest"
   untagged 22 tagged 21
   exit
HinsdaleSwitch#



The current cabling setup is as follows:
ASA port 0/0 <---> internet gw
Port 0/1 <---> port 1 on hp, vlan1 traffic
port 0/2 <---> port 22,vlan3
HP port 21 <---> Cisco AP

I think I have the terminology confused on the HP switch. I'll include the AP config but I think that is solid.

 
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SouthAP
!
enable secret 5 $
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid FCMG
   vlan 1
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 *
!
dot11 ssid FCMG_Guest1
   vlan 3
   authentication open
   guest-mode
!
!
!
username * password 7 *
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 ssid FCMG
 !
 ssid FCMG_Guest1
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 192.168.14.16 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.14.10
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end


0
 
LVL 1

Author Comment

by:prlit
ID: 36580541
I'm out of ideas for this.

I'm basically trying to do this http://www.dasblinkenlichten.com/?p=5 but instead of using a Catalyst, I'm using a **&^&& HP procurve 2524. Is it possible with this or no?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36580672
Think it might (not that much in to hp though).

I seem to be missing the trunk on the switch.
0
 
LVL 1

Author Comment

by:prlit
ID: 36580712
Once I tag port 21 for vlan1 and vlan3, I lose all connectivity to the AP. If I leave it untagged in vlan1, and tagged vlan 3, I can ping it, receive DHCP from it, but not access anything.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36580881
So tagging multiple vlans on the hp is the same as setting up a trunk? Hmmmmm.
0
 
LVL 1

Author Comment

by:prlit
ID: 36580930
Yeah.. Their definition of a trunk is something completely different than what it is in the cisco world. Once you tag = trunk, untagged = access port.
0
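
The HP switch config posted earlier and the tagged/untagged versus trunk/access exchange just above describe the same thing in two vocabularies: on a ProCurve a port that is tagged in any VLAN behaves like a Cisco trunk whose native VLAN is the one it is untagged in, and a port that is only untagged behaves like an access port. The script below is an added example, not the asker's or either vendor's code. It parses the posted `vlan` blocks into per-port membership, translates each port into Cisco terms, and compares every cabled link with the configuration on the far end as given in the same post (ASA 0/1 in the default VLAN 1, ASA 0/2 as `switchport access vlan 3`, and the AP's GigabitEthernet0 carrying dot1Q 1 native plus dot1Q 3); the `LINKS` table is constructed from that cabling list. On this input the only disagreement is port 22, which is untagged in VLAN 3 but also tagged in VLAN 1 while ASA Ethernet0/2 is an access port in VLAN 3; the thread never tested whether that explains the packet loss, so it is a thing to verify rather than a conclusion.

```python
"""Translate HP ProCurve VLAN membership (untagged/tagged per port) into
Cisco switchport terms and check each link against the device on the other
end. Added example, not from the thread or from either vendor; the VLAN block
is the one posted for the switch, and LINKS is constructed from the cabling
list and the ASA/AP configs in the same post."""
import re

HP_VLAN_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-21,23-26 tagged 22
   ip address 192.168.14.9 255.255.255.0
   exit
vlan 3
   name "Guest"
   untagged 22 tagged 21
   exit
"""

# Peer side of each link, in Cisco terms (constructed from the post). ASA 0/1
# has no access-vlan line, so it sits in the default VLAN 1; 0/2 is
# "switchport access vlan 3"; the AP's GigabitEthernet0 carries dot1Q 1
# native plus dot1Q 3.
LINKS = [
    (1, "ASA Ethernet0/1", {"mode": "access", "vlan": 1}),
    (22, "ASA Ethernet0/2", {"mode": "access", "vlan": 3}),
    (21, "AP GigabitEthernet0", {"mode": "trunk", "native": 1, "allowed": {1, 3}}),
]


def expand_ports(spec):
    """'1-21,23-26' -> {1, ..., 21, 23, ..., 26}"""
    ports = set()
    for chunk in spec.split(","):
        lo, _, hi = chunk.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_hp_vlans(text):
    """Return {port: {"untagged": vlan-or-None, "tagged": set-of-vlans}}."""
    ports = {}
    vlan = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"vlan (\d+)$", line)
        if m:
            vlan = int(m.group(1))
            continue
        if vlan is None or line == "exit":
            continue
        # a membership line carries one or more "untagged <ports>" / "tagged <ports>" pairs
        for kw, spec in re.findall(r"\b(untagged|tagged)\s+([\d,\-]+)", line):
            for p in expand_ports(spec):
                entry = ports.setdefault(p, {"untagged": None, "tagged": set()})
                if kw == "untagged":
                    entry["untagged"] = vlan
                else:
                    entry["tagged"].add(vlan)
    return ports


def to_cisco(entry):
    """HP membership -> Cisco switchport description: tagged anywhere means trunk."""
    if entry["tagged"]:
        allowed = set(entry["tagged"])
        if entry["untagged"] is not None:
            allowed.add(entry["untagged"])
        return {"mode": "trunk", "native": entry["untagged"], "allowed": allowed}
    return {"mode": "access", "vlan": entry["untagged"]}


def check_links(ports, links):
    """Return (port, peer, have, want) for each link whose two ends disagree on tagging."""
    problems = []
    for port, peer, want in links:
        have = to_cisco(ports.get(port, {"untagged": None, "tagged": set()}))
        if have != want:
            problems.append((port, peer, have, want))
    return problems


if __name__ == "__main__":
    for port, peer, have, want in check_links(parse_hp_vlans(HP_VLAN_CONFIG), LINKS):
        print(f"HP port {port} <-> {peer}: switch side {have}, peer expects {want}")
```

The comparison is deliberately strict (a trunk must agree on native VLAN and on the full allowed set), which is also the right posture for a guest segment: any VLAN leaking across a mismatched link is a VLAN the guest SSID was supposed to be isolated from.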
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36581160
It might be the issue there. Any chance of getting your hands on a catalyst to test that?
0
 
LVL 1

Author Comment

by:prlit
ID: 36891695
Just going to force them to buy a catalyst, I hate hp! cheers.
0
 
LVL 1

Author Comment

by:prlit
ID: 36891766
I've requested that this question be closed as follows:

Accepted answer: 0 points for prlit's comment http:/Q_27310129.html#36891695

for the following reason:

Using a different solution. HP would not work.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36891767
Though I'm not (only :) here for the points and they are yours to give, I would like to ask this:
We figured out that HP isn't going to work in this setup. It's not the answer we were hoping for but it is an answer...........
0
 
LVL 1

Author Comment

by:prlit
ID: 36891894
If you want the points it's No Big Deal.. I'm exactly where I was when I started. In theory it should work, in reality something is preventing it. I'm using a different, separate solution since I've run out of hours to get it to work like this.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 36892107
No no, I'm not just after your points, more after the motivation of why you closed it like you did. Sometimes the answer to a question here is: there is no answer or, it's not going to work this way. Though that's not always helpful, it might be the correct answer.
Anyway, as long as you appreciated the support (even when it didn't lead to a solution), I'm cool.
Points can be earned elsewhere (so many questions, so little time :)
0
 
LVL 1

Author Closing Comment

by:prlit
ID: 36924468
Points for time.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36927407
Well thank you very much :)
The thing is, I just told the moderators to leave this as is because I got your points as well (feeling a bit ashamed cause like I said, points are nice to have but not a necessity).
I could still ask them for a refund if you like. And if you don't: thanks again, much appreciated!
0
