Access between 2 vlans

felipesch
From the wireless interface (172.16.2.101) I can access the host on the server farm (172.16.1.1), but I can't access the DMZ (192.168.1.1). Can anyone explain why?

My config:

: Saved
:
ASA Version 8.0(4)28 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif serverfarm
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group brt
 ip address pppoe setroute 
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan22
 nameif wireless
 security-level 100
 ip address 172.16.2.1 255.255.255.0 
!
interface Vlan32
 nameif media
 security-level 90
 ip address 172.16.3.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 32
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone BRT -3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list wireless_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.3.0 255.255.255.0 
access-list wireless_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0 
access-list wireless_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list serverfarm_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu serverfarm 1500
mtu outside 1500
mtu dmz 1500
mtu wireless 1500
mtu media 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (serverfarm) 0 access-list serverfarm_nat0_outbound
nat (serverfarm) 1 172.16.1.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 192.168.1.0 255.255.255.0
nat (wireless) 0 access-list wireless_nat0_outbound
nat (wireless) 1 172.16.2.0 255.255.255.0
nat (media) 1 172.16.3.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.2.0 255.255.255.0 wireless
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group brt request dialout pppoe
vpdn group brt localname xx@localturbo
vpdn group brt ppp authentication pap
vpdn username xx@localturbo password ********* store-local
dhcpd auto_config outside
!
dhcpd auto_config outside interface serverfarm
!
dhcpd address 172.16.2.100-172.16.2.254 wireless
dhcpd auto_config outside interface wireless
dhcpd enable wireless
!
dhcpd address 172.16.3.100-172.16.3.254 media
dhcpd auto_config outside interface media
dhcpd enable media
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:f9a5456e18f13bb9fc08efc09be7c0f8
: end
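As an added check (my code, not from the question or any of the answers), this script walks the ASA 8.0 policy order the posted config relies on, security levels first and then nat-control, for a given source and destination address and reports which rule permits or drops the flow. It embeds a constructed excerpt of the asker's config and assumes the pre-8.3 nat/global/nat 0 syntax shown above.

```python
import ipaddress
# Constructed excerpt of the asker's config: the lines that decide a wireless -> dmz flow.
CONFIG = """\
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
nameif wireless
security-level 100
ip address 172.16.2.1 255.255.255.0
access-list wireless_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat-control
global (outside) 1 interface
nat (wireless) 0 access-list wireless_nat0_outbound
nat (wireless) 1 172.16.2.0 255.255.255.0
"""
net = lambda ip, mask: ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def parse(cfg):
    ifaces, acls, nat, glob, cur = {}, {}, {}, {}, None
    for t in filter(None, (line.split() for line in cfg.splitlines())):
        if t[0] == "nameif":
            ifaces[(cur := t[1])] = {}
        elif t[0] == "security-level":
            ifaces[cur]["level"] = int(t[1])
        elif t[:2] == ["ip", "address"] and t[2][0].isdigit():  # skips 'ip address pppoe'
            ifaces[cur]["net"] = net(t[2], t[3])
        elif t[0] == "access-list" and t[3:5] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[0] == "nat":  # nat (iface) ID access-list NAME  |  nat (iface) ID NET MASK
            nat.setdefault(t[1].strip("()"), []).append((int(t[2]), t[3:]))
        elif t[0] == "global":
            glob.setdefault(t[1].strip("()"), set()).add(int(t[2]))
    return ifaces, acls, nat, glob

def verdict(cfg, src_ip, dst_ip):
    # Policy order for an inter-interface flow under nat-control: security levels first
    # (lower->higher needs an access-group, equal needs same-security-traffic), then NAT.
    ifaces, acls, nat, glob = parse(cfg)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    s, d = (next(n for n, i in ifaces.items() if ip in i["net"]) for ip in (src, dst))
    ls, ld = ifaces[s]["level"], ifaces[d]["level"]
    if ls < ld or (ls == ld and "same-security-traffic permit inter-interface" not in cfg):
        return f"{s}->{d}: blocked by security levels {ls}->{ld}"
    # nat-control: needs a NAT exemption (nat 0 ACL) or a nat id with a global on the egress side.
    for nid, rest in nat.get(s, []):
        if nid == 0 and any(src in a and dst in b for a, b in acls.get(rest[-1], [])):
            return f"{s}->{d}: allowed, NAT exemption {rest[-1]}"
        if nid in glob.get(d, ()) and src in net(rest[0], rest[1]):
            return f"{s}->{d}: allowed, nat id {nid} has global ({d})"
    return f"{s}->{d}: blocked by nat-control, no exemption and no global ({d})"
```

Run verdict() with the excerpt as posted, then with the exemption line removed, to see the two different reasons the ASA can drop the same flow.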

Top Expert 2012
Commented:
You need to change this line

access-list dmz_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0

To this

access-list dmz_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
