BayStateIT
asked on
Cisco ASA 9.1 NAT issue
I have a website hosted internally (inside). I have configured public access (Cogent) to the internal website. This is working fine without any issues.
I have a guest Wi-Fi subnet (WAP) configured on another ASA interface. My challenge is allowing the users on the guest Wi-Fi to browse to the internal website using the website's external URL. There is no issue browsing to the internet in general whilst on the guest Wi-Fi.
Please help. The result of the packet trace is below, along with the relevant firewall config.
FW# packet-tracer input WAP tcp 192.168.99.154 12345 31.88.88.58 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 31.88.88.58 255.255.255.255 identity
Result:
input-interface: WAP
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
Here is the ASA config
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0
!
interface Ethernet0/3
speed 100
duplex full
nameif Cogent
security-level 0
ip address 31.88.88.58 255.255.255.248
!
interface Management0/0
description Trunking Interface
no nameif
no security-level
no ip address
!
interface Management0/0.3
description Public Wi-Fi
vlan 99
nameif WAP
security-level 10
ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2
!
object service HTTP
service tcp destination eq www
object service HTTPS
service tcp destination eq https
object network exchange_server
host 10.1.1.12
object network metamark_data_cogent
subnet 10.1.1.0 255.255.255.0
object network wap_subnet_cogent
subnet 192.168.99.0 255.255.255.0
object network exchange_server_smtp
host 10.1.1.12
object network exchange_server_http
host 10.1.1.12
object network exchange_server_https
host 10.1.1.12
object network exchange_server_imap4
host 10.1.1.12
object network exchange_server_587
host 10.1.1.12
object network EXT_Int
host 31.88.88.58
object network exchange_server_waphttp
host 10.1.1.12
object network exchange_server_waphttps
host 10.1.1.12
access-list Cogent_acl extended permit tcp any4 object exchange_server eq https
access-list Cogent_acl extended permit tcp any4 object exchange_server eq www
access-list Cogent_acl extended permit tcp any4 object exchange_server eq imap4
access-list Cogent_acl extended permit tcp any4 object exchange_server eq 587
access-list Cogent_acl extended permit icmp any4 any4 echo-reply
access-list wap_acl extended permit tcp any4 host 10.1.1.12 eq https
access-list wap_acl extended permit tcp any4 host 10.1.1.12 eq www
access-list wap_acl extended permit ip any4 any4
nat (inside,outside) source static exchange_server interface service SMTP SMTP
nat (inside,outside) source static exchange_server interface service HTTPS HTTPS
nat (inside,outside) source static exchange_server interface service HTTP HTTP
nat (inside,outside) source static exchange_server interface service IMAP4 IMAP4
nat (inside,outside) source static exchange_server interface service 587 587
nat (inside,outside) source static exchange_server interface service 3101 3101
nat (inside,Cogent) source static exchange_server interface service HTTPS HTTPS
nat (inside,Cogent) source static exchange_server interface service IMAP4 IMAP4
nat (inside,Cogent) source static exchange_server interface service 3101 3101
nat (inside,Cogent) source static exchange_server interface service HTTP HTTP
nat (inside,Cogent) source static exchange_server interface service 587 587
nat (inside,WAP) source static exchange_server EXT_Int service HTTP HTTP
nat (inside,WAP) source static exchange_server EXT_Int service HTTPS HTTPS
!
object network metamark_data_cogent
nat (inside,Cogent) dynamic interface
object network wap_subnet_cogent
nat (WAP,Cogent) dynamic 31.88.88.62
object network exchange_server_smtp
nat (inside,Cogent) static interface service tcp smtp smtp
object network exchange_server_http
nat (inside,Cogent) static interface service tcp www www
object network exchange_server_https
nat (inside,Cogent) static interface service tcp https https
object network exchange_server_waphttp
nat (inside,WAP) static interface service tcp www www
object network exchange_server_waphttps
nat (inside,WAP) static interface service tcp https https
access-group Cogent_acl in interface Cogent
access-group wap_acl in interface WAP
Regards
ASKER
Thanks for your response, Rauenpc
I would greatly appreciate it if you could provide an example based on the sample config I posted.
Regards
ASKER CERTIFIED SOLUTION
Another would be to allow guest users access to your internal DNS servers, limit them to DNS queries only, and then they will get internal results and you would just have to allow that traffic between the interfaces.
The other method is to use dns doctoring. This would require a one-to-one nat, however, and all of your current nat statements appear to use port forwarding/PAT. Below is a DNS doctoring example.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html
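An added illustration of the one-to-one requirement described in the answer above, built from the objects in the posted config; it is not from the original thread or the poster's device. It assumes the guest clients resolve the site through a DNS server on the Cogent side (so the reply traverses the ASA), and 31.88.88.60 is a constructed placeholder for a spare address in the Cogent /29.

```cisco
! Added example, not from the original thread. 31.88.88.60 is a constructed
! placeholder for an unused address in the Cogent /29; the public A record
! for the site would have to point at it.
!
! Existing rule, for contrast: a static PAT to the interface address cannot
! take the dns keyword, because a port-translated mapping gives the ASA no
! unique one-to-one address to substitute in an A record.
object network exchange_server_https
 nat (inside,Cogent) static interface service tcp https https
!
! One-to-one static NAT with DNS rewrite (DNS doctoring). When a DNS reply
! for the public name crosses the ASA, the A record 31.88.88.60 is rewritten
! to 10.1.1.12, so a guest on WAP connects to the real address instead of
! the PAT address that produced nat-no-xlate-to-pat-pool in the trace.
object network exchange_server
 host 10.1.1.12
 nat (inside,Cogent) static 31.88.88.60 dns
!
! The rewrite only happens when DNS inspection is enabled. This is the ASA
! default global policy entry; confirm it is present rather than re-adding it.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! WAP to inside traffic to the real address is already permitted by wap_acl
! (permit tcp any4 host 10.1.1.12 eq https / eq www), so no new access rule
! is needed for the doctored flow.
!
! Verify with the same tool the question used, now against the real address:
! FW# packet-tracer input WAP tcp 192.168.99.154 12345 10.1.1.12 443
```

The contrast is the point: the PAT rules in the posted config (static interface with a service) forward ports but offer nothing for DNS rewrite, which is why the answer says doctoring needs a dedicated one-to-one address.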