Cisco ASA 7.2 DMZ NAT

Last Modified: 2015-12-09
Hi. I have to set up WiFi on the DMZ, but the WiFi people want an odd config.

2 interfaces on the firewall:
  WIFI_data - 10.90.1.1/24, SL is 50
  WIFI_Mngt - 10.90.1.0/24, SL is 100

When traffic hits my firewall I get the message below, so I can't get to the internet. Can someone help debug my config so that the WAPs can get to the internet?

"Dec 09 2015      06:16:36      305005      8.8.8.8             No translation group found for udp src WIFI-Mgmt:10.98.1.11/61801 dst outside2:8.8.8.8/53"


ebsc-ig1# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ebsc-ig1
domain-name xxx.com
enable password DGerT0.3WeQP2akB encrypted
names
name 10.96.1.103 Sonicwall description Sonicwall emote access
name xxx.xx..59.202 External-ip description External IP
name xxx.xx.59.203 Sonicwall-External description Sonicwall External
!
interface GigabitEthernet0/0
 description ISP Interface
 shutdown
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 description main ISP outside2
 nameif outside2
 security-level 0
 ip address External-ip 255.255.255.248
!
interface GigabitEthernet0/3
 nameif WIFI-Mgmt
 security-level 50
 ip address 10.98.1.254 255.255.255.0
!
interface GigabitEthernet0/3.90
 description WIFI_Data Traffic
 vlan 90
 nameif WIFI_Data
 security-level 100
 ip address 10.90.1.254 255.255.255.0
!
interface Management0/0
 description managment inside
 shutdown
 no nameif
 no security-level
 no ip address
!            
passwd DGerT0.3WeQP2akB encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Network_list1
 network-object 10.96.1.0 255.255.255.0
 network-object 10.94.1.0 255.255.255.0
 network-object 10.99.1.0 255.255.255.0
 network-object 10.97.1.0 255.255.255.0
 network-object 10.98.1.0 255.255.255.0
 network-object 10.93.1.0 255.255.255.0
 network-object 10.95.1.0 255.255.255.0
object-group network WIFI_WAP_Data
 description WIFI_WAP_Data
 network-object 10.90.1.0 255.255.255.0
 network-object 10.98.1.0 255.255.255.0
access-list outside extended permit tcp any any eq ssh
access-list ACL-ALL extended permit ip object-group Network_list1 any
access-list inside_in extended permit tcp any any log
access-list inside_in extended permit ip any any log
access-list inside_in extended permit icmp any any log
access-list ACL_OUTSIDE2 extended permit icmp any any
access-list ACL_OUTSIDE2 extended permit ip any any log
access-list WIFI-Mgmt_access_in extended permit icmp 10.98.1.0 255.255.255.0 any echo
access-list WIFI-Mgmt_access_in extended permit udp 10.98.1.0 255.255.255.0 any
access-list WIFI-Mgmt_access_in extended permit tcp any any
access-list WIFI-Mgmt_access_in extended permit udp any any
access-list WIFI_Mgnt_access_out extended permit ip any any
access-list WIFI_Mgnt_access_out extended permit tcp any any
access-list WIFI_Mgnt_access_in extended permit ip any any
access-list WIFI_Mgnt_access_in extended permit tcp any any
access-list WIFI_Mgnt_access_in extended permit udp any any
access-list WIFI_Data_access_in extended permit tcp any any
access-list WIFI_Data_access_in extended permit udp any any
access-list WIFI_Data_access_in extended permit udp 10.90.1.0 255.255.255.0 any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging device-id hostname
logging host inside 10.95.1.2
mtu outside 1500
mtu inside 1500
mtu outside2 1500
mtu WIFI-Mgmt 1500
mtu WIFI_Data 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside2) 20 interface
nat (inside) 20 10.0.0.0 255.0.0.0
static (inside,outside2) tcp Sonicwall-External www Sonicwall www netmask 255.255.255.255
static (inside,outside2) tcp Sonicwall-External https Sonicwall https netmask 255.255.255.255
static (outside2,inside) tcp Sonicwall www External-ip www netmask 255.255.255.255
static (outside2,inside) Sonicwall Sonicwall-External netmask 255.255.255.255
access-group inside_in in interface inside
access-group ACL_OUTSIDE2 in interface outside2
access-group WIFI-Mgmt_access_in in interface WIFI-Mgmt
access-group WIFI_Data_access_in in interface WIFI_Data
route inside 10.96.1.0 255.255.255.0 10.1.1.254 1
route inside 10.95.1.0 255.255.255.0 10.1.1.254 1
route inside 10.94.1.0 255.255.255.0 10.1.1.254 1
route inside 10.99.1.0 255.255.255.0 10.1.1.254 1
route inside 10.97.1.0 255.255.255.0 10.1.1.254 1
route inside 10.93.1.0 255.255.255.0 10.1.1.254 1
route outside2 0.0.0.0 0.0.0.0 89.197.59.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password VMjKUVR42fvN0IE1 encrypted
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.95.1.0 255.255.255.0 inside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.96.1.0 255.255.255.0 inside
ssh 10.95.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
!
!            
policy-map Global_policy
!
prompt hostname context
Cryptochecksum:e439bcd91fe2a64db255e349452e657b
: end
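As an added illustration (not part of the question or any answer on the page), the Python below models how a pre-8.3 ASA resolves dynamic NAT: a `nat (ingress) id network mask` statement whose network covers the source address must be paired, by id, with a `global (egress) id` on the exit interface, and with `nat-control` enabled a flow that finds no such pair is dropped with syslog 305005. The excerpt it parses contains only the `nat-control`, `global` and `nat` lines copied from the posted config; `static` and `nat 0` rules are deliberately not modelled.

```python
import ipaddress
import re

# Constructed excerpt: only the dynamic-NAT lines from the config posted above.
ASA_NAT_LINES = """
nat-control
global (outside2) 20 interface
nat (inside) 20 10.0.0.0 255.0.0.0
"""

# nat (ifc) id network mask   /   global (ifc) id pool-or-interface
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

def parse_nat(config):
    """Collect pre-8.3 style nat/global statements and the nat-control flag.
    static and 'nat 0' exemptions are ignored (simplification)."""
    nat_control = False
    nat_rules = []      # (src_ifc, nat_id, network)
    global_pools = {}   # (dst_ifc, nat_id) -> pool address or 'interface'
    for raw in config.splitlines():
        line = raw.strip()
        if line == "nat-control":
            nat_control = True
            continue
        m = NAT_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            nat_rules.append((m.group(1), int(m.group(2)), net))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_pools[(m.group(1), int(m.group(2)))] = m.group(3)
    return nat_control, nat_rules, global_pools

def translation_path(config, src_ifc, src_ip, dst_ifc):
    """Look up a dynamic translation for src_ip arriving on src_ifc and leaving
    via dst_ifc, the same way the ASA pairs a nat id with a global id."""
    nat_control, nat_rules, global_pools = parse_nat(config)
    addr = ipaddress.ip_address(src_ip)
    for ifc, nat_id, net in nat_rules:
        if ifc == src_ifc and addr in net and (dst_ifc, nat_id) in global_pools:
            pool = global_pools[(dst_ifc, nat_id)]
            return f"translated via nat id {nat_id} -> global ({dst_ifc}) {pool}"
    if nat_control:
        return "No translation group found"   # the condition syslog 305005 reports
    return "forwarded untranslated (nat-control disabled)"

if __name__ == "__main__":
    # The failing flow from the logged message, and the working LAN flow for comparison.
    print(translation_path(ASA_NAT_LINES, "WIFI-Mgmt", "10.98.1.11", "outside2"))
    print(translation_path(ASA_NAT_LINES, "inside", "10.1.1.50", "outside2"))
```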