Cisco ASA 7.2 DMZ NAT

thombie
Hi, I have to set up WiFi on the DMZ but the WiFi people want an odd config.

2 interfaces on the firewall:
  WIFI_data - 10.90.1.1/24, SL is 50
  WIFI_Mngt - 10.90.1.0/24, SL is 100

When traffic hits my firewall I get the following, so I can't get to the internet. Can someone help debug my config so that the WAPs can get to the internet?

"Dec 09 2015      06:16:36      305005      8.8.8.8             No translation group found for udp src WIFI-Mgmt:10.98.1.11/61801 dst outside2:8.8.8.8/53"


ebsc-ig1# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ebsc-ig1
domain-name xxx.com
enable password DGerT0.3WeQP2akB encrypted
names
name 10.96.1.103 Sonicwall description Sonicwall emote access
name xxx.xx..59.202 External-ip description External IP
name xxx.xx.59.203 Sonicwall-External description Sonicwall External
!
interface GigabitEthernet0/0
 description ISP Interface
 shutdown
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 description main ISP outside2
 nameif outside2
 security-level 0
 ip address External-ip 255.255.255.248
!
interface GigabitEthernet0/3
 nameif WIFI-Mgmt
 security-level 50
 ip address 10.98.1.254 255.255.255.0
!
interface GigabitEthernet0/3.90
 description WIFI_Data Traffic
 vlan 90
 nameif WIFI_Data
 security-level 100
 ip address 10.90.1.254 255.255.255.0
!
interface Management0/0
 description managment inside
 shutdown
 no nameif
 no security-level
 no ip address
!            
passwd DGerT0.3WeQP2akB encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Network_list1
 network-object 10.96.1.0 255.255.255.0
 network-object 10.94.1.0 255.255.255.0
 network-object 10.99.1.0 255.255.255.0
 network-object 10.97.1.0 255.255.255.0
 network-object 10.98.1.0 255.255.255.0
 network-object 10.93.1.0 255.255.255.0
 network-object 10.95.1.0 255.255.255.0
object-group network WIFI_WAP_Data
 description WIFI_WAP_Data
 network-object 10.90.1.0 255.255.255.0
 network-object 10.98.1.0 255.255.255.0
access-list outside extended permit tcp any any eq ssh
access-list ACL-ALL extended permit ip object-group Network_list1 any
access-list inside_in extended permit tcp any any log
access-list inside_in extended permit ip any any log
access-list inside_in extended permit icmp any any log
access-list ACL_OUTSIDE2 extended permit icmp any any
access-list ACL_OUTSIDE2 extended permit ip any any log
access-list WIFI-Mgmt_access_in extended permit icmp 10.98.1.0 255.255.255.0 any echo
access-list WIFI-Mgmt_access_in extended permit udp 10.98.1.0 255.255.255.0 any
access-list WIFI-Mgmt_access_in extended permit tcp any any
access-list WIFI-Mgmt_access_in extended permit udp any any
access-list WIFI_Mgnt_access_out extended permit ip any any
access-list WIFI_Mgnt_access_out extended permit tcp any any
access-list WIFI_Mgnt_access_in extended permit ip any any
access-list WIFI_Mgnt_access_in extended permit tcp any any
access-list WIFI_Mgnt_access_in extended permit udp any any
access-list WIFI_Data_access_in extended permit tcp any any
access-list WIFI_Data_access_in extended permit udp any any
access-list WIFI_Data_access_in extended permit udp 10.90.1.0 255.255.255.0 any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging device-id hostname
logging host inside 10.95.1.2
mtu outside 1500
mtu inside 1500
mtu outside2 1500
mtu WIFI-Mgmt 1500
mtu WIFI_Data 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside2) 20 interface
nat (inside) 20 10.0.0.0 255.0.0.0
static (inside,outside2) tcp Sonicwall-External www Sonicwall www netmask 255.255.255.255
static (inside,outside2) tcp Sonicwall-External https Sonicwall https netmask 255.255.255.255
static (outside2,inside) tcp Sonicwall www External-ip www netmask 255.255.255.255
static (outside2,inside) Sonicwall Sonicwall-External netmask 255.255.255.255
access-group inside_in in interface inside
access-group ACL_OUTSIDE2 in interface outside2
access-group WIFI-Mgmt_access_in in interface WIFI-Mgmt
access-group WIFI_Data_access_in in interface WIFI_Data
route inside 10.96.1.0 255.255.255.0 10.1.1.254 1
route inside 10.95.1.0 255.255.255.0 10.1.1.254 1
route inside 10.94.1.0 255.255.255.0 10.1.1.254 1
route inside 10.99.1.0 255.255.255.0 10.1.1.254 1
route inside 10.97.1.0 255.255.255.0 10.1.1.254 1
route inside 10.93.1.0 255.255.255.0 10.1.1.254 1
route outside2 0.0.0.0 0.0.0.0 89.197.59.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password VMjKUVR42fvN0IE1 encrypted
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.95.1.0 255.255.255.0 inside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.96.1.0 255.255.255.0 inside
ssh 10.95.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
!
!            
policy-map Global_policy
!
prompt hostname context
Cryptochecksum:e439bcd91fe2a64db255e349452e657b
: end
Add this line:

nat (WIFI-Mgmt) 20 10.98.0.0 255.255.255.0

and possibly this one:

nat (WIFI_Data) 20 10.90.0.0 255.255.255.0

Author

Commented:
Thanks, I have the same issue; the logs are saying:
3      Dec 09 2015      09:46:33      305005      185.17.255.164             No translation group found for udp src WIFI-Mgmt:10.98.1.10/43538 dst outside2:185.17.255.164/7351
Run "clear xlate".

Author

Commented:
Same problem.
Whoops.  I messed up the subnets:

clear xlate
no nat (WIFI-Mgmt) 20 10.98.0.0 255.255.255.0
no nat (WIFI_Data) 20 10.90.0.0 255.255.255.0

nat (WIFI-Mgmt) 20 10.98.1.0 255.255.255.0
nat (WIFI_Data) 20 10.90.1.0 255.255.255.0
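As an added example (not from the thread, and not Cisco code), the following Python script models the part of the ASA 7.2 dynamic NAT lookup that produces the 305005 "No translation group found" message: it parses a 305005 syslog line, parses the nat/global lines of a config fragment, and reports whether a nat statement on the flow's source interface covers the source address and pairs with a global statement (same NAT ID) on the destination interface. It is a deliberate simplification that ignores static, policy and identity NAT; the config fragments and the log line are constructed from the values quoted in the thread, so you can see the original config, the off-by-one-octet fix and the corrected fix give three different verdicts.

```python
import ipaddress
import re
from dataclasses import dataclass

# Matches the ASA 305005 syslog text as quoted in the thread, e.g.
# "... 305005  8.8.8.8  No translation group found for udp src WIFI-Mgmt:10.98.1.11/61801 dst outside2:8.8.8.8/53"
SYSLOG_305005 = re.compile(
    r"305005\s+\S+\s+No translation group found for (?P<proto>\w+) src "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) dst "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
# ASA 7.x dynamic NAT syntax: "nat (<if>) <id> <net> <mask>" and "global (<if>) <id> interface".
# Lines prefixed with "no " are not parsed; this model expects an already-applied config.
NAT_LINE = re.compile(r"nat \((?P<if>[\w-]+)\) (?P<id>\d+) (?P<net>[\d.]+) (?P<mask>[\d.]+)$")
GLOBAL_LINE = re.compile(r"global \((?P<if>[\w-]+)\) (?P<id>\d+) interface$")


@dataclass(frozen=True)
class NatRule:
    interface: str            # interface the nat statement is bound to
    nat_id: int
    network: ipaddress.IPv4Network


@dataclass(frozen=True)
class GlobalRule:
    interface: str            # egress interface whose address is used for PAT
    nat_id: int


def parse_nat_config(text):
    """Collect nat and global statements from a config fragment."""
    nats, globals_ = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT_LINE.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
            nats.append(NatRule(m["if"], int(m["id"]), net))
            continue
        m = GLOBAL_LINE.match(line)
        if m:
            globals_.append(GlobalRule(m["if"], int(m["id"])))
    return nats, globals_


def parse_305005(line):
    """Return the flow fields of a 305005 message, or None if the line is not one."""
    m = SYSLOG_305005.search(line)
    return m.groupdict() if m else None


def find_translation(nats, globals_, src_if, src_ip, dst_if):
    """Simplified nat-control lookup: a flow is translated only if a nat statement on
    the *source* interface covers the source IP and a global with the same NAT ID
    exists on the destination interface. A nat on 'inside' never helps 'WIFI-Mgmt'."""
    src = ipaddress.IPv4Address(src_ip)
    for n in nats:
        if n.interface == src_if and src in n.network:
            for g in globals_:
                if g.nat_id == n.nat_id and g.interface == dst_if:
                    return n, g
    return None


def diagnose(config_text, syslog_line):
    """Explain, in one line, why the ASA did or did not find a translation group."""
    f = parse_305005(syslog_line)
    if f is None:
        return "not a 305005 message"
    nats, globals_ = parse_nat_config(config_text)
    hit = find_translation(nats, globals_, f["src_if"], f["src_ip"], f["dst_if"])
    if hit:
        nat, glob = hit
        return (f"translated: nat ({nat.interface}) {nat.nat_id} {nat.network} "
                f"-> global ({glob.interface}) {glob.nat_id}")
    same_if = [n for n in nats if n.interface == f["src_if"]]
    if not same_if:
        return f"no nat statement on {f['src_if']}; add: nat ({f['src_if']}) <id> <subnet> <mask>"
    return (f"nat statements exist on {f['src_if']} but none cover {f['src_ip']}: "
            + ", ".join(str(n.network) for n in same_if))


# Constructed config fragments, reduced to the lines relevant to the WIFI-Mgmt flow.
ORIGINAL_NAT = """
global (outside2) 20 interface
nat (inside) 20 10.0.0.0 255.0.0.0
"""
# First suggestion from the thread: subnets are off by one octet (10.98.0.0 vs 10.98.1.0).
WRONG_SUBNET_NAT = ORIGINAL_NAT + """
nat (WIFI-Mgmt) 20 10.98.0.0 255.255.255.0
nat (WIFI_Data) 20 10.90.0.0 255.255.255.0
"""
# Corrected suggestion from the thread.
FIXED_NAT = ORIGINAL_NAT + """
nat (WIFI-Mgmt) 20 10.98.1.0 255.255.255.0
nat (WIFI_Data) 20 10.90.1.0 255.255.255.0
"""
# The DNS-to-8.8.8.8 message quoted in the question (whitespace collapsed).
LOG_DNS = ("Dec 09 2015 06:16:36 305005 8.8.8.8 No translation group found for udp "
           "src WIFI-Mgmt:10.98.1.11/61801 dst outside2:8.8.8.8/53")

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL_NAT), ("wrong subnet", WRONG_SUBNET_NAT), ("fixed", FIXED_NAT)]:
        print(f"{name:>12}: {diagnose(cfg, LOG_DNS)}")
```

The three verdicts track the thread: with the original config there is no nat statement on WIFI-Mgmt at all (the `nat (inside) 20 10.0.0.0` line only applies to flows entering on inside); with the first suggestion a nat exists on WIFI-Mgmt but 10.98.0.0/24 does not contain 10.98.1.11; with the corrected subnet the flow pairs with `global (outside2) 20`. The same check applied to a feed of 305005 messages is a cheap way to spot interfaces that were added without a matching nat statement under nat-control.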

Author

Commented:
Perfect, thanks, that works.
