Hi, I have to set up WiFi on the DMZ, but the WiFi people want an odd config.
2 interfaces on the firewall:
WIFI_data - 10.90.1.1/24 SL is 50
WIFI_Mngt 10.90.1.0/24 SL is 100
When traffic hits my firewall I get the message below, so I can't get to the internet. Can someone help debug my config so that the WAPs can get to the internet?
"Dec 09 2015 06:16:36 305005 8.8.8.8 No translation group found for udp src WIFI-Mgmt:10.98.1.11/61801 dst outside2:8.8.8.8/53"
ebsc-ig1# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ebsc-ig1
domain-name xxx.com
enable password DGerT0.3WeQP2akB encrypted
names
name 10.96.1.103 Sonicwall description Sonicwall emote access
name xxx.xx..59.202 External-ip description External IP
name xxx.xx.59.203 Sonicwall-External description Sonicwall External
!
interface GigabitEthernet0/0
description ISP Interface
shutdown
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
description LAN Interface
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
description main ISP outside2
nameif outside2
security-level 0
ip address External-ip 255.255.255.248
!
interface GigabitEthernet0/3
nameif WIFI-Mgmt
security-level 50
ip address 10.98.1.254 255.255.255.0
!
interface GigabitEthernet0/3.90
description WIFI_Data Traffic
vlan 90
nameif WIFI_Data
security-level 100
ip address 10.90.1.254 255.255.255.0
!
interface Management0/0
description managment inside
shutdown
no nameif
no security-level
no ip address
!
passwd DGerT0.3WeQP2akB encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Network_list1
network-object 10.96.1.0 255.255.255.0
network-object 10.94.1.0 255.255.255.0
network-object 10.99.1.0 255.255.255.0
network-object 10.97.1.0 255.255.255.0
network-object 10.98.1.0 255.255.255.0
network-object 10.93.1.0 255.255.255.0
network-object 10.95.1.0 255.255.255.0
object-group network WIFI_WAP_Data
description WIFI_WAP_Data
network-object 10.90.1.0 255.255.255.0
network-object 10.98.1.0 255.255.255.0
access-list outside extended permit tcp any any eq ssh
access-list ACL-ALL extended permit ip object-group Network_list1 any
access-list inside_in extended permit tcp any any log
access-list inside_in extended permit ip any any log
access-list inside_in extended permit icmp any any log
access-list ACL_OUTSIDE2 extended permit icmp any any
access-list ACL_OUTSIDE2 extended permit ip any any log
access-list WIFI-Mgmt_access_in extended permit icmp 10.98.1.0 255.255.255.0 any echo
access-list WIFI-Mgmt_access_in extended permit udp 10.98.1.0 255.255.255.0 any
access-list WIFI-Mgmt_access_in extended permit tcp any any
access-list WIFI-Mgmt_access_in extended permit udp any any
access-list WIFI_Mgnt_access_out extended permit ip any any
access-list WIFI_Mgnt_access_out extended permit tcp any any
access-list WIFI_Mgnt_access_in extended permit ip any any
access-list WIFI_Mgnt_access_in extended permit tcp any any
access-list WIFI_Mgnt_access_in extended permit udp any any
access-list WIFI_Data_access_in extended permit tcp any any
access-list WIFI_Data_access_in extended permit udp any any
access-list WIFI_Data_access_in extended permit udp 10.90.1.0 255.255.255.0 any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging device-id hostname
logging host inside 10.95.1.2
mtu outside 1500
mtu inside 1500
mtu outside2 1500
mtu WIFI-Mgmt 1500
mtu WIFI_Data 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside2) 20 interface
nat (inside) 20 10.0.0.0 255.0.0.0
static (inside,outside2) tcp Sonicwall-External www Sonicwall www netmask 255.255.255.255
static (inside,outside2) tcp Sonicwall-External https Sonicwall https netmask 255.255.255.255
static (outside2,inside) tcp Sonicwall www External-ip www netmask 255.255.255.255
static (outside2,inside) Sonicwall Sonicwall-External netmask 255.255.255.255
access-group inside_in in interface inside
access-group ACL_OUTSIDE2 in interface outside2
access-group WIFI-Mgmt_access_in in interface WIFI-Mgmt
access-group WIFI_Data_access_in in interface WIFI_Data
route inside 10.96.1.0 255.255.255.0 10.1.1.254 1
route inside 10.95.1.0 255.255.255.0 10.1.1.254 1
route inside 10.94.1.0 255.255.255.0 10.1.1.254 1
route inside 10.99.1.0 255.255.255.0 10.1.1.254 1
route inside 10.97.1.0 255.255.255.0 10.1.1.254 1
route inside 10.93.1.0 255.255.255.0 10.1.1.254 1
route outside2 0.0.0.0 0.0.0.0 89.197.59.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password VMjKUVR42fvN0IE1 encrypted
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.95.1.0 255.255.255.0 inside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.96.1.0 255.255.255.0 inside
ssh 10.95.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
!
!
policy-map Global_policy
!
prompt hostname context
Cryptochecksum:e439bcd91fe2a64db255e349452e657b
: end
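
An added example, not part of the original post: with `nat-control` enabled, an ASA 7.2 drops traffic from a higher-security interface that has no `nat` rule paired with a `global` on the egress interface and logs 305005, as in the message quoted above. The Python check below reports such interfaces in a running-config; the function name is hypothetical, and as a simplifying assumption it compares only dynamic `nat`/`global` IDs toward the default-route interface, ignoring `static` rules and the networks listed in each `nat` line.

```python
import re

# Excerpt of the running-config posted above, trimmed to the NAT-relevant lines.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif outside2
 security-level 0
interface GigabitEthernet0/3
 nameif WIFI-Mgmt
 security-level 50
interface GigabitEthernet0/3.90
 nameif WIFI_Data
 security-level 100
nat-control
global (outside2) 20 interface
nat (inside) 20 10.0.0.0 255.0.0.0
route outside2 0.0.0.0 0.0.0.0 89.197.59.201 1
"""

def interfaces_without_translation(config):
    """Return nameifs that nat-control stops from reaching the default-route interface."""
    levels, nameif = {}, None
    globals_by_if, nat_ids_by_if = {}, {}
    egress, nat_control = None, False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            nameif = None  # a new interface block starts; forget the previous name
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif (m := re.match(r"security-level (\d+)$", line)) and nameif:
            levels[nameif] = int(m.group(1))
        elif line == "nat-control":
            nat_control = True
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            globals_by_if.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nat_ids_by_if.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", line):
            egress = m.group(1)
    if not nat_control or egress is None:
        return []  # without nat-control, a missing nat rule does not block traffic
    ok_ids = globals_by_if.get(egress, set()) | {"0"}  # nat 0 is an exemption
    return sorted(n for n, lvl in levels.items()
                  if lvl > levels.get(egress, 0) and not nat_ids_by_if.get(n, set()) & ok_ids)
```

On the excerpt it returns the two WiFi interfaces: neither has a `nat` statement whose ID matches `global (outside2) 20 interface`, while `inside` does.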