
Cisco ASA 7.2 DMZ NAT

thombie asked:
Hi, I have to set up WiFi on the DMZ, but the WiFi people want an odd config.

2 interfaces on the firewall:
  WIFI_data - 10.90.1.1/24, SL is 50
  WIFI_Mngt - 10.90.1.0/24, SL is 100

When traffic hits my firewall I get this, so I can't get to the internet. Can someone help debug my config so that the WAPs can get to the internet?

"Dec 09 2015      06:16:36      305005      8.8.8.8             No translation group found for udp src WIFI-Mgmt:10.98.1.11/61801 dst outside2:8.8.8.8/53"


ebsc-ig1# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ebsc-ig1
domain-name xxx.com
enable password DGerT0.3WeQP2akB encrypted
names
name 10.96.1.103 Sonicwall description Sonicwall emote access
name xxx.xx..59.202 External-ip description External IP
name xxx.xx.59.203 Sonicwall-External description Sonicwall External
!
interface GigabitEthernet0/0
 description ISP Interface
 shutdown
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 description main ISP outside2
 nameif outside2
 security-level 0
 ip address External-ip 255.255.255.248
!
interface GigabitEthernet0/3
 nameif WIFI-Mgmt
 security-level 50
 ip address 10.98.1.254 255.255.255.0
!
interface GigabitEthernet0/3.90
 description WIFI_Data Traffic
 vlan 90
 nameif WIFI_Data
 security-level 100
 ip address 10.90.1.254 255.255.255.0
!
interface Management0/0
 description managment inside
 shutdown
 no nameif
 no security-level
 no ip address
!            
passwd DGerT0.3WeQP2akB encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Network_list1
 network-object 10.96.1.0 255.255.255.0
 network-object 10.94.1.0 255.255.255.0
 network-object 10.99.1.0 255.255.255.0
 network-object 10.97.1.0 255.255.255.0
 network-object 10.98.1.0 255.255.255.0
 network-object 10.93.1.0 255.255.255.0
 network-object 10.95.1.0 255.255.255.0
object-group network WIFI_WAP_Data
 description WIFI_WAP_Data
 network-object 10.90.1.0 255.255.255.0
 network-object 10.98.1.0 255.255.255.0
access-list outside extended permit tcp any any eq ssh
access-list ACL-ALL extended permit ip object-group Network_list1 any
access-list inside_in extended permit tcp any any log
access-list inside_in extended permit ip any any log
access-list inside_in extended permit icmp any any log
access-list ACL_OUTSIDE2 extended permit icmp any any
access-list ACL_OUTSIDE2 extended permit ip any any log
access-list WIFI-Mgmt_access_in extended permit icmp 10.98.1.0 255.255.255.0 any echo
access-list WIFI-Mgmt_access_in extended permit udp 10.98.1.0 255.255.255.0 any
access-list WIFI-Mgmt_access_in extended permit tcp any any
access-list WIFI-Mgmt_access_in extended permit udp any any
access-list WIFI_Mgnt_access_out extended permit ip any any
access-list WIFI_Mgnt_access_out extended permit tcp any any
access-list WIFI_Mgnt_access_in extended permit ip any any
access-list WIFI_Mgnt_access_in extended permit tcp any any
access-list WIFI_Mgnt_access_in extended permit udp any any
access-list WIFI_Data_access_in extended permit tcp any any
access-list WIFI_Data_access_in extended permit udp any any
access-list WIFI_Data_access_in extended permit udp 10.90.1.0 255.255.255.0 any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging device-id hostname
logging host inside 10.95.1.2
mtu outside 1500
mtu inside 1500
mtu outside2 1500
mtu WIFI-Mgmt 1500
mtu WIFI_Data 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside2) 20 interface
nat (inside) 20 10.0.0.0 255.0.0.0
static (inside,outside2) tcp Sonicwall-External www Sonicwall www netmask 255.255.255.255
static (inside,outside2) tcp Sonicwall-External https Sonicwall https netmask 255.255.255.255
static (outside2,inside) tcp Sonicwall www External-ip www netmask 255.255.255.255
static (outside2,inside) Sonicwall Sonicwall-External netmask 255.255.255.255
access-group inside_in in interface inside
access-group ACL_OUTSIDE2 in interface outside2
access-group WIFI-Mgmt_access_in in interface WIFI-Mgmt
access-group WIFI_Data_access_in in interface WIFI_Data
route inside 10.96.1.0 255.255.255.0 10.1.1.254 1
route inside 10.95.1.0 255.255.255.0 10.1.1.254 1
route inside 10.94.1.0 255.255.255.0 10.1.1.254 1
route inside 10.99.1.0 255.255.255.0 10.1.1.254 1
route inside 10.97.1.0 255.255.255.0 10.1.1.254 1
route inside 10.93.1.0 255.255.255.0 10.1.1.254 1
route outside2 0.0.0.0 0.0.0.0 89.197.59.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password VMjKUVR42fvN0IE1 encrypted
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.95.1.0 255.255.255.0 inside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh 10.96.1.0 255.255.255.0 inside
ssh 10.95.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
!
!            
policy-map Global_policy
!
prompt hostname context
Cryptochecksum:e439bcd91fe2a64db255e349452e657b
: end
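Added example (mine, not from the post or the accepted answer): syslog 305005 is what the ASA logs when nat-control is on and the source interface has no nat rule matching the global pool the packet would leave through. This parses a constructed abridgement of the posted config (interface names and addresses as posted; the regexes and the "one global pool" assumption are mine) and returns the nat lines that are absent for WIFI-Mgmt and WIFI_Data.

```python
"""ASA 305005 check: interfaces lacking a nat rule while nat-control is on (added example)."""
import ipaddress
import re

# Constructed abridgement of the running-config posted in the question.
CONFIG = """
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif outside2
 ip address External-ip 255.255.255.248
interface GigabitEthernet0/3
 nameif WIFI-Mgmt
 ip address 10.98.1.254 255.255.255.0
interface GigabitEthernet0/3.90
 nameif WIFI_Data
 ip address 10.90.1.254 255.255.255.0
nat-control
global (outside2) 20 interface
nat (inside) 20 10.0.0.0 255.0.0.0
"""


def missing_nat_rules(config):
    """Return {nameif: suggested 'nat' line} for every interface that is neither
    a global (egress) interface nor covered by a nat rule; {} if nat-control is off."""
    ifaces, nat_ifs, global_ids, cur, nat_control = {}, set(), {}, None, False
    for line in config.splitlines():
        if m := re.match(r"\s*nameif\s+(\S+)", line):
            cur = m[1]
            ifaces[cur] = None
        elif (m := re.match(r"\s*ip address\s+(\S+)\s+(\S+)", line)) and cur:
            try:
                ifaces[cur] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            except ValueError:
                pass  # a 'name' object such as External-ip; network stays unknown
        elif m := re.match(r"\s*nat\s+\((\S+)\)\s+\d+", line):
            nat_ifs.add(m[1])
        elif m := re.match(r"\s*global\s+\((\S+)\)\s+(\d+)", line):
            global_ids[m[1]] = int(m[2])
        elif line.strip() == "nat-control":
            nat_control = True
    if not nat_control or not global_ids:
        return {}
    pool_id = min(global_ids.values())  # the posted config has one pool, id 20
    return {name: (f"nat ({name}) {pool_id} {net.network_address} {net.netmask}"
                   if net else "ip address is a name object; resolve it first")
            for name, net in ifaces.items()
            if name not in nat_ifs and name not in global_ids}
```

Run against the full `sh run` output the same way; the asker's dump has only `nat (inside) 20`, so both WiFi interfaces come back flagged.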
ASKER CERTIFIED SOLUTION
asavener