Can't get simple Inside/Outside Access Working on 5510 (VLANs)

jwhitley1 — Tue, 12 Mar 2019 06:29:17 GMT

Having issues getting VLANs via trunk access to the outside on a 5510, configured via ADSM.

I'll admit to a lack of extensive experience with the 5510 up front. I tried configuring via ADSM but am not making much progress.

My configuration is simple: Inside interface to wired network, Outside interface which is nat'd to a single public IP, and a second interface that has 2 VLANs trunked for wifi access. Inside to outside works, although I see a lot of ACL messages on internal routers that lead me to believe that a lot more than I want is getting in. But, the VLANs on the Wifi interface can't get to the outside. The 5510 is the DHCP server for them, and lists itself as the gateway - that all works fine. But no matter how many rules I tried creating in ADSM, no outside access. Using Packet Trace just showed "Denied by rule" but that wasn't much help.

All I want to do is give the 2 VLANS (201 and 202) http access to the outside interface, and that's it. Can anyone point me to what I'm missing or doing wrong, please? I'd also be interested to know why I'm seeing ACL deny messages from public IPs on my internal network. Have I opened up too much inside-to-outside?

Thanks all.

Here are the relevant lines from the config:

: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
:
ASA Version 9.1(6)
!
hostname ciscoasa
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 62.97.x.x 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.5.0.1 255.255.248.0
!
interface Ethernet0/2
nameif core-trunk
security-level 0
no ip address
!
interface Ethernet0/2.201
vlan 201
nameif Wifi
security-level 0
ip address 192.168.0.3 255.255.255.0
!
interface Eternet0/2.202
vlan 202
nameif GuestWifi
security-level 0
ip address 192.168.100.3 255.255.255.0
!
object network ANY
subnet 0.0.0.0 0.0.0.0
access-list Wifi_access_in extended permit ip any any
access-list GuestWifi_access_in extended permit ip any any
icmp permit any outside
icmp permit any inside
icmp permit any management
icmp permit any core-trunk
asdm image disk0:/asdm-743.bin
nat (inside,outside) source static any interface
access-group outside_access_in in interface outside
access-group wifi_access_in in interface core-trunk
route outside 0.0.0.0 0.0.0.0 62.97.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icm 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
!
threat-detection basic-threat
hreat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.118.204.201 source outside
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns prest_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map inspection_policy
class ipsecpssthru-traffic
inspect ipsec-pass-thru
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect icmp
policy-map type inspect ipsec-pass-thru ipsecpasstru
parameters
esp per-client-max 10 timeout 0:00:30
ah per-client-max 10 timeout 0:00:30
!
service-policy global_policy global
service-policy inspection_policy interface outside
prompt hostname context
: end

First thing i would do is

Robert Hillcoat — Mon, 24 Aug 2015 14:39:50 GMT

First thing i would do is create another NAT rule for wifi and guestwifi. I can only see a single NAT entry for inside to outside. Another thing is to increase the security levels of your subinterfaces to something higher than 0. perhaps 50

Let us know if this solves your issue.

Can you make the following

Jon Marshall — Mon, 24 Aug 2015 14:48:51 GMT

Can you make the following changes -

1) change the security level for wireless interfaces to be greater than outside interface and lower than inside interface.

2) replace -

nat (inside,outside) source static any interface

with this -

nat (any,outside) after-auto source dynamic any interface

then do a "clear xlate" and retest.

Edit - sorry Robert, didn't see you reply.

Jon

topic Can't get simple Inside/Outside Access Working on 5510 (VLANs) in Network Security

Can't get simple Inside/Outside Access Working on 5510 (VLANs)

First thing i would do is

Can you make the following