https://community.cisco.com/t5/network-security/access-lan-services-from-other-interface/m-p/2293146#M345830 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If I remember correctly you had 9.1 or some other new software running on the ASA when you previously asked about some Static PAT configurations here on CSC.</P><P></P><P>So I guess the software level you mention is for the ASDM.</P><P></P><P>I would probably start by checking what the <STRONG>"packet-tracer"</STRONG> command would say about a connection coming from the wireless network to these IP addresses and the services needed.</P><P></P><P><STRONG>packet-tracer <WIRELESS interface="" name=""> <TCP or="" udp=""> <SOURCE ip=""> <RANDOM source="" port=""> <DESTINATION ip=""> <DESTINATION port=""></DESTINATION></DESTINATION></RANDOM></SOURCE></TCP></WIRELESS></STRONG></P><P></P><P>This would tell us what the ASA would do to the packet arriving on its interface.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 25 Jul 2013 11:20:15 GMT Jouni Forss 2013-07-25T11:20:15Z https://community.cisco.com/t5/network-security/access-lan-services-from-other-interface/m-p/2293145#M345829 <P>Hi All</P><P></P><P>I really can't get my head around this - I don't know if I'm NATting it wrong or if what I'm attempting just wont work. I'm using ASA 7.1 and Cisco 4500 Switches on my LAN</P><P></P><P>On my LAN I have a Domain Controller (172.16.5.14) and and Exchange Box (172.16.5.222). The Exchange box has 1 NIC and 3 addresses, 1 for SMTP and 1 each for 2 seperate IIS OWA Sites (1 is a Public Folder, the other is OWA)</P><P></P><P>I have my Wireless network behind another interface on my ASA (Security Level 90). I need users on the Wi-Fi (192.168.10.x) to be able to access DNS on my DC and OWA on my Exchange box. My DNS on the DC points all OWA traffic to the LAN address of the Exchange box. I know I could do it by routing traffic from the WiFi to the LAN via the Switch but then what's the point of firewalling if I'm going to bypass it?</P><P></P><P>I also have a DMZ network that accesses internal services (such as IIS on the DMZ to SQL on the LAN) which is working fine so I can't understand what I'm doing wrong</P><P></P><P>Thanks</P><P>Danny</P> Tue, 12 Mar 2019 02:16:49 GMT https://community.cisco.com/t5/network-security/access-lan-services-from-other-interface/m-p/2293145#M345829 Danny Cooke 2019-03-12T02:16:49Z https://community.cisco.com/t5/network-security/access-lan-services-from-other-interface/m-p/2293146#M345830 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If I remember correctly you had 9.1 or some other new software running on the ASA when you previously asked about some Static PAT configurations here on CSC.</P><P></P><P>So I guess the software level you mention is for the ASDM.</P><P></P><P>I would probably start by checking what the <STRONG>"packet-tracer"</STRONG> command would say about a connection coming from the wireless network to these IP addresses and the services needed.</P><P></P><P><STRONG>packet-tracer <WIRELESS interface="" name=""> <TCP or="" udp=""> <SOURCE ip=""> <RANDOM source="" port=""> <DESTINATION ip=""> <DESTINATION port=""></DESTINATION></DESTINATION></RANDOM></SOURCE></TCP></WIRELESS></STRONG></P><P></P><P>This would tell us what the ASA would do to the packet arriving on its interface.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 25 Jul 2013 11:20:15 GMT https://community.cisco.com/t5/network-security/access-lan-services-from-other-interface/m-p/2293146#M345830 Jouni Forss 2013-07-25T11:20:15Z https://community.cisco.com/t5/network-security/access-lan-services-from-other-interface/m-p/2293147#M345831 <HTML><HEAD></HEAD><BODY><P>Hi Jouni</P><P></P><P>Yes, you are correct - I was rushing to type things out <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Output from Packet-Tracer</P><P></P><P></P><P>Phase: 1</P><P>Type: UN-NAT</P><P>Subtype: static</P><P>Result: ALLOW</P><P>Config:</P><P>nat (Wireless_LAN,Legacy_LAN) source static Wireless_LAN-network Wireless_LAN-network destination static SERVER22_LAN_OWA </P><P></P><P></P><P>SERVER22_LAN_OWA net-to-net</P><P>Additional Information:</P><P>NAT divert to egress interface Legacy_LAN</P><P>Untranslate 172.16.5.222/443 to 172.16.5.222/443</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group Wireless_LAN_access_in in interface Wireless_LAN</P><P>access-list Wireless_LAN_access_in extended permit object-group DM_INLINE_SERVICE_7 object Wireless_LAN-network object-</P><P></P><P></P><P>group DM_INLINE_NETWORK_13</P><P>object-group service DM_INLINE_SERVICE_7</P><P> service-object tcp-udp destination eq domain</P><P> service-object tcp destination eq www</P><P> service-object tcp destination eq https</P><P>object-group network DM_INLINE_NETWORK_13</P><P> network-object object SERVER22_LAN_OWA</P><P> network-object object SERVER15_LAN</P><P> network-object object SERVER14_LAN</P><P>Additional Information:</P><P></P><P></P><P>Phase: 3</P><P>Type: NAT</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>nat (Wireless_LAN,Legacy_LAN) source static Wireless_LAN-network Wireless_LAN-network destination static SERVER22_LAN_OWA </P><P></P><P></P><P>SERVER22_LAN_OWA net-to-net</P><P>Additional Information:</P><P>Static translate 192.168.10.62/41298 to 192.168.10.62/41298</P><P></P><P></P><P>Phase: 4</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 5</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 6</P><P>Type: FILTER</P><P>Subtype: filter-url</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 7</P><P>Type: FOVER</P><P>Subtype: standby-update</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 8</P><P>Type:</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 9</P><P>Type: FILTER</P><P>Subtype: filter-https</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 10</P><P>Type: NAT</P><P>Subtype: rpf-check</P><P>Result: ALLOW</P><P>Config:</P><P>nat (Wireless_LAN,Legacy_LAN) source static Wireless_LAN-network Wireless_LAN-network destination static SERVER22_LAN_OWA </P><P></P><P></P><P>SERVER22_LAN_OWA net-to-net</P><P>Additional Information:</P><P></P><P></P><P>Phase: 11</P><P>Type: USER-STATISTICS</P><P>Subtype: user-statistics</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 12</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 13</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 14</P><P>Type: USER-STATISTICS</P><P>Subtype: user-statistics</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 15</P><P>Type: FLOW-CREATION</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 32433132, packet dispatched to next module</P><P></P><P></P><P>Result:</P><P>input-interface: Wireless_LAN</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: Legacy_LAN</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P></BODY></HTML> Thu, 25 Jul 2013 11:28:53 GMT https://community.cisco.com/t5/network-security/access-lan-services-from-other-interface/m-p/2293147#M345831 Danny Cooke 2013-07-25T11:28:53Z