Problem with Aironet IP redirection on ASA

jamesdborden — Mon, 11 Mar 2019 23:52:06 GMT

Ok, so I have an aironet redirecting all traffic to the ASA, the problem is that I can ping websites, however I can not access the web page.

When I go through the ASA log here is what I get.

3 Sep 10 2012 09:52:58 10.0.3.41 2120 10.0.1.254 80 TCP access denied by ACL from 10.0.3.41/2120 to Corp:10.0.1.254/80

Here are the incoming rules.

Corp (5 incoming rules)
1	True	10.70.0.0/24	10.0.1.0/24	ip	Permit	0	Default
2	True	any	any	ip	Permit	19110969	Default
3	True	any	any	gre	Permit	0	Default
4	True	any	any	udp/domain	Permit	0	Default
5	True	any	any	tcp/pptp	Permit	0	Default

Problem with Aironet IP redirection on ASA

terrencepayet — Mon, 10 Sep 2012 15:42:52 GMT

Hi James,

Please post the config of your ASA in order for us to help further.

Regards,

Terence

Re: Problem with Aironet IP redirection on ASA

jamesdborden — Mon, 10 Sep 2012 17:19:43 GMT

Here is the running configuration

: Saved

: Written by enable_15 at 12:14:12.994 CDT Mon Sep 10 2012

ASA Version 8.4(2)

hostname ASA

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 10.7.1.0 ScottNet

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 3

interface Ethernet0/2

switchport access vlan 5

interface Ethernet0/3

switchport access vlan 5

interface Ethernet0/4

switchport access vlan 6

interface Ethernet0/5

interface Ethernet0/6

switchport access vlan 3

interface Ethernet0/7

switchport trunk allowed vlan 3,5,7,16

switchport mode trunk

interface Vlan2

backup interface Vlan16

nameif outside

security-level 0

ip address XXX.XXX.XXX.XXX 255.255.255.240

interface Vlan3

nameif Development

security-level 0

ip address 172.16.32.254 255.255.255.0

interface Vlan5

nameif Corp

security-level 100

ip address 10.0.1.254 255.255.252.0

interface Vlan6

nameif NED

security-level 100

ip address 10.60.0.254 255.255.255.0

interface Vlan16

nameif BACKUP

security-level 0

ip address 192.168.15.2 255.255.255.0

boot system disk0:/asa842-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.7.1.0 255.255.255.0

access-list inside_access_in extended permit ip 172.16.32.0 255.255.255.0 any inactive

access-list inside_access_in extended permit 53 any any inactive

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit object-group TCPUDP 172.16.32.0 255.255.255.0 host 10.0.1.221 eq domain

access-list Development_access_in extended permit 53 any any

access-list Development_access_in extended permit object-group TCPUDP any any

access-list Development_access_in extended permit ip any any

access-list Development_access_in extended deny tcp any any eq smtp

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list Corp_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.70.0.0 255.255.255.0

access-list Corp_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.70.0.0 255.255.255.0

access-list Corp_nat0_outbound extended permit ip 172.16.30.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list Corp_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list Corp_nat0_outbound extended permit ip 10.70.0.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list Corp_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 object ScottNet

access-list Corp_access_in extended permit ip 10.70.0.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list Corp_access_in extended permit ip any any

access-list Corp_access_in extended permit gre any any

access-list Corp_access_in extended permit udp any any eq domain

access-list Corp_access_in extended permit tcp any any eq pptp

access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.252.0 object CoryNet

access-list NED_access_in extended permit ip 10.0.1.0 255.255.255.0 10.70.0.0 255.255.255.0

access-list NED_access_in extended permit ip any any

access-list Backup_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any host 10.0.1.221 object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any host 10.0.1.144 object-group TMS_Services

access-list outside_access_in extended permit tcp any host 10.0.1.146 object-group TMS_Services

access-list outside_access_in extended permit gre any host 10.0.1.221

access-list outside_access_in extended permit tcp any host 10.0.1.161 object-group DM_INLINE_TCP_2

access-list outside_access_in extended permit udp any host 10.0.1.221 eq domain

access-list outside_access_in extended permit udp host XXX.XXX.XXX.XXX any eq tftp

access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_1 eq 8005

access-list outside_access_in extended permit ip 172.16.30.0 255.255.255.0 any

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 10.0.1.151

access-list outside_access_in extended permit tcp any host 10.0.1.116 eq pptp

access-list outside_access_in extended permit gre any host 10.0.1.116

access-list outside_access_in extended permit tcp any host 10.0.1.116 object-group DM_INLINE_TCP_4

access-list outside_access_in extended permit tcp any host 10.0.1.41 eq 3389

access-list outside_access_in extended permit tcp any host 10.0.1.125 eq smtp

access-list outside_access_in extended permit icmp any any

pager lines 24

logging enable

logging asdm warnings

mtu outside 1500

mtu Development 1500

mtu Corp 1500

mtu NED 1500

mtu BACKUP 1500

ip local pool VPN-address-pool 10.0.2.20-10.0.2.50 mask 255.255.252.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

asdm location ScottNet 255.255.255.0 Corp

no asdm history enable

arp timeout 14400

access-group outside_access_in in interface outside

access-group Development_access_in in interface Development

access-group Corp_access_in in interface Corp

access-group NED_access_in in interface NED

route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.30 1 track 1

route BACKUP 0.0.0.0 0.0.0.0 192.168.15.1 254

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 10.0.3.0 255.255.255.0 Corp

http 10.0.1.0 255.255.255.0 Corp

http 172.16.32.0 255.255.255.0 Development

track 1 rtr 123 reachability

telnet 172.16.32.0 255.255.255.0 Development

telnet 10.0.0.0 255.255.252.0 Corp

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

dhcpd address 172.16.32.15-172.16.32.100 Development

dhcpd dns 4.2.2.1 4.2.2.2 interface Development

dhcpd enable Development

dhcpd address 10.0.1.101-10.0.1.124 Corp

dhcpd dns 10.0.1.221 10.0.1.160 interface Corp

dhcpd wins 10.0.1.221 interface Corp

dhcpd option 66 ip 10.0.1.1 interface Corp

dhcpd option 150 ip 10.0.1.1 interface Corp

dhcpd dns 10.0.1.221 4.2.2.1 interface NED

dhcpd wins 10.0.1.221 interface NED

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

inspect ip-options

Problem with Aironet IP redirection on ASA

terrencepayet — Mon, 10 Sep 2012 17:43:27 GMT

I take it that the 10.0.3.0 network is the WiFi network?

First thing first. It seems you don't have route for this network.

Please add a route for the mentioned network.

route corp 10.0.3.0 255.255.255.0 gateway of network

And you also need to parse through your config and clean it up a bit especially in your ACL.

HTH.

Terence

Re: Problem with Aironet IP redirection on ASA

jamesdborden — Tue, 11 Sep 2012 20:35:26 GMT

The corp network is 10.0.0.0/22 but unfortunately that isn't included in the running config. When I remove the redirect everything works fine. The problem is that it is hitting an acl when I set an ip redirect to the gateway 10.0.1.254

Re: Problem with Aironet IP redirection on ASA

Julio Carvajal — Tue, 11 Sep 2012 21:03:38 GMT

Hello James,

Please remove the HTTP configuration and put it back.

clear configure http

http server enable

http 10.0.3.0 255.255.255.0 Corp

http 10.0.1.0 255.255.255.0 Corp

http 172.16.32.0 255.255.255.0 Development

Also remove the ACL as its not doing anything in here:

clear configure access-list Corp_access_in

Let me know,

topic Re: Problem with Aironet IP redirection on ASA in Network Security

Problem with Aironet IP redirection on ASA

Problem with Aironet IP redirection on ASA

Re: Problem with Aironet IP redirection on ASA

Problem with Aironet IP redirection on ASA

Re: Problem with Aironet IP redirection on ASA

Re: Problem with Aironet IP redirection on ASA