10-01-2015 09:43 AM - edited 03-11-2019 11:40 PM
We have the wireless network on the dmz of the firewall. I need to allow the wifi users to be able to connect to the inside subnet.
dmz subnet: 192.168.3.0/24
inside subnet: 192.168.1.0/24
My packet-tracer is failing:
asa# packet-tracer input dmz tcp 192.168.3.10 25 192.168.1.9 25
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 dmz any
static translation to 192.168.1.0
translate_hits = 0, untranslate_hits = 15
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.0/0 to 192.168.1.0/0 using netmask 255.255.255.0
Phase: 2
Type: ACCESS-LIST
Subtype: no-forward-rule
Result: DROP
Config:
Additional Information:
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Here is the pertinent config:
asa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname asa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
description Wireless
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 123.123.123.201 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
!
same-security-traffic permit intra-interface
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit tcp any host 123.123.123.202 eq https
access-list inbound extended permit tcp 123.65.144.0 255.255.248.0 host 123.123.123.202 eq smtp
access-list inbound extended permit tcp 123.81.64.0 255.255.248.0 host 123.123.123.202 eq smtp
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list 121 extended permit ip 192.168.0.0 255.255.252.0 192.168.42.0 255.255.255.0
access-list 122 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 122 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 122 extended permit ip 172.20.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 123 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list datto extended permit ip host 192.168.1.12 any
access-list datto extended permit tcp any any eq ssh
access-list gsm extended permit ip 192.168.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list gsm extended permit ip 192.168.2.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list vpn standard permit 192.168.1.0 255.255.255.0
access-list vpn standard permit 172.20.1.0 255.255.255.0
access-list vpn standard permit 192.168.42.0 255.255.255.0
access-list nat0out extended permit ip 192.168.2.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list nat0out extended permit ip 172.20.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat0out extended permit ip 192.168.2.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list nat0out extended permit ip 192.168.42.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list oceanport extended permit ip 192.168.0.0 255.255.252.0 192.168.42.0 255.255.255.0
access-list dmz_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool 192.168.2.1-192.168.2.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 121
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list nat0out
nat (dmz) 0 access-list 123
nat (dmz) 1 192.168.3.0 255.255.255.0
static (inside,outside) 123.123.123.202 192.168.1.9 netmask 255.255.255.255 dns
static (dmz,inside) 123.123.123.202 192.168.1.9 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-group inbound in interface outside
access-group dmz_outbound in interface dmz
route outside 0.0.0.0 0.0.0.0 123.123.123.206 1
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
class-map datto-rate-limite
match access-list datto
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
policy-map datto-limit
class datto-rate-limite
police output 1500000 100000
!
10-01-2015 10:51 AM
The configuration explicitly tells the ASA not to allow it:
interface Vlan3
no forward interface Vlan1
Flip that subcommand ("forward interface vlan 1") and it should work. Here's the command reference describing what it does in detail.
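As an added example (not part of either post), a small Python audit that reproduces the diagnosis above: it parses the VLAN interface stanzas from an ASA 8.2 config excerpt (constructed here to mirror the one posted) and reports whether a flow from one nameif to another is blocked by a `no forward interface` statement before any ACL or NAT rule is consulted. The function names and the text of the verdict are this example's own.

```python
"""Check an ASA 8.2 running-config for 'no forward interface' restrictions
that make packet-tracer report an ACCESS-LIST / no-forward-rule drop."""
import re
from typing import Dict

# Constructed excerpt mirroring the three VLAN stanzas posted in the thread.
CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 123.123.123.201 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map each nameif to its physical/VLAN interface and its no-forward list."""
    ifaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"iface": line.split()[1], "no_forward": []}
        elif current is None or line == "!":
            continue
        elif line.startswith("nameif "):
            # Register by nameif; the dict is shared, so a 'no forward'
            # line that precedes 'nameif' (as in the post) is still kept.
            ifaces[line.split()[1]] = current
        elif m := re.match(r"no forward interface (\S+)", line, re.I):
            current["no_forward"].append(m.group(1))
    return ifaces


def forward_blocked(ifaces: Dict[str, dict], src: str, dst: str) -> bool:
    """True if traffic entering nameif `src` can never be forwarded to `dst`."""
    dst_vlan = ifaces[dst]["iface"].lower()
    return any(v.lower() == dst_vlan for v in ifaces[src]["no_forward"])


def audit_flow(config: str, src: str, dst: str) -> str:
    """Verdict for a flow, e.g. audit_flow(CONFIG, 'dmz', 'inside')."""
    ifaces = parse_interfaces(config)
    if forward_blocked(ifaces, src, dst):
        return (f"DROP: {ifaces[src]['iface']} carries 'no forward interface "
                f"{ifaces[dst]['iface']}'; ACLs are never evaluated")
    return "forward allowed: access-group and NAT rules decide"
```

Removing the `no forward interface Vlan1` line from the excerpt flips the verdict for the dmz-to-inside flow, while inside-to-dmz is unaffected either way.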