10-01-2015 09:43 AM - edited 03-11-2019 11:40 PM
ASA 5505 running 8.2(5)
We have the wireless network on the dmz of the firewall. I need to allow the wifi users to be able to connect to the inside subnet.
dmz subnet: 192.168.3.0/24
inside subnet: 192.168.1.0/24
My packet tracer is failing
asa# packet-tracer input dmz tcp 192.168.3.10 25 192.168.1.9 25
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 dmz any
static translation to 192.168.1.0
translate_hits = 0, untranslate_hits = 15
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.0/0 to 192.168.1.0/0 using netmask 255.255.255.0
Phase: 2
Type: ACCESS-LIST
Subtype: no-forward-rule
Result: DROP
Config:
Additional Information:
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Here is the pertinent config:
asa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname asa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
description Wireless
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 123.123.123.201 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
!
same-security-traffic permit intra-interface
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit tcp any host 123.123.123.202 eq https
access-list inbound extended permit tcp 123.65.144.0 255.255.248.0 host 123.123.123.202 eq smtp
access-list inbound extended permit tcp 123.81.64.0 255.255.248.0 host 123.123.123.202 eq smtp
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list 121 extended permit ip 192.168.0.0 255.255.252.0 192.168.42.0 255.255.255.0
access-list 122 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 122 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 122 extended permit ip 172.20.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 123 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list datto extended permit ip host 192.168.1.12 any
access-list datto extended permit tcp any any eq ssh
access-list gsm extended permit ip 192.168.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list gsm extended permit ip 192.168.2.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list vpn standard permit 192.168.1.0 255.255.255.0
access-list vpn standard permit 172.20.1.0 255.255.255.0
access-list vpn standard permit 192.168.42.0 255.255.255.0
access-list nat0out extended permit ip 192.168.2.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list nat0out extended permit ip 172.20.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat0out extended permit ip 192.168.2.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list nat0out extended permit ip 192.168.42.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list oceanport extended permit ip 192.168.0.0 255.255.252.0 192.168.42.0 255.255.255.0
access-list dmz_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool 192.168.2.1-192.168.2.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 121
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list nat0out
nat (dmz) 0 access-list 123
nat (dmz) 1 192.168.3.0 255.255.255.0
static (inside,outside) 123.123.123.202 192.168.1.9 netmask 255.255.255.255 dns
static (dmz,inside) 123.123.123.202 192.168.1.9 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-group inbound in interface outside
access-group dmz_outbound in interface dmz
route outside 0.0.0.0 0.0.0.0 123.123.123.206 1
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
class-map datto-rate-limite
match access-list datto
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
policy-map datto-limit
class datto-rate-limite
police output 1500000 100000
!
10-01-2015 02:20 PM
10-01-2015 02:32 PM
interface Vlan3
no forward interface Vlan1 <---I think this command is blocking the traffic.
Also are you trying to bypass NAT from DMZ to Internal?
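A small check for exactly this failure mode, added here as an example and not code from the thread: it finds the first DROP phase in packet-tracer output, reads the `no forward interface` lines from the VLAN interface blocks, and reports when the trace's input/output pair hits one (the trace and config strings are constructed, trimmed excerpts of those posted above; the ACL phase reports subtype no-forward-rule regardless of what the access-group on the dmz permits).

```python
import re
# Constructed excerpts of the thread's packet-tracer output and 'show run' (trimmed).
PACKET_TRACER = """\
Phase: 2
Type: ACCESS-LIST
Subtype: no-forward-rule
Result: DROP
input-interface: dmz
output-interface: inside
"""
CONFIG = """\
interface Vlan1
 nameif inside
interface Vlan3
 no forward interface Vlan1
 nameif dmz
"""

def first_drop_phase(trace):
    """(Type, Subtype) of the first phase whose Result is DROP, else None."""
    for ptype, subtype, result in re.findall(r"Phase: \d+\nType: (\S+)\nSubtype: (\S*)\nResult: (\w+)", trace):
        if result == "DROP":
            return ptype, subtype
    return None

def parse_interfaces(config):
    """nameif -> {'vlan': 'VlanN', 'no_forward': [VLANs it may not initiate traffic to]}."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"interface (Vlan\d+)$", line)
        if m:
            cur = {"vlan": m.group(1), "no_forward": []}
        elif cur and line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif cur and line.startswith("no forward interface "):
            cur["no_forward"].append(line.split()[-1])
    return ifaces

def explain_drop(trace, config):
    """Tie a no-forward-rule drop to the 'no forward interface' line behind it."""
    drop = first_drop_phase(trace)
    if drop is None:
        return "no drop in trace"
    src, dst = (re.search(rf"{k}-interface: (\S+)", trace).group(1) for k in ("input", "output"))
    ifaces = parse_interfaces(config)
    if drop[1] == "no-forward-rule" and \
            ifaces.get(dst, {}).get("vlan") in ifaces.get(src, {}).get("no_forward", []):
        return (f"{src} -> {dst} blocked by 'interface {ifaces[src]['vlan']} / no forward "
                f"interface {ifaces[dst]['vlan']}', not by an access-list")
    return f"dropped at {drop[0]}/{drop[1]}"
```

Run it against a full `show run` and `packet-tracer` capture to tell a VLAN forwarding restriction apart from a genuine access-list deny before touching the ACLs.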
10-01-2015 03:46 PM
Duplicate post. Already answered here.