01-18-2016 11:38 AM
Hi Folks
I recently acquired an ASA 5508-X for a new build project we are doing in one of our not for profit rest houses.
I knew that there were some differences from the ASA 5505, which I'd used previously, but as the 5506 also had the same issues (routed interfaces) I figured I might as well go for the more powerful 5508 (first time I've had a decent budget in years!)
It's taken me a while to find my feet with this but I now have my main network up and running without problems, everything on the inside can reach the outside, and the few things on the outside that are allowed to come inside can come inside.
I have two issues, however, which I'm struggling to resolve.
I'll take point 2 first.
I think that all I need to do is to add the following text and everything should work fine:
interface GigabitEthernet1/8
 nameif Residents
 security-level 50
 ip address 192.168.111.254 255.255.255.0
 no shut
object network Residents
 subnet 192.168.111.0 255.255.255.0
object network Residents
 nat (Residents,outside) dynamic interface
I figured that if I used something similar I should be able to allow the WiFi network to communicate with the server.
interface GigabitEthernet1/3
 nameif WiFi
 security-level 100
 ip address 192.168.222.254 255.255.255.0
 no shut
object network WiFi
 subnet 192.168.222.0 255.255.255.0
object-group network OTHERWiFiLANS
 network-object object WiFi
object network WiFi
 nat (WiFi,outside) dynamic interface
However, that didn't work out quite as I'd hoped, so I swapped the nat instruction to the following:
object network WiFi
 nat (WiFi,inside) dynamic interface
That didn't work either!
I tried adding in same-security-traffic permit intra-interface but I'm not sure if that has any effect unless you have sub interfaces.
So then I tried same-security-traffic permit inter-interface, hoping that would solve my problem; sadly it does not, and I'm running out of ideas and time!!!
Is there anyone out there who can point me in the right direction?
Cheers
Mick
01-18-2016 12:42 PM
Hi,
I read this as an external company needing to access a server behind the firewall on RFC 1918 address space. You can either create a remote access VPN or a static NAT.
Static NAT example:
object network wifi-server
 host 192.168.222.10   (real address of the WiFi server)
 nat (wifi,outside) static interface service tcp 443 443   (if you have a spare public IP address you could swap interface for the mapped IP)
You will need an ACL that's applied on the outside interface. UN-NAT occurs before the ACL is processed, so the ACL must contain the real IP of the server.
access-list outside-in extended permit tcp object-group remote-contractor object-group wifi-server eq 443
For the above, add objects or object-groups for remote-contractor and wifi-server.
To test, use packet-tracer.
Hope this helps
Joel
01-21-2016 07:09 AM
Hi Joel
I fixed my problem by adding in:
forward-reference enable
same-security-traffic permit inter-interface
Cheers
Mick
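The pitfall this thread ends on (two interfaces at the same security-level, which the ASA will not pass traffic between until same-security-traffic permit inter-interface is set) can be caught by a quick lint of the running-config before deployment. The following is an added example, not code from the thread or from Cisco; the sample config is constructed from the snippets above, and the function names are mine.

```python
import re

# Constructed sample, assembled from the snippets posted in this thread (not a real device dump).
SAMPLE_CONFIG = """
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet1/3
 nameif WiFi
 security-level 100
 ip address 192.168.222.254 255.255.255.0
interface GigabitEthernet1/8
 nameif Residents
 security-level 50
 ip address 192.168.111.254 255.255.255.0
object network WiFi
 subnet 192.168.222.0 255.255.255.0
object network WiFi
 nat (WiFi,outside) dynamic interface
"""

# Matches the exact command on its own line, so a 'no same-security-traffic ...' line does not count.
INTER_IFACE_RE = re.compile(r"^\s*same-security-traffic permit inter-interface\s*$", re.M)


def parse_interfaces(config):
    """Return {nameif: security-level} for every named interface in an ASA config."""
    levels, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"nameif (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"security-level (\d+)$", line)
        if m and current:
            levels[current] = int(m.group(1))
    return levels


def check_same_security(config):
    """Return groups of interfaces that share a security-level but cannot talk to each other.

    The ASA drops inter-interface traffic between equal security-levels unless the
    permit command is present, which is exactly what the original poster hit.
    """
    if INTER_IFACE_RE.search(config):
        return []
    by_level = {}
    for name, level in parse_interfaces(config).items():
        by_level.setdefault(level, []).append(name)
    return [sorted(names) for names in by_level.values() if len(names) > 1]
```

Run it over `show running-config` output; an empty list means no equal-level pair is blocked.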