Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
962
Views
0
Helpful
2
Replies

ASA 5508-X cant ping inside resources from other subnet

de-hoeksteen
Level 1
Level 1

‎01-18-2016 11:38 AM

Hi Folks

I recently acquired an ASA 5508-X for a new build project we are doing in one of our not for profit rest houses.

I knew that there were some differences between the ASA 5505 which I'd used previously but as the 5506 also had the same issues (routed interfaces) I figured I might as well go for the more powerful 5508 (first time Iv'e had a decent budget in years!)

It's taken me a while to find my feet with this but I now have my main network up and running without problems, everything on the inside can reach the outside, and the few things on the outside that are allowed to come inside can come inside.

I have two issues however which I'm struggling to resolve

  1. I need to allow traffic from an external contractor who is setting up a WiFi network to come into our network and communicate with our server.
  2. I need to set up a separate data network for resident which will just pass through our firewall.

I'll take point 2 first.

I think that all I need to do is to add the following text and everything should work fine

interface GigabitEthernet1/8
nameif Residents
security-level 50
ip address 192.168.111.254 255.255.255.0
no shut

object network Residents
subnet 192.168.111.0 255.255.255.0

object network Residents
nat (Residents,outside) dynamic interface

I figured that if I used something similar I should be able to allow the WiFi network to communicate with the server.

interface GigabitEthernet1/3
nameif WiFi
security-level 100
ip address 192.168.222.254 255.255.255.0
no shut

object network WiFi
subnet 192.168.222.0 255.255.255.0

object-group network OTHERWiFiLANS
network-object object WiFi

object network WiFi
nat (WiFi,outside) dynamic interface

However that didn't work out quite as I'd hoped so I swapped the nat instruction to the following

object network WiFi
nat (WiFi,inside) dynamic interface

That didn't work either!

I tried adding in same-security-traffic permit intra-interface but I'm not sure if that has any effect unless you have sub interfaces.

So then I tried same-security-traffic permit inter-interface hoping that would solve my problem, sadly it does not and I'm running out of ideas and time!!!

Is there anyone out there who can point me in the right direction?

Cheers

Mick

Labels:
0 Helpful
2 Replies 2

Joel
Level 1
Level 1

‎01-18-2016 12:42 PM

Hi,

  • I need to allow traffic from an external contractor who is setting up a WiFi network to come into our network and communicate with our server.

I read this as an external company needs to access a server behind the firewall on rfc1918 address space. You can either create a remote access VPN or static NAT.

Static NAT example

object network wifi-server
 host 192.168.222.10 - real address of WiFi
 nat (wifi,outside) static interface service tcp 443 443 (if you have a spare public IP address you could swap interface for mapped IP)

You will need an ACL on that's applied on the outside interface. UN-NAT occurs before the ACL is processed, so the ACL must contain the real IP of the server.

access-list outside-in extended permit tcp object-group remote-contractor object-group wifi-server eq 443

For above add objects or object-groups for remote-contractor and wifi-server.

To test use packet-tracer.

Hope this helps

Joel

0 Helpful

de-hoeksteen
Level 1
Level 1
In response to Joel

‎01-21-2016 07:09 AM

Hi Joel 

I fixed my problem by adding in 

forward-reference enable
same-security-traffic permit inter-interface

Cheers

Mick

0 Helpful
Customers Also Viewed These Support Documents