01-16-2013 08:21 AM - edited 03-11-2019 05:48 PM
Hi, I need to route between subnets on 2 different ASA interfaces. The ASA also has an outside interface that works as the gateway for internet access.
Here is my configuration
ASA Version 8.2(1)
!
hostname ICE3
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 201.199.xxx.xx 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.x 255.255.255.0
!
interface Ethernet0/2
nameif
security-level 100
ip address 0.0.0.0 0.0.0.0
!
interface Ethernet0/3
nameif Wireless
security-level 100
ip address 192.168.1.2 255.255.255.0
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service web-ports tcp
port-object eq https
port-object eq www
object-group network Wireless
network-object host 192.168.1.1
access-list outbound extended permit ip object-group trusted any
access-list outbound extended permit tcp object-group web-servers any object-group web-ports
access-list outbound extended permit tcp 10.1.1.0 255.255.255.0 any object-group general-access
access-list outbound extended permit tcp host 201.199.xxx.xx any object-group web-ports
access-list inside_access_in extended permit ip object-group trusted any
access-list inside_access_in extended permit ip object-group DNS-Servers any log disable inactive
access-list inside_access_in extended permit ip any any inactive
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Wireless_access_in extended permit ip any any
!
tcp-map TCPMAP
reserved-bits clear
synack-data allow
invalid-ack allow
seq-past-window allow
urgent-flag allow
!
pager lines 24
logging enable
logging list configLog level debugging class auth
logging list configLog level debugging class config
logging list system-IDSLog level informational class ids
logging list system-IDSLog level informational class sys
logging buffer-size 10000
logging asdm informational
no logging message 111008
no logging message 111007
mtu outside 1500
mtu inside 1500
mtu ISA 1500
mtu management 1500
mtu Wireless 1500
ip audit name attackPolicy attack action alarm drop
ip audit name antiSnifferPolicy info action drop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 10 interface
nat (inside) 1 10.1.1.0 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Wireless_access_in in interface Wireless
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community DotNet
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sysopt connection tcpmss 0
service resetinbound interface ISA
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn 201.199.xxx.xx
subject-name CN=201.199.xxx.xx
ip-address 201.199.xxx.xx
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 0efba950
quit
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
!
class-map inspection_default
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
smtp-server 10.1.1.xx
prompt hostname context
Cryptochecksum:f797f6e302a487264396e7a8509d61bf
Thanks in advance
01-16-2013 08:37 AM
You will need to add a static route for that. If you want to route to the outside interface, then you will need to add a default route. From and to which subnets are you trying to route?
01-16-2013 08:42 AM
Hi, thanks. I'm trying to route from the Wireless interface to Inside and vice versa.
01-16-2013 09:56 AM
Hello Oscar,
Add the following:
access-list inside_access_in extended permit ip any any
static (inside,wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Do that and let me know the results,
Julio
01-16-2013 11:39 AM
Hi, thanks. I got SYN Timeout.
01-16-2013 11:43 AM
Hello Oscar do the following:
packet-tracer input inside tcp 10.1.1.15 1025 192.168.1.20 80
packet-tracer input wireless tcp 192.168.1.20 1025 10.1.1.15 80
Provide the entire output of each of them and I will get back to you
01-17-2013 06:27 AM
Thanks Julio, here is the output:
Result of the command: "packet-tracer input inside tcp 10.1.1.15 1025 192.168.1.20 80"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
match ip Wireless 192.168.1.0 255.255.255.0 inside any
static translation to 192.168.1.0
translate_hits = 0, untranslate_hits = 124
Additional Information:
NAT divert to egress interface Wireless
Untranslate 192.168.1.0/0 to 192.168.1.0/0 using netmask 255.255.255.0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match any
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.1.1.0 255.255.255.0 Wireless 192.168.1.0 255.255.255.0
NAT exempt
translate_hits = 57, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
match ip inside 10.1.1.0 255.255.255.0 Wireless any
static translation to 10.1.1.0
translate_hits = 25, untranslate_hits = 6442
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
match ip inside 10.1.1.0 255.255.255.0 Wireless any
static translation to 10.1.1.0
translate_hits = 25, untranslate_hits = 6442
Additional Information:
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
match ip Wireless 192.168.1.0 255.255.255.0 inside any
static translation to 192.168.1.0
translate_hits = 0, untranslate_hits = 124
Additional Information:
Phase: 12
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
match ip Wireless 192.168.1.0 255.255.255.0 inside any
static translation to 192.168.1.0
translate_hits = 0, untranslate_hits = 124
Additional Information:
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8093903, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Wireless
output-status: up
output-line-status: up
Action: allow
Result of the command: "packet-tracer input wireless tcp 192.168.1.20 1025 10.1.1.15 80"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
match ip inside 10.1.1.0 255.255.255.0 Wireless any
static translation to 10.1.1.0
translate_hits = 25, untranslate_hits = 6443
Additional Information:
NAT divert to egress interface inside
Untranslate 10.1.1.0/0 to 10.1.1.0/0 using netmask 255.255.255.0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Wireless_access_in in interface Wireless
access-list Wireless_access_in extended permit ip any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip Wireless 192.168.1.0 255.255.255.0 inside 10.1.1.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 52
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
match ip Wireless 192.168.1.0 255.255.255.0 inside any
static translation to 192.168.1.0
translate_hits = 0, untranslate_hits = 124
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
match ip Wireless 192.168.1.0 255.255.255.0 inside any
static translation to 192.168.1.0
translate_hits = 0, untranslate_hits = 124
Additional Information:
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
match ip inside 10.1.1.0 255.255.255.0 Wireless any
static translation to 10.1.1.0
translate_hits = 25, untranslate_hits = 6443
Additional Information:
Phase: 12
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
match ip inside 10.1.1.0 255.255.255.0 Wireless any
static translation to 10.1.1.0
translate_hits = 25, untranslate_hits = 6443
Additional Information:
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8093904, packet dispatched to next module
Result:
input-interface: Wireless
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
01-17-2013 10:37 AM
Hello Oscar,
Everything looks good: packets are being allowed and NATted as they should be, and the ASA setup is the one required.
Time to move on with the packet captures.
May I know 2 ip addresses on those subnets that you could use to test connectivity?
01-17-2013 12:13 PM
Sure 10.1.1.41 and the 192.168.1.15
Result of the command: "packet-tracer input inside tcp 10.1.1.41 1025 192.168.1.15 3389"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Wireless,inside) Wireless Wireless netmask 255.255.255.0
match ip Wireless Wireless 255.255.255.0 inside any
static translation to Wireless
translate_hits = 0, untranslate_hits = 19
Additional Information:
NAT divert to egress interface Wireless
Untranslate Wireless/0 to Wireless/0 using netmask 255.255.255.0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group trusted any
object-group network trusted
network-object host 10.1.1.40
network-object host 10.1.1.41
network-object host 10.1.1.42
network-object host 10.1.1.43
network-object host 10.1.1.44
network-object host 10.1.1.45
network-object host 10.1.1.46
network-object host 10.1.1.47
network-object host 10.1.1.48
network-object host 10.1.1.49
network-object host Jake-PC
network-object host DonMiguel
network-object host Sean-Tv
network-object host Marti
network-object host Handpunch
network-object host Ricky
network-object host dnbst2202
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match any
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.1.1.0 255.255.255.0 Wireless Wireless 255.255.255.0
NAT exempt
translate_hits = 13, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
match ip inside 10.1.1.0 255.255.255.0 Wireless any
static translation to 10.1.1.0
translate_hits = 37, untranslate_hits = 6443
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
match ip inside 10.1.1.0 255.255.255.0 Wireless any
static translation to 10.1.1.0
translate_hits = 37, untranslate_hits = 6443
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Wireless,inside) Wireless Wireless netmask 255.255.255.0
match ip Wireless Wireless 255.255.255.0 inside any
static translation to Wireless
translate_hits = 0, untranslate_hits = 19
Additional Information:
Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Wireless,inside) Wireless Wireless netmask 255.255.255.0
match ip Wireless Wireless 255.255.255.0 inside any
static translation to Wireless
translate_hits = 0, untranslate_hits = 19
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8169729, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Wireless
output-status: up
output-line-status: up
Action: allow
Result of the command: "packet-tracer input wireless tcp 192.168.1.15 1025 10.1.1.41 3389"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
match ip inside 10.1.1.0 255.255.255.0 Wireless any
static translation to 10.1.1.0
translate_hits = 37, untranslate_hits = 6444
Additional Information:
NAT divert to egress interface inside
Untranslate 10.1.1.0/0 to 10.1.1.0/0 using netmask 255.255.255.0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Wireless_access_in in interface Wireless
access-list Wireless_access_in extended permit ip any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (Wireless,inside) Wireless Wireless netmask 255.255.255.0
match ip Wireless Wireless 255.255.255.0 inside any
static translation to Wireless
translate_hits = 1, untranslate_hits = 19
Additional Information:
Static translate Wireless/0 to Wireless/0 using netmask 255.255.255.0
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Wireless,inside) Wireless Wireless netmask 255.255.255.0
match ip Wireless Wireless 255.255.255.0 inside any
static translation to Wireless
translate_hits = 1, untranslate_hits = 19
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
match ip inside 10.1.1.0 255.255.255.0 Wireless any
static translation to 10.1.1.0
translate_hits = 37, untranslate_hits = 6444
Additional Information:
Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,Wireless) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
match ip inside 10.1.1.0 255.255.255.0 Wireless any
static translation to 10.1.1.0
translate_hits = 37, untranslate_hits = 6444
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8169730, packet dispatched to next module
Result:
input-interface: Wireless
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
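The packet-tracer outputs above all share one fixed phase structure. As an added example (not part of the thread), this Python helper parses that format and condenses a trace to the final action, the interface path, the first non-ALLOW phase and the static NAT rules it hit. The two sample traces are constructed and abridged; the `Drop-reason` line mirrors the form the ASA prints for a denied flow but is not taken from this thread.

```python
# Constructed, abridged sample traces in the thread's packet-tracer format (not copied from the page).
ALLOW_TRACE = """Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Wireless,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Result:
input-interface: inside
output-interface: Wireless
Action: allow
"""
DROP_TRACE = """Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule
Result:
input-interface: Wireless
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, final): per-phase dicts plus the key/values of the closing Result block."""
    phases, final, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            phases.append(cur := {"type": "", "subtype": "", "result": "", "config": [], "info": []})
            section = None
        elif line == "Result:":            # bare header: the closing summary block starts
            cur, section = None, "final"
        elif section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif cur is None:                  # preamble before the first phase, e.g. the command echo
            continue
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:
            cur[section].append(line)
        else:                              # Type / Subtype / Result headers of the phase
            key, _, value = line.partition(":")
            cur[key.lower()] = value.strip()
    return phases, final

def verdict(text):
    phases, final = parse_packet_tracer(text)
    blocked = [p for p in phases if p["result"].upper() != "ALLOW"]
    statics = sorted({c for p in phases if p["type"] in ("NAT", "UN-NAT")
                      for c in p["config"] if c.startswith("static ")})
    return {
        "action": final.get("Action", "").lower(),
        "path": (final.get("input-interface"), final.get("output-interface")),
        "blocked_at": (blocked[0]["type"], blocked[0]["config"]) if blocked else None,
        "drop_reason": final.get("Drop-reason"),
        "static_nat": statics,
    }
```

Feed `verdict()` the text of `show` output or a pasted trace; a non-empty `blocked_at` points at the phase and the rule that denied the flow, which is the line to look at first in a trace like the ones above.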
01-17-2013 12:47 PM
Hello Oscar,
Great, let's move forward with the captures:
cap capin interface inside match ip host 10.1.1.41 host 192.168.1.15
cap capwireless interface Wireless match ip host 10.1.1.41 host 192.168.1.15
Then initiate a connection (whatever protocol: telnet, icmp, http) but just once.
Then provide the following info:
show cap capin
show cap capwireless
Regards