08-24-2015 04:06 AM - edited 03-11-2019 11:29 PM
Having issues getting VLANs via trunk access to the outside on a 5510, configured via ASDM.
I'll admit to a lack of extensive experience with the 5510 up front. I tried configuring via ASDM but am not making much progress.
My configuration is simple: inside interface to the wired network, outside interface which is NAT'd to a single public IP, and a second interface that has 2 VLANs trunked for wifi access. Inside to outside works, although I see a lot of ACL messages on internal routers that lead me to believe that a lot more than I want is getting in. But the VLANs on the wifi interface can't get to the outside. The 5510 is the DHCP server for them, and lists itself as the gateway - that all works fine. But no matter how many rules I tried creating in ASDM, no outside access. Using Packet Trace just showed "Denied by rule", but that wasn't much help.
All I want to do is give the 2 VLANs (201 and 202) HTTP access to the outside interface, and that's it. Can anyone point me to what I'm missing or doing wrong, please? I'd also be interested to know why I'm seeing ACL deny messages from public IPs on my internal network. Have I opened up too much inside-to-outside?
Thanks all.
Here are the relevant lines from the config:
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
:
ASA Version 9.1(6)
!
hostname ciscoasa
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 62.97.x.x 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.5.0.1 255.255.248.0
!
interface Ethernet0/2
 nameif core-trunk
 security-level 0
 no ip address
!
interface Ethernet0/2.201
 vlan 201
 nameif Wifi
 security-level 0
 ip address 192.168.0.3 255.255.255.0
!
interface Ethernet0/2.202
 vlan 202
 nameif GuestWifi
 security-level 0
 ip address 192.168.100.3 255.255.255.0
!
object network ANY
 subnet 0.0.0.0 0.0.0.0
access-list Wifi_access_in extended permit ip any any
access-list GuestWifi_access_in extended permit ip any any
icmp permit any outside
icmp permit any inside
icmp permit any management
icmp permit any core-trunk
asdm image disk0:/asdm-743.bin
nat (inside,outside) source static any interface
access-group outside_access_in in interface outside
access-group wifi_access_in in interface core-trunk
route outside 0.0.0.0 0.0.0.0 62.97.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.118.204.201 source outside
webvpn
 anyconnect-essentials
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map inspection_policy
 class ipsecpssthru-traffic
  inspect ipsec-pass-thru
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
  inspect icmp
policy-map type inspect ipsec-pass-thru ipsecpasstru
 parameters
  esp per-client-max 10 timeout 0:00:30
  ah per-client-max 10 timeout 0:00:30
!
service-policy global_policy global
service-policy inspection_policy interface outside
prompt hostname context
: end
08-24-2015 07:39 AM
The first thing I would do is create another NAT rule for wifi and guestwifi. I can only see a single NAT entry for inside to outside. Another thing is to increase the security levels of your subinterfaces to something higher than 0, perhaps 50.
Let us know if this solves your issue.
08-24-2015 07:48 AM
Can you make the following changes -
1) change the security level for wireless interfaces to be greater than outside interface and lower than inside interface.
2) replace -
nat (inside,outside) source static any interface
with this -
nat (any,outside) after-auto source dynamic any interface
then do a "clear xlate" and retest.
Edit - sorry Robert, didn't see your reply.
Jon
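Pulling the two replies together, here is one way to write the change against the posted config. This is an added example for the thread, not Robert's or Jon's text and not the original poster's configuration. It keeps the addresses and interface names from the post, picks security levels 50 and 40 for the two subinterfaces (Robert only says "perhaps 50"; different values keep the two VLANs from being same-security peers, so their interface ACLs alone decide what crosses between them), and expresses Robert's "another NAT rule for wifi and guestwifi" as object NAT. The object and object-group names (INSIDE_NET, WIFI_NET, GUESTWIFI_NET, INTERNAL_NETS) are my own choices. The ACLs do only what the original poster asked for: HTTP to the outside from 201 and 202, nothing else.

```cisco
! Added example (config mode unless noted). Not the poster's running config.
!
! 1. Security levels: outside stays 0, inside stays 100, the two Wi-Fi
!    subinterfaces move in between (Jon's "greater than outside, lower
!    than inside"; Robert's "perhaps 50").
interface Ethernet0/2.201
 vlan 201
 nameif Wifi
 security-level 50
 ip address 192.168.0.3 255.255.255.0
!
interface Ethernet0/2.202
 vlan 202
 nameif GuestWifi
 security-level 40
 ip address 192.168.100.3 255.255.255.0
!
! 2. NAT: remove the single static rule and give each inside-facing subnet
!    its own dynamic PAT to the outside interface address. Static twice NAT
!    is bidirectional; dynamic PAT only builds translations for connections
!    started from the inside-facing side.
no nat (inside,outside) source static any interface
object network INSIDE_NET
 subnet 172.5.0.0 255.255.248.0
 nat (inside,outside) dynamic interface
object network WIFI_NET
 subnet 192.168.0.0 255.255.255.0
 nat (Wifi,outside) dynamic interface
object network GUESTWIFI_NET
 subnet 192.168.100.0 255.255.255.0
 nat (GuestWifi,outside) dynamic interface
!
! 3. Interface ACLs: an inbound ACL on an interface governs every
!    destination the traffic could reach, not only the outside. Deny the
!    internal subnets first, then permit HTTP; everything else falls to the
!    implicit deny at the end of the list.
object-group network INTERNAL_NETS
 network-object 172.5.0.0 255.255.248.0
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
!
clear configure access-list Wifi_access_in
access-list Wifi_access_in extended deny ip 192.168.0.0 255.255.255.0 object-group INTERNAL_NETS
access-list Wifi_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq www
!
clear configure access-list GuestWifi_access_in
access-list GuestWifi_access_in extended deny ip 192.168.100.0 255.255.255.0 object-group INTERNAL_NETS
access-list GuestWifi_access_in extended permit tcp 192.168.100.0 255.255.255.0 any eq www
!
! 4. Bind the ACLs to the subinterfaces that actually carry the tagged
!    VLAN traffic. The posted config binds a name that does not match the
!    ACL's capitalization to the untagged parent (core-trunk), which frames
!    tagged 201 or 202 never arrive on.
no access-group wifi_access_in in interface core-trunk
access-group Wifi_access_in in interface Wifi
access-group GuestWifi_access_in in interface GuestWifi
!
! 5. Flush existing translations so the new NAT rules take effect
!    (Jon's "clear xlate"); this one is an exec command.
end
clear xlate
```

Jon's `nat (any,outside) after-auto source dynamic any interface` is the single-line alternative to the three object NAT rules above; either works, but not both together with the old static rule. To check the result the way the original poster tried, run `packet-tracer input Wifi tcp 192.168.0.50 40000 203.0.113.10 80` (both addresses are assumed test values; 203.0.113.0/24 is a documentation range) and expect the NAT and ACCESS-LIST phases to show ALLOW with the WIFI_NET translation, then repeat with port 443 and expect a DROP on the ACL. `show nat detail` and `show access-list Wifi_access_in` show hit counts per rule. Two caveats: HTTP only means the clients get no DNS and no HTTPS through the firewall, so if the DHCP scope hands them an external resolver, matching `udp ... eq domain` and `tcp ... eq https` lines are needed; and the remaining deny messages the poster sees on the inside should be re-checked after the static rule is gone, since a static twice NAT rule also accepts outside-initiated traffic to the interface address for untranslation, which a dynamic PAT rule does not.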