10-30-2013 03:01 AM - edited 03-11-2019 07:57 PM
I currently have a Cisco ASA plugged into a single AP. This plugs into the PoE port of the ASA.
The wireless access point has 2 SSIDs (VLANs), 1 and 10.
Both sides are trunked to allow the VLANs.
VLAN 1 is on 192.168.70.0/24 (production), inside interface.
VLAN 10 is on 172.16.0.0/24 (guest).
The Cisco ASA is acting as the DHCP server for both VLANs.
We wanted people on the guest network and the production network separate, which is working well.
Now we have a printer on 192.168.70.20 which the guest users will need to access.
I have tried setting up an ACL on the ASA but no luck.
Please see the attached ACL list (these are the defaults; nothing has been changed).
Can someone point me in the direction to get this working?
I have checked the logs when running a ping to the printer from the 172.16 network and am seeing the attached NAT error.
10-30-2013 08:00 AM
Hello,
The NAT exempt is another option as well instead of the Identity NAT.
I modified the ACL to make it more restrictive, but sure, you can leave it with the permit ip any any (as long as you do not have ambiguity in the NAT statements you will be safe there).
If there is no other question please mark it as answered; otherwise let me know
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
10-30-2013 03:50 AM
Hi,
You probably have Dynamic PAT configured for both "inside" and "guest" when connecting to "outside" and don't have the proper NAT for traffic between "inside" and "guest". To give the proper configuration needed I would have to see the configuration in CLI format.
Also, please follow up on your previous threads that you have opened with the solution and rate/mark the correct reply if you have gotten helpful information. There was one related to connecting the AP to the ASA5505, for example.
- Jouni
10-30-2013 05:39 AM
Thanks. I have attached the config. So I need an access list from inside to guest?
I only want people on the guest network 172.16.0.0 to access just 192.168.70.20 and nothing else.
I will go back to the older post and update the information.
10-30-2013 07:20 AM
Hello James,
The ACL should look like
access-list Guest_access_in extended permit ip any host 192.168.70.20
access-list Guest_access_in extended deny ip any 192.168.70.0 255.255.255.0
access-list Guest_access_in extended permit ip any any
And the NAT
static (guest,inside) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
static (inside,guest) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
10-30-2013 07:57 AM
All I did was add an exempt NAT rule on the inside interface with the source address of the printer 192.168.70.20 to the destination guest network, and this has worked. I did this in ASDM and selected "NAT Exempt outbound traffic from interface inside to lower security interfaces".
I can only ping the printer from the guest network and nothing else.
10-30-2013 08:04 AM
access-list inside_nat0_outbound extended permit ip host printer 172.16.0.0 255.255.255.0
10-30-2013 08:05 AM
Thanks for the explanation. Now makes good sense
10-30-2013 08:10 AM
Hello James,
My pleasure to help
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
10-31-2013 02:05 AM
Hi Jcarvaja,
All is still working well. I'm used to working on routers and new to this ASA stuff, so please excuse my questions if they're a bit obvious to you. Normally when you do inter-VLAN routing you need a layer 3 device.
I'm just confused as to how a NAT command will let you route between different subnets (VLANs)??
Thanks
p.s followed
10-31-2013 02:12 AM
Hi,
The reason why we need separate Identity NAT configurations between the local VLANs is that without them the traffic would most likely match the Dynamic PAT rules (the "nat" statements) and therefore the NAT checks on the ASA would fail.
Adding the Identity NAT configurations with the "static" command is meant to override the Dynamic PAT configuration and enable the 2 VLANs to communicate with their original IP addresses (which is what Identity NAT essentially means).
The requirement for this NAT is partly due to how the software level you use handles NAT.
With newer 8.3 (and above) software levels, where NAT was redone, you wouldn't need any NAT configuration between your local interfaces, which makes for a much clearer NAT configuration on the firewall.
- Jouni
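To make the two mechanisms in this thread concrete (the first-match ACL from Jcarvaja's 07:20 post, and the pre-8.3 NAT lookup order Jouni explains above), here is an added Python model; it is not code from the thread or from Cisco, and it deliberately simplifies the ASA packet path. The interface names "inside", "guest" and "outside", the single PAT pool id 1, the global on "outside" and the sample hosts 172.16.0.5, 192.168.70.30 and 203.0.113.10 are assumptions; the three ACEs and the two identity statics are the ones posted in the thread.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ASA address spec: any | host A.B.C.D | NETWORK MASK."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if word == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(word + "/" + tokens.pop(0))


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list NAME [extended] permit|deny ip SRC DST' lines."""
    aces = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        tokens = tokens[2:]                  # drop the keyword and the ACL name
        if tokens[0] == "extended":
            tokens.pop(0)
        action = tokens.pop(0)
        if tokens.pop(0) != "ip":            # only plain IP ACEs in this model
            raise ValueError("unsupported protocol in: " + line)
        aces.append(Ace(action, _addr(tokens), _addr(tokens)))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str) -> str:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# The three ACEs from the thread, applied inbound on the guest interface.
GUEST_ACL = parse_acl([
    "access-list Guest_access_in extended permit ip any host 192.168.70.20",
    "access-list Guest_access_in extended deny ip any 192.168.70.0 255.255.255.0",
    "access-list Guest_access_in extended permit ip any any",
])


@dataclass
class NatTables:
    """Simplified pre-8.3 NAT state (assumption: one dynamic PAT pool, id 1)."""
    identity: Dict[Tuple[str, str], ipaddress.IPv4Network] = field(default_factory=dict)
    dynamic_ifcs: Set[str] = field(default_factory=set)   # "nat (ifc) 1 0.0.0.0 0.0.0.0"
    global_ifcs: Set[str] = field(default_factory=set)    # "global (ifc) 1 interface"


def nat_lookup(tables: NatTables, src_ifc: str, src_ip: str, dst_ifc: str) -> str:
    """Lookup order as described in the thread: identity/exempt NAT between the
    two interfaces is consulted before the dynamic nat/global pairs."""
    net = tables.identity.get((src_ifc, dst_ifc))
    if net is not None and ipaddress.IPv4Address(src_ip) in net:
        return "identity"   # forwarded with its original address
    if src_ifc in tables.dynamic_ifcs:
        if dst_ifc in tables.global_ifcs:
            return "pat"    # translated to the egress interface address
        return "drop"       # matches nat but no global on egress: NAT check fails
    return "none"           # no NAT rule involved


# Constructed tables: BEFORE has only the usual PAT-to-outside setup, AFTER adds
# the two identity statics from the thread.
BEFORE = NatTables(dynamic_ifcs={"inside", "guest"}, global_ifcs={"outside"})
AFTER = NatTables(
    identity={
        ("guest", "inside"): ipaddress.IPv4Network("172.16.0.0/24"),
        ("inside", "guest"): ipaddress.IPv4Network("192.168.70.0/24"),
    },
    dynamic_ifcs={"inside", "guest"},
    global_ifcs={"outside"},
)


def guest_flow(tables: NatTables, src_ip: str, dst_ifc: str, dst_ip: str) -> str:
    """Combine both checks for a packet arriving on the guest interface."""
    if evaluate(GUEST_ACL, src_ip, dst_ip) == "deny":
        return "denied by ACL"
    result = nat_lookup(tables, "guest", src_ip, dst_ifc)
    return "dropped by NAT" if result == "drop" else "forwarded (" + result + ")"


if __name__ == "__main__":
    targets = (("inside", "192.168.70.20"), ("inside", "192.168.70.30"), ("outside", "203.0.113.10"))
    for tables, label in ((BEFORE, "before"), (AFTER, "after")):
        for dst_ifc, dst in targets:
            print(label, "guest 172.16.0.5 ->", dst, ":", guest_flow(tables, "172.16.0.5", dst_ifc, dst))
```

Running it shows the two points the thread makes: with only the ACL in place (BEFORE), a guest packet to the printer passes the ACL but is still dropped because it matches the guest "nat" statement and there is no global on the inside interface; once the identity statics exist (AFTER), the printer is reachable untranslated, the rest of 192.168.70.0/24 is stopped by the second ACE, and internet-bound traffic still takes the PAT path.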