03-04-2014 03:11 PM - edited 03-11-2019 08:53 PM
I'm attempting to set up a new VLAN on my Cisco ASA 5512 running version 8.6(1)2. This VLAN will provide access for wireless "guest" APs in my network. I have the guest VLAN set up through to my switches; I'm able to dedicate a switch port to VLAN 40 and acquire an IP address in the 10.40.10.0/24 network. Below is an excerpt of what I think is the relevant config information. I'm trying to route guest traffic out my "outside" interface.
Obviously I'm missing another command in here. Any help would be greatly appreciated. If more of the running-config is needed, please advise. Thanks in advance!
_________________________________________________________
interface GigabitEthernet0/1.40
description Guest Wireless Network
vlan 40
nameif guestwireless
security-level 50
ip address 10.40.10.5 255.255.255.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1 (public IP at X.X.X.X)
access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside
mtu guestwireless 1500
access-group guestwireless_access_in in interface guestwireless
dhcpd address 10.40.10.50-10.40.10.250 guestwireless
dhcpd dns 8.8.8.8 interface guestwireless
dhcpd enable guestwireless
________________________________________________________
03-04-2014 05:57 PM
Here is the killing part
interface GigabitEthernet0/0
description ISP Interface
nameif outside
security-level 100
Change it to
interface GigabitEthernet0/0
security-level 0
You do not want the most insecure interface with the highest security level hehe
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
03-04-2014 03:19 PM
Hello,
This is not needed (and it's actually wrong)
access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside
Now you are missing the NAT I guess
nat (guestwireless,outside) after-auto source dynamic any interface
Give it a try!
Julio Carvajal Segura
03-04-2014 03:54 PM
I removed
access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside
added
nat (guestwireless,outside) after-auto source dynamic any interface dns
included the DNS piece.
Still not able to reach outside internet.
Thanks for the quick reply
03-04-2014 03:57 PM
You are doing NAT on the wireless, right?
No need to include the DNS in the NAT
cap guest interface guestwireless match icmp any host 4.2.2.2
cap capout interface outside match icmp any host 4.2.2.2
Then from a PC ping 4.2.2.2 and provide
show cap guest
show cap capout
Julio Carvajal Segura
03-04-2014 04:01 PM
show cap guest
4 packets captured
1: 18:00:08.100229 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request
2: 18:00:12.853440 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request
3: 18:00:17.845705 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request
4: 18:00:22.853547 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request
4 packets shown
ASA# sh cap capout
0 packet captured
0 packet shown
ASA#
03-04-2014 05:28 PM
Hello,
Can you share entire configuration please
Julio Carvajal Segura
03-04-2014 05:48 PM
Stripped out some config pertaining to crypto and credentials
--------------Config Below-----------------------------------
: Saved
:
ASA Version 8.6(1)2
!
hostname ASA
domain-name company.local
names
!
interface GigabitEthernet0/0
description ISP Interface
nameif outside
security-level 100
ip address ##.##.###.### 255.255.255.248
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.40
description Guest Wireless Network
vlan 40
nameif guestwireless
security-level 50
ip address 10.40.10.5 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside-tempnet
security-level 0
ip address 172.29.0.252 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name company.local
same-security-traffic permit inter-interface
object network NETWORK_OBJ_10.100.10.0_24
subnet 10.100.10.0 255.255.255.0
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.100.10.0_24 any
access-list inside-tempnet_access_in extended permit ip 172.29.0.0 255.255.255.0 object NETWORK_OBJ_10.100.10.0_24
access-list Split_Tunnel_List standard permit 172.29.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu guestwireless 1500
mtu inside-tempnet 1500
mtu management 1500
ip local pool ClientVPN-DHCP-Pool 10.100.10.50-10.100.10.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
asdm history enable
arp timeout 14400
nat (inside-tempnet,outside) source static any any destination static NETWORK_OBJ_10.100.10.0_24 NETWORK_OBJ_10.100.10.0_24 no-proxy-arp route-lookup
!
nat (guestwireless,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside-tempnet_access_in in interface inside-tempnet
route outside 0.0.0.0 0.0.0.0 ##.##.###.### 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
http server enable
http 0.0.0.0 0.0.0.0 inside-tempnet
http 172.29.0.0 255.255.255.0 inside-tempnet
http redirect inside-tempnet 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
dhcpd address 10.40.10.50-10.40.10.250 guestwireless
dhcpd dns 8.8.8.8 interface guestwireless
dhcpd enable guestwireless
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside-tempnet
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect profiles VPNConnect disk0:/vpnconnect.xml
anyconnect enable
tunnel-group-list enable
group-policy "GroupPolicy_VPN Connect" internal
group-policy "GroupPolicy_VPN Connect" attributes
wins-server none
dns-server value #.#.#.#
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value company.local
webvpn
anyconnect profiles value VPNConnect type user
tunnel-group "VPN Connect" type remote-access
tunnel-group "VPN Connect" general-attributes
address-pool ClientVPN-DHCP-Pool
authentication-server-group compnay.LOCAL LOCAL
default-group-policy "GroupPolicy_VPN Connect"
tunnel-group "VPN Connect" webvpn-attributes
group-alias "VPN Connect" enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
: end
03-04-2014 06:15 PM
Doh....I swapped Gig interfaces when I initially set it up and must have overlooked that....good thing this isn't in production yet. I've made the change; I'll verify tomorrow.
Thanks again!
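The two mistakes this thread turned up (the Internet-facing interface carrying the highest security-level, and a nat statement naming an interface that does not exist) are both catchable by a static check before a config ever goes live. The script below is an added example, not something posted in the thread or a Cisco tool; it runs over a constructed excerpt of the config shown above, with a documentation-range address standing in for the redacted ISP next hop.

```python
import re

# Constructed excerpt of the config posted in the thread (not the full file);
# 203.0.113.1 is a placeholder for the redacted next hop.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 description ISP Interface
 nameif outside
 security-level 100
interface GigabitEthernet0/1.40
 vlan 40
 nameif guestwireless
 security-level 50
interface GigabitEthernet0/2
 nameif inside-tempnet
 security-level 0
nat (guestwirelless,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

def parse_interfaces(config):
    """Map each nameif to its security-level; blocks lacking either are skipped."""
    levels = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        name = re.search(r"^\s*nameif (\S+)", block, re.M)
        level = re.search(r"^\s*security-level (\d+)", block, re.M)
        if name and level:
            levels[name.group(1)] = int(level.group(1))
    return levels

def audit(config):
    """Return findings for the two misconfigurations seen in the thread."""
    levels, findings = parse_interfaces(config), []
    # 1. Without an inbound ACL, the ASA only forwards connections initiated from a
    #    higher security-level interface to a lower one, so the interface holding the
    #    default route (the Internet side) must be the lowest level on the box.
    route = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", config, re.M)
    if route and route.group(1) in levels:
        egress = route.group(1)
        lower = sorted(n for n, lvl in levels.items() if lvl < levels[egress])
        if lower:
            findings.append(f"{egress} (default-route egress) has security-level "
                            f"{levels[egress]}, higher than {', '.join(lower)}: "
                            f"their outbound traffic is denied by default")
    # 2. Every nameif in a nat statement must exist; a typo such as 'guestwirelless'
    #    leaves the real interface without any translation and the ASA accepts it.
    for m in re.finditer(r"^nat \((\S+?),(\S+?)\)", config, re.M):
        for nameif in m.groups():
            if nameif not in levels:
                findings.append(f"nat statement references unknown interface {nameif!r}")
    return findings

if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print("FINDING:", finding)
```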