08-14-2013 01:30 PM - edited 03-11-2019 07:25 PM
I am running into an issue that I can't figure out. I have an ASA that is connected to my internet connection. Connected to the ASA I have 192.168.2.0/24 as my normal home network. I attached an 881W to one of the ASA ports with the network of 192.168.3.0/24. I have been unable to get communications to the Internet on the 192.168.3 network. I brought up packet tracer and the log viewer and started to see these:
%ASA-2-106016: Deny IP spoof from (192.168.2.1) to 192.168.3.10 on interface inside
Any help with my problem would be greatly appreciated. Here is my ASA config. I have edited out any sensitive data.
ASA Version 9.0(1)
!
hostname ciscoasa
enable password .ITHiMtVZPEIt5Ee encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd encrypted
names
ip local pool VPN 192.168.2.45-192.168.2.50 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport monitor Ethernet0/0
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa901-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service Bittorrent
service udp destination eq 51413
description bittorrent traffic
object network Transmission
host 192.168.2.8
description NAS4Free server
object network IPCameras
range 192.168.2.30 192.168.2.33
description IP Cameras
object network CiscoLab
subnet 192.168.10.0 255.255.255.0
description Network Lab
object network Switches
range 192.168.2.253 192.168.2.254
description Network Switches
object network ESXi
host 192.168.2.6
description ESXI server
object network Windows2k8
host 192.168.2.11
description Windows 2008 running Plixer software
object service NetFlow-2055
service udp destination eq 2055
object service NetFlow-555
service udp destination eq 555
object service NetFlow-9995
service udp destination eq 9995
object service NetFlow-9996
service udp destination eq 9996
object network CIF
host 192.168.2.13
description Collective Intelligence Framework
object network SiLK
host 192.168.2.3
description SiLK flow collector
object network laelapssecurity.com
host 50.87.102.183
description Just Host hosting site.
object service MySQL
service tcp destination eq 3306
description MySQL
object service NCListener
service tcp destination eq 4444
object network laelapsNetwork
subnet 192.168.3.0 255.255.255.0
description Laelaps Network connected to Cisco 881w
object-group service Torrent udp
description Bittorrent traffic
port-object eq 51413
object-group network APT
description APT IP addreses
network-object host 96.44.136.115
network-object host 119.91.241.30
network-object host 66.153.86.14
network-object host 218.210.49.203
object-group service NetFlow
description NetFlow
service-object object NetFlow-2055
service-object object NetFlow-555
service-object object NetFlow-9995
service-object object NetFlow-9996
object-group service minidlna tcp
description Minidlna streaming port
port-object eq 8200
object-group service Alternate_HTTPS tcp
description alternate https port for CIF comms
port-object eq 8443
object-group network BlockIPs
description IPs to block from Alienvault alerts
network-object host 114.247.134.7
network-object host 89.19.240.79
network-object host 1.232.34.242
network-object host 220.60.110.25
access-list outside_access_in extended deny ip object-group BlockIPs any
access-list outside_access_in remark Blocking APT actors
access-list outside_access_in extended deny tcp object-group APT any eq ssh
access-list outside_access_in remark Bittorrent traffic
access-list outside_access_in extended permit object Bittorrent any object Transmission
access-list outside_access_in remark ICMP to Transmission
access-list outside_access_in extended permit icmp any4 object Transmission
access-list outside_access_in extended permit object MySQL object laelapssecurity.com object SiLK
access-list outside_access_in extended permit tcp any object CIF eq ssh
access-list outside_access_in remark Communications to CIF from external
access-list outside_access_in extended permit tcp any object CIF eq 8443
access-list outside_access_in extended permit object NCListener any object CIF
access-list outside_access_in extended permit tcp any object Transmission eq 8200 inactive
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended deny ip any object-group APT
access-list inside_access_in extended permit icmp 192.168.2.0 255.255.255.0 object laelapsNetwork inactive
access-list inside_access_in extended permit icmp object laelapsNetwork 192.168.2.0 255.255.255.0 inactive
access-list inside_access_in extended permit ip object laelapsNetwork any
access-list inside_access_in extended permit ip any any
access-list inside_access_in_1 extended permit ip any4 any4
access-list Local_Lan_Access remark Local Lan access
access-list Local_Lan_Access standard permit any4
access-list global_access extended permit icmp 192.168.2.0 255.255.255.0 object laelapsNetwork inactive
access-list global_access extended permit icmp object laelapsNetwork 192.168.2.0 255.255.255.0 inactive
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm debugging
logging from-address cisco@laelapssecurity.com
logging recipient-address don@laelapssecurity.com level errors
logging facility 23
logging host inside 192.168.2.5
logging host inside 192.168.2.15
flow-export destination inside 192.168.2.15 555
flow-export destination inside 192.168.2.5 555
flow-export template timeout-rate 1
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network Transmission
nat (inside,outside) static interface service udp 51413 51413
object network CIF
nat (any,outside) static interface
object network SiLK
nat (any,outside) static interface
access-group inside_access_in_1 in interface inside control-plane
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
!
router ospf 20
network 192.168.2.0 255.255.255.0 area 10
area 10 range 192.168.2.0 255.255.255.0
log-adj-changes
!
router eigrp 10
no auto-summary
eigrp router-id 192.168.2.1
network 192.168.2.0 255.255.255.0
passive-interface outside
!
router rip
network 192.168.2.0
passive-interface outside
version 2
no auto-summary
!
route inside 192.168.3.0 255.255.255.0 192.168.2.50 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record test
network-acl inside_access_in_1
webvpn
url-list value Home
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http authentication-certificate outside
snmp-server host inside
snmp-server host inside
snmp-server location
snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair laelaps
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 1e839a51
308201cf 30820138 a0030201 0202041e 839a5130 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
86f70d01 09021608 63697363 6f617361 301e170d 31333035 32323131 34333439
5a170d32 33303532 30313134 3334395a 302c3111 300f0603 55040313 08636973
636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 8181008b f6c89634
6487d8c9 e5aea221 eeffd3da 11575d7a 2075abd1 7f6aa914 0c59a564 ed7e7791
7f2b1631 6314a475 b2e8f5d7 c4bac460 e41c724d 6653f513 9b6e6584 a079e37d
e87dde2a 39d20317 96cb5455 c275ef53 8e576276 5cc4b395 f0ce6e0a cf4f3c64
8f7f0aca 663d8e64 4c127308 7c7a5f98 0a3da425 da223824 881fcb02 03010001
300d0609 2a864886 f70d0101 05050003 81810006 d6757674 3dbfce09 9c0eb595
57363440 ba8e3c4b 37d8c7b9 1960e743 e2447162 5e7df9bc b5d2ab57 95b8582f
0c87263d 1c9bdaf3 c6ad0d0d 8140b3ed c7a7c3a5 1060d18b 389c8452 f6e74099
0cd89a36 d730d377 653a47de e2c62279 e3debabb 0e87eb27 e6cb3107 e66e7bde
462e7fd3 17b444e0 ad89997e f9a069d3 5eddfd
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 192.168.2.9 8.8.8.8
dhcpd domain laelaps.local
dhcpd auto_config outside vpnclient-wins-override
!
dhcpd address 192.168.2.16-192.168.2.29 inside
dhcpd dns 192.168.2.9 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28 source outside
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable inside
enable outside
csd image disk0:/csd_3.6.6249-k9.pkg
anyconnect profiles New_laelaps_client_profile disk0:/New_laelaps_client_profile.xml
anyconnect profiles laelaps disk0:/laelaps.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.9
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_New_laelaps internal
group-policy GroupPolicy_New_laelaps attributes
wins-server none
dns-server value 192.168.2.9
vpn-tunnel-protocol ikev2 ssl-client
default-domain value laelaps.local
webvpn
anyconnect profiles value New_laelaps_client_profile type user
group-policy laelaps_anyconnect internal
group-policy laelaps_anyconnect attributes
banner value Unauthorized Access prohibited
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-lock value laelaps_Home
split-tunnel-network-list value Local_Lan_Access
address-pools value VPN
webvpn
anyconnect profiles value laelaps type user
group-policy laelapsPolicy internal
group-policy laelapsPolicy attributes
wins-server none
dns-server value 192.168.2.9
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain value laelaps.local
webvpn
url-list value Home
anyconnect profiles value laelaps type user
group-policy clientless-vpn internal
group-policy clientless-vpn attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value Home
username password encrypted privilege 15
username attributes
vpn-group-policy laelapsPolicy
username password encrypted privilege 0
username attributes
vpn-group-policy laelapsPolicy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias Default enable
tunnel-group New_laelaps type remote-access
tunnel-group New_laelaps general-attributes
address-pool VPN
default-group-policy GroupPolicy_New_laelaps
tunnel-group New_laelaps webvpn-attributes
group-alias New_laelaps enable
tunnel-group laelaps_Home type remote-access
tunnel-group laelaps_Home general-attributes
address-pool VPN
default-group-policy laelapsPolicy
tunnel-group laelaps_Home webvpn-attributes
group-alias Laelaps enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect icmp
class class-default
flow-export event-type all destination 192.168.2.5 192.168.2.15
!
service-policy global_policy global
smtp-server 192.168.2.9
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2f888d9d4c342e7bbcb669f0c35ae815
: end
08-14-2013 02:10 PM
Hi,
Is there any specific reason why you have configured 3 different routing protocols on the ASA? And you also have a static route for the network.
You seem to have Unicast RPF on the "outside" interface, but this shouldn't generate the log message, I guess?
What seems strange in the message, though, is that it mentions your ASA interface as the source.
Are you sure you have not misconfigured the actual router with wrong IP address (192.168.2.1) or something?
What does the ASA routing table say with "show route"?
- Jouni
08-14-2013 02:19 PM
I was trying to figure out the issue with the routing protocols. I read somewhere that the static route would fix the issue but it didn't. I didn't even realize that OSPF was running. I thought I had disabled it.
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 24.99.108.1 to network 0.0.0.0
C 24.99.108.0 255.255.255.0 is directly connected, outside
C 192.168.2.0 255.255.255.0 is directly connected, inside
S 192.168.3.0 255.255.255.0 [1/0] via 192.168.2.50, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 24.99.108.1, outside
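The odd part of the message, as Jouni points out, is that the "spoofed" source is the ASA's own inside address. Failures of `ip verify reverse-path` are logged as a different message (106021), so 106016 is worth triaging on its own. The script below is an added example, not Cisco's code and not anything from the original posts: it takes the interface block and the `show route` lines transcribed from this thread, builds the ASA's self-address table and a longest-prefix-match routing table, and then classifies 106016 lines into three categories I am defining here (the source is one of the firewall's own addresses; the source should have arrived on a different interface according to the routing table; anything else). Only the first syslog line is the one from the original post; the other lines are constructed. The outside address is DHCP-assigned and unknown, so only the inside address is checked.

```python
"""Triage ASA %ASA-2-106016 "Deny IP spoof" messages against the firewall's
own interface addresses and its routing table.

Added example for this thread; not Cisco's code and not the poster's. The
interface block and route lines are transcribed from the configs posted above;
all syslog lines except the first are constructed for the demonstration.
"""
import ipaddress
import re

# Interface section of the posted ASA config. outside is DHCP, so only inside
# has a fixed address we can compare against.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
"""

# Route lines from the posted "show route" output (header omitted).
SHOW_ROUTE = """\
C 24.99.108.0 255.255.255.0 is directly connected, outside
C 192.168.2.0 255.255.255.0 is directly connected, inside
S 192.168.3.0 255.255.255.0 [1/0] via 192.168.2.50, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 24.99.108.1, outside
"""

# First line is the message from the original post; the rest are constructed.
SAMPLE_LOGS = [
    "%ASA-2-106016: Deny IP spoof from (192.168.2.1) to 192.168.3.10 on interface inside",
    "%ASA-2-106016: Deny IP spoof from (192.168.3.10) to 8.8.8.8 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (10.0.0.5) to 192.168.2.8 on interface outside",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:192.168.2.13/22 by access-group outside_access_in",
]

SPOOF_RE = re.compile(
    r"%ASA-\d-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+)"
    r" on interface (?P<iface>\S+)"
)
# code, network, mask, anything, then the interface after the last comma
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s.*,\s*(?P<iface>\S+)\s*$"
)


def parse_interfaces(config):
    """Map nameif -> IPv4Address for every interface with a static address."""
    ifaces, name, addr = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name, addr = None, None          # new block
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and line.split()[2] != "dhcp":
            addr = ipaddress.IPv4Address(line.split()[2])
        if name and addr:
            ifaces[name] = addr
    return ifaces


def parse_routes(show_route):
    """Return [(IPv4Network, egress interface)] from 'show route' lines."""
    routes = []
    for line in show_route.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((net, m["iface"]))
    return routes


def expected_interface(routes, ip):
    """Longest-prefix match: the interface the ASA would use to reach ip, which
    is also the only interface a packet sourced from ip should arrive on."""
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify(line, ifaces, routes):
    """Return a triage record for a 106016 line, or None for other messages."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    src = ipaddress.IPv4Address(m["src"])
    expected = expected_interface(routes, src)
    if src in ifaces.values():
        # The firewall's own address arrived as a source: something on that
        # segment is emitting it (a mis-addressed host, a relay, a loop).
        category = "self-sourced"
    elif expected and expected != m["iface"]:
        category = "wrong-interface"   # classic spoof/asymmetric-path shape
    else:
        category = "other"
    return {"src": str(src), "dst": m["dst"], "interface": m["iface"],
            "expected_interface": expected, "category": category}


def analyze(logs, config=ASA_CONFIG, show_route=SHOW_ROUTE):
    """Classify every 106016 line in logs; non-106016 lines are skipped."""
    ifaces, routes = parse_interfaces(config), parse_routes(show_route)
    return [r for r in (classify(l, ifaces, routes) for l in logs) if r]


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOGS):
        print(rec)
```

For the poster's line the result is `self-sourced` with `expected_interface` equal to `inside`: the routing table is consistent, so the question is which device on the inside segment is sending packets with 192.168.2.1 as its source, which is exactly the misconfiguration Jouni asks about. Feeding the full `show route` and interface section of a real device works the same way; only interfaces with static addresses are checked.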
08-14-2013 02:38 PM
Hi,
Well the routing table in its current form would seem pretty clear.
What's the configuration on the router?
- Jouni
08-14-2013 04:52 PM
Current configuration : 7226 bytes
!
! Last configuration change at 18:46:42 UTC Wed Aug 14 2013 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname laelaps
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-682565691
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-682565691
revocation-check none
rsakeypair TP-self-signed-682565691
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-682565691
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36383235 36353639 31301E17 0D313330 38313431 32343932
315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3638 32353635
36393130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
C6AF8D9F D93218BC B9CEE383 AF833DD4 4DCFF83A 78206322 0EA925D4 EDE70F42
83BE4BF1 4808E97D 4512FDD8 BA58995B 76691930 7165083E DD45F240 0C046346
6DE4F3F9 99EF43F6 57B36A36 56B8EAEC 6939B60D 3E67CCFD BA0B9BA9 EADBD607
D93F375B AB6D7BA8 B0B0086B 5CF20D69 C2CAD17F C702AC10 C8951A8A 3C052F9B
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 16801408 9023A634 03C54CE0 5CFB7C6A 78ED6E77 E1D18E30 1D060355
1D0E0416 04140890 23A63403 C54CE05C FB7C6A78 ED6E77E1 D18E300D 06092A86
4886F70D 01010505 00038181 00305E3E 6E55F42E A8E7AA7E 3C8DA980 D6C8AAF5
742BFE74 1A81230B 2A3B9130 9981E673 5D229964 EBD04642 AE9632C2 7589F67F
6C307F43 0C22247A DD1A7885 17B59A2D 19A4AF5E 9E5A2AB6 C35F324A 16732CCE
1C768650 47B80730 AAA98B6C 85A554AF 256C4055 6789FB38 AC26BBC3 F5E74B27
EFDD639B 6A7D7536 C9D4B58A 9D
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
!
!
!
!
!
ip dhcp excluded-address 192.168.3.1 192.168.3.9
ip dhcp excluded-address 192.168.3.21 192.168.3.254
!
ip dhcp pool laelaps
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.2.9 192.168.2.2
!
!
!
ip domain name laelaps2.local
ip name-server 192.168.2.9
ip name-server 192.168.2.2
ip ips config location flash: retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips advanced
retired false
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
multilink bundle-name authenticated
license udi pid CISCO881W-GN-A-K9 sn FTX1622847J
license boot module c880-data level advipservices
!
!
username admin privilege 15 password 7 0454190301151B4524
username dmccoy privilege 15 secret 4 CcTvzNzf8Sbm0xGL4d9GIyCNwEiqZodEO78LO3uzMOg
!
!
!
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
!
!
class-map type inspect match-all ccp-cls--1
match access-group name Allow_All_Out
class-map type inspect match-all ccp-cls--3
match access-group name All
class-map type inspect match-all ccp-cls--2
match access-group name All_ALL_IN
class-map type inspect match-all ccp-cls--4
match access-group name All_Self_Inside
!
policy-map type inspect ccp-policy-ccp-cls--4
class type inspect ccp-cls--4
pass log
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
pass log
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--3
class type inspect ccp-cls--3
pass log
class class-default
drop
!
zone security Outside
zone security Inside
zone-pair security sdm-zp-Inside-Outside source Inside destination Outside
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-Outside-Inside source Outside destination Inside
service-policy type inspect ccp-policy-ccp-cls--2
zone-pair security sdm-zp-self-Outside source self destination Outside
service-policy type inspect ccp-policy-ccp-cls--3
zone-pair security sdm-zp-self-Inside source self destination Inside
service-policy type inspect ccp-policy-ccp-cls--4
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
!
!
!
!
!
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description $ETH-WAN$
ip address 192.168.2.50 255.255.255.0
ip ips sdm_ips_rule in
ip virtual-reassembly in
zone-member security Outside
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface Vlan1
ip address 192.168.3.1 255.255.255.0
ip ips sdm_ips_rule out
ip virtual-reassembly in
zone-member security Inside
!
!
router eigrp 10
network 192.168.2.0
network 192.168.3.0
passive-interface Wlan-GigabitEthernet0
passive-interface wlan-ap0
!
ip default-gateway 192.168.2.1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 192.168.2.0 255.255.255.0 192.168.2.1
!
ip access-list extended All
remark CCP_ACL Category=128
permit ip any any
ip access-list extended All_ALL_IN
remark CCP_ACL Category=128
permit ip any any
ip access-list extended All_Self_Inside
remark CCP_ACL Category=128
permit ip any any
ip access-list extended Allow_All_Out
remark CCP_ACL Category=128
permit ip any any
!
logging host 192.168.2.5
!
access-list 10 remark NAT ACL
access-list 10 remark CCP_ACL Category=2
access-list 10 remark Internal Network
access-list 10 permit 192.168.3.0 0.0.0.255 log
!
control-plane
!
!
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
login local
transport input telnet ssh
!
!
end
08-15-2013 06:06 PM
I figured out one piece. When I switched from wireless to a wired port I was able to communicate with any address on the 192.168.2.0 network. Is there something that the WLAN is doing to the packet that would cause it to appear as a spoofed address?
08-16-2013 12:50 AM
Hi,
What is this route on the Router?
ip route 192.168.2.0 255.255.255.0 192.168.2.1
It doesn't make sense to have a route for a connected network pointing to some IP address that belongs to that network.
You should not need this route. Only the default route pointing traffic to the ASA.
- Jouni