Internal traffic not allowed

brunellej
Level 1

Ok, I have reviewed this configuration a couple of times and I am not seeing my error.

I have two internal subnets, in different VLANs with the ASA being the default router. The internal zone works fine, but the zone called wireless on VLAN 13 doesn't. The firewall blocks all communications and the rules look correct to me.

I want all traffic on this wireless subnet to be allowed to cross over the firewall and NAT to the outside interface, just as the inside zone does.

The configuration is here:

:
ASA Version 8.3(2)
!
hostname xxx-fw1
domain-name xxxxx.xxx
enable password xxxx encrypted
passwd xxxxxxx encrypted
names
!
interface Vlan1
description Internal Network
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
no ip address
!
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 25
ip address 192.168.1.1 255.255.255.0
!
interface Vlan23
nameif StateNet
security-level 75
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport trunk allowed vlan 1,13
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 23
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk native vlan 1
switchport mode trunk
shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxx.xxx
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.9.20
host 192.168.9.20
object network obj-claggett-https
host 192.168.9.20
object network obj-claggett-imap4
host 192.168.9.20
object network obj-claggett-pop3
host 192.168.9.20
object network obj-claggett-smtp
host 192.168.9.20
object network obj-claggett-imapoverssl
host 192.168.9.20
object network obj-claggett-popoverssl
host 192.168.9.20
object network obj-claggett-smtpwTLS
host 192.168.9.20
object network obj-192.168.9.120
host 192.168.9.120
object network obj-192.168.9.119
host 192.168.9.119
object network obj-192.168.9.121
host 192.168.9.121
object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
object network WirelessClients
subnet 192.168.1.0 255.255.255.0
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group network obj_clerkpc
description Clerk's PCs
network-object object obj-192.168.9.119
network-object object obj-192.168.9.120
network-object object obj-192.168.9.121
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) static interface
object network obj-claggett-https
nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
nat (any,StateNet) static 10.63.198.11
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route StateNet 10.0.0.0 255.0.0.0 10.63.xxx.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.168.9.0 255.255.255.0 inside
http 74.94.142.225 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 10800
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
dhcpd enable Wireless-Guest
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
!
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:05c24559cf3efa9f924eacb8756addfe
: end

Thanks in advance for any assistance.

John

clooney
Level 4

You don't have any NAT set up for the guest wireless interface. It'd look something like this:

object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
nat (Wireless-Guest,outside) static interface

That would PAT all of the hosts on the guest network to the outside IP address.
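As an added check (not part of either post), the script below reads the interface and object-NAT statements of an ASA 8.3-style config and lists every interface that, like Wireless-Guest in this thread, sits above the outside security level but has no nat rule toward outside. The config excerpt is constructed from the posted config, and the function names are my own.

```python
import re
# Constructed excerpt modelled on the thread's config (not the poster's full
# config): named interfaces plus ASA 8.3-style object NAT statements.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan13
 nameif Wireless-Guest
 security-level 25
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) static interface
object network obj-wirelessnet
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.9.120
 host 192.168.9.120
 nat (inside,StateNet) static 10.63.198.12
"""

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
SECLEVEL_RE = re.compile(r"^\s*security-level\s+(\d+)")
NAT_RE = re.compile(r"^\s*nat\s+\((\S+?),(\S+?)\)")

def parse_interfaces(config):
    """Map each nameif to its security level, walking interface blocks in order."""
    levels, current = {}, None
    for line in config.splitlines():
        if m := NAMEIF_RE.match(line):
            current = m.group(1)
        elif (m := SECLEVEL_RE.match(line)) and current:
            levels[current] = int(m.group(1))
    return levels

def nat_pairs(config):
    """Collect the (source, destination) interface pairs named in nat statements."""
    return {m.groups() for m in map(NAT_RE.match, config.splitlines()) if m}

def interfaces_without_nat_to(config, egress="outside"):
    """Interfaces above egress's security level with no NAT rule toward egress."""
    levels, pairs = parse_interfaces(config), nat_pairs(config)
    if ("any", egress) in pairs:
        return []  # a nat (any,<egress>) rule already covers every interface
    covered = {src for src, dst in pairs if dst == egress}
    return sorted(name for name, level in levels.items()
                  if name != egress and level > levels.get(egress, 0) and name not in covered)
```

Appending the reply's `nat (Wireless-Guest,outside) static interface` line to the excerpt empties the result, which is the quickest way to confirm a fix before pushing it to the box.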
