09-10-2012 08:13 AM - edited 03-11-2019 04:52 PM
Ok, so I have an Aironet redirecting all traffic to the ASA. The problem is that I can ping websites, however I cannot access the web page.
When I go through the ASA log here is what I get.
3 Sep 10 2012 09:52:58 10.0.3.41 2120 10.0.1.254 80 TCP access denied by ACL from 10.0.3.41/2120 to Corp:10.0.1.254/80
Here are the incoming rules.
Corp (5 incoming rules)
# | Enabled | Source | Destination | Service | Action | Hits | Logging
1 | True | 10.70.0.0/24 | 10.0.1.0/24 | ip | Permit | 0 | Default
2 | True | any | any | ip | Permit | 19110969 | Default
3 | True | any | any | gre | Permit | 0 | Default
4 | True | any | any | udp/domain | Permit | 0 | Default
5 | True | any | any | tcp/pptp | Permit | 0 | Default
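As an added example (not code from this thread or from Cisco), the following Python script parses the logged deny into a flow and checks it against the five Corp_access_in rules posted above, reports whether the destination is one of the ASA's own interface addresses, and whether the source is covered by an `http` statement from the config. The ACE parser handles only the plain any/host/network operand forms (lines with object or object-group operands are skipped), the port-name table is a small subset, and treating Corp as the receiving interface is an assumption made because the destination is Corp's own address.

```python
"""Check a logged ASA deny against the posted Corp_access_in rules.

Added example, not code from the thread or from Cisco. It assumes the
log text is the ASDM rendering shown in the post and that the packet
arrived on the Corp interface (the destination is that interface's IP).
"""
import ipaddress
import re

# Constructed from the thread: the ASDM log line, the five Corp_access_in
# ACEs, the http statements and the interface addresses from the config.
SAMPLE_LOG = ("3 Sep 10 2012 09:52:58 10.0.3.41 2120 10.0.1.254 80 "
              "TCP access denied by ACL from 10.0.3.41/2120 to Corp:10.0.1.254/80")
CORP_ACL = """\
access-list Corp_access_in extended permit ip 10.70.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Corp_access_in extended permit ip any any
access-list Corp_access_in extended permit gre any any
access-list Corp_access_in extended permit udp any any eq domain
access-list Corp_access_in extended permit tcp any any eq pptp"""
HTTP_STATEMENTS = """\
http 10.0.3.0 255.255.255.0 Corp
http 10.0.1.0 255.255.255.0 Corp
http 172.16.32.0 255.255.255.0 Development"""
INTERFACE_IPS = {"Development": "172.16.32.254", "Corp": "10.0.1.254",
                 "NED": "10.60.0.254", "BACKUP": "192.168.15.2"}
# Small subset of the port names the ASA accepts after "eq".
PORT_NAMES = {"domain": 53, "pptp": 1723, "smtp": 25, "www": 80, "http": 80,
              "https": 443, "tftp": 69}

LOG_RE = re.compile(
    r"(?P<proto>TCP|UDP) access denied by ACL from "
    r"(?:\w+:)?(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?:(?P<dst_if>\w+):)?(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_denied_flow(line):
    """Pull the 5-tuple out of an ASDM 'access denied by ACL' line; None if not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"].lower(), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "dst_if": m["dst_if"]}


def _take_addr(tokens):
    """Consume one ASA address operand (any | host A | A MASK) from the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse a plain extended ACE; None for object/object-group forms (unsupported here)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "extended" not in tokens:
        return None
    if any(t in ("object", "object-group") for t in tokens):
        return None
    i = tokens.index("extended") + 1
    action, proto, rest = tokens[i], tokens[i + 1], tokens[i + 2:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = None
    if len(rest) >= 2 and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"acl": tokens[1], "action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "active": "inactive" not in tokens, "text": line}


def evaluate(flow, aces):
    """First-match evaluation with the implicit deny at the end, as on an interface ACL."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for ace in aces:
        if not ace["active"] or ace["proto"] not in ("ip", flow["proto"]):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != flow["dport"]:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny at end of ACL"


def to_the_box(flow, interface_ips):
    """Name of the ASA interface whose own address the flow targets, else None.
    Interface ACLs govern through-the-box traffic; connections to the ASA's own
    addresses are governed by the management commands (http/ssh/telnet) instead."""
    for name, addr in interface_ips.items():
        if addr == flow["dst"]:
            return name
    return None


def http_allowed(src, in_if, statements):
    """True if an 'http A MASK IFACE' line admits src arriving on in_if."""
    for line in statements.splitlines():
        _, addr, mask, iface = line.split()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if iface == in_if and ipaddress.ip_address(src) in net:
            return True
    return False


if __name__ == "__main__":
    flow = parse_denied_flow(SAMPLE_LOG)
    aces = [a for a in map(parse_ace, CORP_ACL.splitlines()) if a]
    action, rule = evaluate(flow, aces)
    print(f"{flow['proto']} {flow['src']}:{flow['sport']} -> {flow['dst']}:{flow['dport']}")
    print(f"Corp_access_in result: {action} ({rule})")
    print(f"Targets ASA's own interface: {to_the_box(flow, INTERFACE_IPS)}")
    # Assumed: the packet arrived on Corp, since it is addressed to Corp's IP.
    print(f"Covered by an http statement on Corp: {http_allowed(flow['src'], 'Corp', HTTP_STATEMENTS)}")
```

Run as-is, the script shows that the logged flow is matched by `permit ip any any` in Corp_access_in, that its destination is the Corp interface's own address, and that 10.0.3.41 falls inside the `http 10.0.3.0 255.255.255.0 Corp` statement. One caveat the parser makes visible: an ACE such as `permit 53 any any` (present in inside_access_in and Development_access_in) permits IP protocol number 53, not UDP or TCP port 53, so it does nothing for DNS.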
09-10-2012 08:42 AM
Hi James,
Please post the config of your ASA in order for us to help further.
Regards,
Terence
09-10-2012 10:19 AM
Here is the running configuration
: Saved
: Written by enable_15 at 12:14:12.994 CDT Mon Sep 10 2012
!
ASA Version 8.4(2)
!
hostname ASA
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.7.1.0 ScottNet
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 5
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
switchport access vlan 6
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport trunk allowed vlan 3,5,7,16
switchport mode trunk
!
interface Vlan2
backup interface Vlan16
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.240
!
interface Vlan3
nameif Development
security-level 0
ip address 172.16.32.254 255.255.255.0
!
interface Vlan5
nameif Corp
security-level 100
ip address 10.0.1.254 255.255.252.0
!
interface Vlan6
nameif NED
security-level 100
ip address 10.60.0.254 255.255.255.0
!
interface Vlan16
nameif BACKUP
security-level 0
ip address 192.168.15.2 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.7.1.0 255.255.255.0
access-list inside_access_in extended permit ip 172.16.32.0 255.255.255.0 any inactive
access-list inside_access_in extended permit 53 any any inactive
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP 172.16.32.0 255.255.255.0 host 10.0.1.221 eq domain
access-list Development_access_in extended permit 53 any any
access-list Development_access_in extended permit object-group TCPUDP any any
access-list Development_access_in extended permit ip any any
access-list Development_access_in extended deny tcp any any eq smtp
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.70.0.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.70.0.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 172.16.30.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 10.70.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 object ScottNet
access-list Corp_access_in extended permit ip 10.70.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Corp_access_in extended permit ip any any
access-list Corp_access_in extended permit gre any any
access-list Corp_access_in extended permit udp any any eq domain
access-list Corp_access_in extended permit tcp any any eq pptp
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.252.0 object CoryNet
access-list NED_access_in extended permit ip 10.0.1.0 255.255.255.0 10.70.0.0 255.255.255.0
access-list NED_access_in extended permit ip any any
access-list Backup_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 10.0.1.221 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host 10.0.1.144 object-group TMS_Services
access-list outside_access_in extended permit tcp any host 10.0.1.146 object-group TMS_Services
access-list outside_access_in extended permit gre any host 10.0.1.221
access-list outside_access_in extended permit tcp any host 10.0.1.161 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit udp any host 10.0.1.221 eq domain
access-list outside_access_in extended permit udp host XXX.XXX.XXX.XXX any eq tftp
access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_1 eq 8005
access-list outside_access_in extended permit ip 172.16.30.0 255.255.255.0 any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 10.0.1.151
access-list outside_access_in extended permit tcp any host 10.0.1.116 eq pptp
access-list outside_access_in extended permit gre any host 10.0.1.116
access-list outside_access_in extended permit tcp any host 10.0.1.116 object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit tcp any host 10.0.1.41 eq 3389
access-list outside_access_in extended permit tcp any host 10.0.1.125 eq smtp
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu Development 1500
mtu Corp 1500
mtu NED 1500
mtu BACKUP 1500
ip local pool VPN-address-pool 10.0.2.20-10.0.2.50 mask 255.255.252.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
asdm location ScottNet 255.255.255.0 Corp
no asdm history enable
arp timeout 14400
!
access-group outside_access_in in interface outside
access-group Development_access_in in interface Development
access-group Corp_access_in in interface Corp
access-group NED_access_in in interface NED
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.30 1 track 1
route BACKUP 0.0.0.0 0.0.0.0 192.168.15.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.3.0 255.255.255.0 Corp
http 10.0.1.0 255.255.255.0 Corp
http 172.16.32.0 255.255.255.0 Development
!
track 1 rtr 123 reachability
telnet 172.16.32.0 255.255.255.0 Development
telnet 10.0.0.0 255.255.252.0 Corp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.32.15-172.16.32.100 Development
dhcpd dns 4.2.2.1 4.2.2.2 interface Development
dhcpd enable Development
!
dhcpd address 10.0.1.101-10.0.1.124 Corp
dhcpd dns 10.0.1.221 10.0.1.160 interface Corp
dhcpd wins 10.0.1.221 interface Corp
dhcpd option 66 ip 10.0.1.1 interface Corp
dhcpd option 150 ip 10.0.1.1 interface Corp
!
dhcpd dns 10.0.1.221 4.2.2.1 interface NED
dhcpd wins 10.0.1.221 interface NED
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ip-options
09-10-2012 10:43 AM
I take it that the 10.0.3.0 network is the WiFi network?
First things first. It seems you don't have a route for this network.
Please add a route for the mentioned network.
route corp 10.0.3.0 255.255.255.0 gateway of network
And you also need to parse through your config and clean it up a bit especially in your ACL.
HTH.
Terence
09-11-2012 01:35 PM
The Corp network is 10.0.0.0/22, but unfortunately that isn't included in the running config. When I remove the redirect everything works fine. The problem is that it is hitting an ACL when I set an IP redirect to the gateway 10.0.1.254.
09-11-2012 02:03 PM
Hello James,
Please remove the HTTP configuration and put it back.
clear configure http
http server enable
http 10.0.3.0 255.255.255.0 Corp
http 10.0.1.0 255.255.255.0 Corp
http 172.16.32.0 255.255.255.0 Development
Also remove the ACL, as it's not doing anything in here:
clear configure access-list Corp_access_in
Let me know,