Problem with Aironet IP redirection on ASA

jamesdborden (Level 1)

OK, so I have an Aironet redirecting all traffic to the ASA. The problem is that I can ping websites; however, I cannot access the web page.

When I go through the ASA log, here is what I get.

Severity  Date         Time      Source     Src port  Destination  Dst port  Description
3         Sep 10 2012  09:52:58  10.0.3.41  2120      10.0.1.254   80        TCP access denied by ACL from 10.0.3.41/2120 to Corp:10.0.1.254/80

Here are the incoming rules.

Corp (5 incoming rules)

#  Enabled  Source        Destination  Service     Action  Hits      Logging
1  True     10.70.0.0/24  10.0.1.0/24  ip          Permit  0         Default
2  True     any           any          ip          Permit  19110969  Default
3  True     any           any          gre         Permit  0         Default
4  True     any           any          udp/domain  Permit  0         Default
5  True     any           any          tcp/pptp    Permit  0         Default

5 Replies

terrencepayet (Level 1)

Hi James,

Please post the config of your ASA in order for us to help further.

Regards,

Terence

jamesdborden (Level 1)

Here is the running configuration:

: Saved
: Written by enable_15 at 12:14:12.994 CDT Mon Sep 10 2012
!
ASA Version 8.4(2)
!
hostname ASA
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.7.1.0 ScottNet
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 5
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
 switchport access vlan 6
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport trunk allowed vlan 3,5,7,16
 switchport mode trunk
!
interface Vlan2
 backup interface Vlan16
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.240
!
interface Vlan3
 nameif Development
 security-level 0
 ip address 172.16.32.254 255.255.255.0
!
interface Vlan5
 nameif Corp
 security-level 100
 ip address 10.0.1.254 255.255.252.0
!
interface Vlan6
 nameif NED
 security-level 100
 ip address 10.60.0.254 255.255.255.0
!
interface Vlan16
 nameif BACKUP
 security-level 0
 ip address 192.168.15.2 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.7.1.0 255.255.255.0
access-list inside_access_in extended permit ip 172.16.32.0 255.255.255.0 any inactive
access-list inside_access_in extended permit 53 any any inactive
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP 172.16.32.0 255.255.255.0 host 10.0.1.221 eq domain
access-list Development_access_in extended permit 53 any any
access-list Development_access_in extended permit object-group TCPUDP any any
access-list Development_access_in extended permit ip any any
access-list Development_access_in extended deny tcp any any eq smtp
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.70.0.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.70.0.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 172.16.30.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 10.70.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Corp_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 object ScottNet
access-list Corp_access_in extended permit ip 10.70.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Corp_access_in extended permit ip any any
access-list Corp_access_in extended permit gre any any
access-list Corp_access_in extended permit udp any any eq domain
access-list Corp_access_in extended permit tcp any any eq pptp
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.252.0 object CoryNet
access-list NED_access_in extended permit ip 10.0.1.0 255.255.255.0 10.70.0.0 255.255.255.0
access-list NED_access_in extended permit ip any any
access-list Backup_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 10.0.1.221 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host 10.0.1.144 object-group TMS_Services
access-list outside_access_in extended permit tcp any host 10.0.1.146 object-group TMS_Services
access-list outside_access_in extended permit gre any host 10.0.1.221
access-list outside_access_in extended permit tcp any host 10.0.1.161 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit udp any host 10.0.1.221 eq domain
access-list outside_access_in extended permit udp host XXX.XXX.XXX.XXX any eq tftp
access-list outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_1 eq 8005
access-list outside_access_in extended permit ip 172.16.30.0 255.255.255.0 any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 10.0.1.151
access-list outside_access_in extended permit tcp any host 10.0.1.116 eq pptp
access-list outside_access_in extended permit gre any host 10.0.1.116
access-list outside_access_in extended permit tcp any host 10.0.1.116 object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit tcp any host 10.0.1.41 eq 3389
access-list outside_access_in extended permit tcp any host 10.0.1.125 eq smtp
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu Development 1500
mtu Corp 1500
mtu NED 1500
mtu BACKUP 1500
ip local pool VPN-address-pool 10.0.2.20-10.0.2.50 mask 255.255.252.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
asdm location ScottNet 255.255.255.0 Corp
no asdm history enable
arp timeout 14400
!
access-group outside_access_in in interface outside
access-group Development_access_in in interface Development
access-group Corp_access_in in interface Corp
access-group NED_access_in in interface NED
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.30 1 track 1
route BACKUP 0.0.0.0 0.0.0.0 192.168.15.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.3.0 255.255.255.0 Corp
http 10.0.1.0 255.255.255.0 Corp
http 172.16.32.0 255.255.255.0 Development
!
track 1 rtr 123 reachability
telnet 172.16.32.0 255.255.255.0 Development
telnet 10.0.0.0 255.255.252.0 Corp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.32.15-172.16.32.100 Development
dhcpd dns 4.2.2.1 4.2.2.2 interface Development
dhcpd enable Development
!
dhcpd address 10.0.1.101-10.0.1.124 Corp
dhcpd dns 10.0.1.221 10.0.1.160 interface Corp
dhcpd wins 10.0.1.221 interface Corp
dhcpd option 66 ip 10.0.1.1 interface Corp
dhcpd option 150 ip 10.0.1.1 interface Corp
!
dhcpd dns 10.0.1.221 4.2.2.1 interface NED
dhcpd wins 10.0.1.221 interface NED
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ip-options

I take it that the 10.0.3.0 network is the WiFi network?

First things first. It seems you don't have a route for this network.

Please add a route for the mentioned network.

route corp 10.0.3.0 255.255.255.0 gateway of network

And you also need to parse through your config and clean it up a bit especially in your ACL.

HTH.

Terence

The Corp network is 10.0.0.0/22, but unfortunately that isn't included in the running config. When I remove the redirect, everything works fine. The problem is that it is hitting an ACL when I set an IP redirect to the gateway 10.0.1.254.

Hello James,

Please remove the HTTP configuration and put it back.

clear configure http

http server enable

http 10.0.3.0 255.255.255.0 Corp

http 10.0.1.0 255.255.255.0 Corp

http 172.16.32.0 255.255.255.0 Development

Also remove the ACL, as it's not doing anything in here:

clear configure access-list Corp_access_in

Let me know,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
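Added example for this thread, not Cisco tooling and not code from any of the posters. The log line in the original post has the shape of ASA message 710003 ("TCP|UDP access denied by ACL from src/port to interface:dst/port"), which the ASA logs when a connection is addressed to one of its own interface addresses (here Corp:10.0.1.254, the very gateway the Aironet redirect points at). Such "to-the-box" connections are decided by the http/ssh/telnet management allow-list commands, which is what Julio's suggestion re-enters, and never by the access-group on the interface; transit traffic dropped by an interface ACL is logged as message 106023 instead. The script below tells the two shapes apart and, for a to-the-box hit, checks the source address against the http/telnet lines copied from the posted config. The port-to-service mapping (443 for the ASA's HTTP/ASDM server by default, 22 for SSH, 23 for Telnet) is an assumption stated in the code, and the second and third sample log lines are constructed.

```python
"""Triage ASA 'access denied' log lines: to-the-box vs. through-the-box.

Added example for this thread, not Cisco tooling. The first sample line is the
one from the original post; the other two are constructed to show the other
shapes the ASA logs. Port-to-service mapping is an assumption for the example:
the ASA HTTP/ASDM server listens on 443 by default, SSH on 22, Telnet on 23.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Message 710003: a connection addressed to one of the ASA's own interface
# addresses was refused. These never consult the interface access-group.
TO_BOX = re.compile(
    r"(?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# Message 106023: a transit flow was dropped by the named access-group.
THROUGH_BOX = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<difc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

MGMT_PORTS = {443: "http", 22: "ssh", 23: "telnet"}  # assumed defaults (see docstring)

SAMPLE_LOG = [
    # line from the original post (ASDM log viewer columns flattened)
    "3 Sep 10 2012 09:52:58 10.0.3.41 2120 10.0.1.254 80 "
    "TCP access denied by ACL from 10.0.3.41/2120 to Corp:10.0.1.254/80",
    # constructed: ASDM (443) on the NED interface, where no http line exists
    "%ASA-3-710003: TCP access denied by ACL from 10.60.0.7/51022 to NED:10.60.0.254/443",
    # constructed: a transit flow dropped by the Corp interface ACL
    '%ASA-4-106023: Deny tcp src Corp:10.0.3.41/2120 dst outside:198.51.100.10/80 '
    'by access-group "Corp_access_in" [0x0, 0x0]',
]

# Management-access lines copied from the running config posted in the thread
CONFIG_MGMT = """\
http server enable
http 10.0.3.0 255.255.255.0 Corp
http 10.0.1.0 255.255.255.0 Corp
http 172.16.32.0 255.255.255.0 Development
telnet 172.16.32.0 255.255.255.0 Development
telnet 10.0.0.0 255.255.252.0 Corp
"""


@dataclass
class Verdict:
    kind: str                    # "to-the-box" or "through-the-box"
    src: str
    dst: str
    dport: int
    ifc: str                     # interface the packet arrived on
    governed_by: str             # the config statement that decides the fate
    src_allowed: Optional[bool]  # only meaningful for a management service


def parse_mgmt_allowlist(config_text: str) -> Dict[Tuple[str, str], List[ipaddress.IPv4Network]]:
    """Collect 'http|ssh|telnet <net> <mask> <ifc>' into {(service, ifc): [networks]}."""
    allow: Dict[Tuple[str, str], List[ipaddress.IPv4Network]] = {}
    for line in config_text.splitlines():
        m = re.match(r"^(http|ssh|telnet) ([\d.]+) ([\d.]+) (\S+)$", line.strip())
        if m:
            svc, net, mask, ifc = m.groups()
            allow.setdefault((svc, ifc), []).append(ipaddress.ip_network(f"{net}/{mask}"))
    return allow


def triage(line: str, allow) -> Optional[Verdict]:
    """Classify one log line; None if it is neither deny shape."""
    m = TO_BOX.search(line)
    if m:
        dport = int(m["dport"])
        svc = MGMT_PORTS.get(dport)
        if svc is None:
            governed = f"no management service on port {dport}: the ASA refuses it outright"
            allowed = None
        else:
            governed = f"'{svc} <net> <mask> {m['ifc']}' statements"
            src = ipaddress.ip_address(m["src"])
            allowed = any(src in net for net in allow.get((svc, m["ifc"]), []))
        return Verdict("to-the-box", m["src"], m["dst"], dport, m["ifc"], governed, allowed)
    m = THROUGH_BOX.search(line)
    if m:
        return Verdict("through-the-box", m["src"], m["dst"], int(m["dport"]), m["sifc"],
                       f"access-group {m['acl']} in interface {m['sifc']}", None)
    return None


def triage_all(lines: List[str], config_text: str) -> List[Verdict]:
    allow = parse_mgmt_allowlist(config_text)
    return [v for v in (triage(l, allow) for l in lines) if v is not None]


if __name__ == "__main__":
    for v in triage_all(SAMPLE_LOG, CONFIG_MGMT):
        print(f"{v.kind:16} {v.src} -> {v.ifc}:{v.dst}/{v.dport}  "
              f"decided by {v.governed_by}; source allowed: {v.src_allowed}")
```

Run against the thread's own line, the script reports a to-the-box connection to Corp:10.0.1.254 on port 80, a port on which the ASA runs no management service, so the Corp_access_in rules in the ASDM table (all permits) were never consulted; that is the check to run before editing interface ACLs. For a 443 hit from 10.0.3.41 on Corp it reports the source as allowed by the existing http lines, which is the case where re-entering the http configuration, as Julio suggests, is the next thing to try.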