09-29-2016 07:03 AM - edited 03-05-2019 07:10 AM
Hi all
I am looking to connect a Meraki router to a port on my ASA 5505 and need a little help with the configuration.
interface Ethernet0/2
description Meraki Wi-Fi
switchport access vlan 4
interface Vlan1
nameif Inside
security-level 100
ip address 20.53.166.249 255.255.255.0
!
interface Vlan2
nameif Outside
security-level 0
ip address 8.99.2.18 255.255.255.240
interface Vlan4
nameif inside
security-level 100
ip address 20.53.219.1 255.255.255.0
Can someone give me an idea of the commands for the access list and NAT rule please?
Solved! Go to Solution.
09-29-2016 12:40 PM
I like the new name for vlan 4.
I am not sure what you are doing with access-list wifi_nat0_outbound. It sort of looks like a nat exemption in pre 8.3. But the title of the post suggests that you are running 8.4. Can you clarify?
Also not clear in the other access lists what those object groups represent and so hard to comment on them.
It is not clear in your explanation whether the corporate networks are in vlan 1. If they are then you would need to permit same security level inter interface.
HTH
Rick
09-29-2016 10:03 AM
If you can tell us what you want the traffic from the Meraki router to do we could offer you better advice. I assume that Meraki traffic would forward to the Internet but it is not clear whether Meraki should be able to access Inside on vlan 1.
It would also be helpful to know if your 5505 has the Base license or has the Plus license.
I would suggest that having interfaces named Inside and inside introduces some ambiguity and potential confusion. I would suggest that you find a different interface name for vlan 4.
HTH
Rick
09-29-2016 11:55 AM
Thanks for the response Richard, much appreciated. I've made the following change:
interface Vlan4
nameif wifi
security-level 100
ip address 20.53.219.1 255.255.255.0
Then, I added the following:
access-list wifi_nat0_outbound line 1 extended permit ip 20.53.219.0 255.255.255.0 object-group All_Company_VPN_Networks
access-list wifi_access_in line 2 extended permit ip 20.53.219.0 255.255.255.0 object-group All_Company_VPN_Networks
access-list wifi_access_in line 4 extended permit tcp 20.53.219.0 255.255.255.0 any object-group WebServices
access-list wifi_access_in extended permit udp 20.53.219.0 255.255.255.0 any eq domain
I'm not sure about the following:
route wifi 10.0.0.0 255.0.0.0 20.53.219.1
The purpose of the Meraki is purely for wifi connection to reach the Internet and corporate networks.
Would appreciate it if you could confirm the above looks ok.
Cheers
09-29-2016 01:07 PM
Thanks once again Richard, I'm not trying to be vague here but do appreciate your feedback.
Ok, I've amended the security level to 100 as the corporate networks are indeed in vlan1.
There was already an "access-list wifi_nat0_outbound" access list for the 20.53.166.0 (vlan1) network, so I added one for the vlan4 subnet - is this not needed?
Many thanks
09-29-2016 01:21 PM
So how is this access list used?
HTH
Rick
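Picking up Rick's point that wifi_nat0_outbound looks like a pre-8.3 "nat 0 access-list" exemption: on ASA 8.3 and later the equivalent is an identity (no-translation) NAT rule. The following is an added example configuration, not posted by anyone in this thread, that uses the interface names and subnets from the thread and assumes WebServices is an existing TCP service object-group and that the corporate networks reachable from the wifi VLAN are the 20.53.166.0/24 Inside subnet.

```cisco
! Corporate networks sit on Vlan1 (Inside, level 100) and wifi is also level 100,
! so traffic between the two interfaces needs this explicitly enabled.
same-security-traffic permit inter-interface
!
object network WIFI_NET
 subnet 20.53.219.0 255.255.255.0
 ! PAT wifi clients behind the Outside interface address for Internet access
 nat (wifi,Outside) dynamic interface
!
object network INSIDE_NET
 subnet 20.53.166.0 255.255.255.0
!
! Identity NAT: wifi -> Inside keeps real addresses in both directions.
! This is the 8.3+ replacement for "nat (wifi) 0 access-list wifi_nat0_outbound",
! so the old-style ACL is not needed. Twice NAT (this rule) is evaluated before
! the object NAT PAT rule above, so corporate traffic is never PATed.
nat (wifi,Inside) source static WIFI_NET WIFI_NET destination static INSIDE_NET INSIDE_NET
!
! Least-privilege inbound policy on the wifi interface: corporate subnet, DNS,
! and the web ports in the WebServices group; everything else is dropped.
access-list wifi_access_in extended permit ip 20.53.219.0 255.255.255.0 20.53.166.0 255.255.255.0
access-list wifi_access_in extended permit udp 20.53.219.0 255.255.255.0 any eq domain
access-list wifi_access_in extended permit tcp 20.53.219.0 255.255.255.0 any object-group WebServices
access-list wifi_access_in extended deny ip any any log
access-group wifi_access_in in interface wifi
!
! No static route is shown: 20.53.219.0/24 is directly connected to the ASA, and a
! static route's next hop must be a neighbouring device's address, not the ASA's
! own interface IP.
```

After applying, "show nat detail" and "packet-tracer input wifi tcp 20.53.219.50 1025 20.53.166.10 445" confirm the identity rule is hit and no PAT occurs for corporate traffic.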