ASA 5505 Configuration 8.4

BHconsultants88 (Level 1)

Hi all

I am looking to connect a Meraki router to a port on my ASA 5505 and need a little help with the configuration.

interface Ethernet0/2
 description Meraki Wi-Fi
 switchport access vlan 4
!
interface Vlan1
 nameif Inside
 security-level 100
 ip address 20.53.166.249 255.255.255.0
!
interface Vlan2
 nameif Outside
 security-level 0
 ip address 8.99.2.18 255.255.255.240
!
interface vlan 4
 nameif inside
 security-level 100
 ip address 20.53.219.1 255.255.255.0

Can someone give me an idea of the commands for the access list and NAT rule please?

5 Replies

Richard Burts (Hall of Fame)

If you can tell us what you want the traffic from the Meraki router to do we could offer you better advice. I assume that Meraki traffic would forward to the Internet but it is not clear whether Meraki should be able to access Inside on vlan 1.

It would also be helpful to know if your 5505 has the Base license or has the Plus license.

I would suggest that having interfaces named Inside and inside introduces some ambiguity and potential confusion. I would suggest that you find a different interface name for vlan 4.

HTH

Rick

Thanks for the response Richard, much appreciated. I've made the following change:

interface vlan 4
 nameif wifi
 security-level 100
 ip address 20.53.219.1 255.255.255.0

Then, I added the following:

access-list wifi_nat0_outbound line 1 extended permit ip 20.53.219.0 255.255.255.0 object-group All_Company_VPN_Networks
access-list wifi_access_in line 2 extended permit ip 20.53.219.0 255.255.255.0 object-group All_Company_VPN_Networks
access-list wifi_access_in line 4 extended permit tcp 20.53.219.0 255.255.255.0 any object-group WebServices
access-list wifi_access_in extended permit udp 20.53.219.0 255.255.255.0 any eq domain

I'm not sure about the following

route wifi 10.0.0.0 255.0.0.0 20.53.219.1

The purpose of the Meraki is purely for wifi connection to reach the Internet and corporate networks.

Would appreciate it if you could confirm the above looks OK.

Cheers

[Accepted Solution]

I like the new name for vlan 4.

I am not sure what you are doing with access-list wifi_nat0_outbound. It sort of looks like a nat exemption in pre 8.3. But the title of the post suggests that you are running 8.4. Can you clarify?

Also not clear in the other access lists what those object groups represent and so hard to comment on them.

It is not clear in your explanation whether the corporate networks are in vlan 1. If they are then you would need to permit same security level inter interface.

HTH

Rick

Thanks once again Richard, I'm not trying to be vague here and do appreciate your feedback.

Ok, I've amended the security level to 100 as the corporate networks are indeed in vlan1.

There was already an "access-list wifi_nat0_outbound" access list for the 20.53.166.0 (vlan1) network, so I added one for the vlan4 subnet - is this not needed?

Many thanks

So how is this access list used?

HTH

Rick
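Pulling the thread together, here is an added example (not from the original post or from Rick's replies) of what the pieces look like in 8.4 syntax: the renamed VLAN 4 interface, the same-security permit Rick mentioned, the post-8.3 replacement for a nat0 access-list, and the inbound policy on the new interface. It assumes the addresses and interface names from the posts above and that the object-groups All_Company_VPN_Networks and WebServices already exist; the object name WIFI_LAN and the ACL name WIFI_IN are my own.

```cisco
! Added example, not the poster's configuration. Addresses and interface
! names are taken from the thread; WIFI_LAN and WIFI_IN are assumed names.
interface Ethernet0/2
 description Meraki Wi-Fi
 switchport access vlan 4
!
interface Vlan4
 nameif wifi
 security-level 100
 ip address 20.53.219.1 255.255.255.0
!
! wifi (100) <-> Inside (100): traffic between interfaces at the same
! security level is dropped unless this is enabled.
same-security-traffic permit inter-interface
!
! Object NAT: wifi clients get dynamic PAT behind the Outside address.
! It matches only the (wifi,Outside) pair, so wifi -> Inside is left
! untranslated; in 8.3+ no NAT rule is needed for that to work.
object network WIFI_LAN
 subnet 20.53.219.0 255.255.255.0
 nat (wifi,Outside) dynamic interface
!
! 8.3+ replacement for "nat (wifi) 0 access-list wifi_nat0_outbound":
! a static identity twice-NAT rule. Manual (section 1) rules are checked
! before object NAT, so wifi -> VPN-network traffic keeps its real source.
! no-proxy-arp / route-lookup are available from 8.4(2); drop them on 8.4(1).
nat (wifi,Outside) source static WIFI_LAN WIFI_LAN destination static All_Company_VPN_Networks All_Company_VPN_Networks no-proxy-arp route-lookup
!
! Inbound policy on wifi. Without an applied ACL a security-level-100
! interface may initiate anything, so end with an explicit logged deny.
access-list WIFI_IN extended permit ip 20.53.219.0 255.255.255.0 object-group All_Company_VPN_Networks
access-list WIFI_IN extended permit ip 20.53.219.0 255.255.255.0 20.53.166.0 255.255.255.0
access-list WIFI_IN extended permit tcp 20.53.219.0 255.255.255.0 any object-group WebServices
access-list WIFI_IN extended permit udp 20.53.219.0 255.255.255.0 any eq domain
access-list WIFI_IN extended deny ip any any log
access-group WIFI_IN in interface wifi
```

Two checks answer Rick's last question directly: `show run nat` and `show run access-group` list every access-list the firewall actually uses, and an ACL that appears in neither (which is what a leftover `*_nat0_outbound` list on an 8.4 box usually is) has no effect on traffic. `packet-tracer input wifi tcp 20.53.219.50 1025 8.8.8.8 80` then shows which NAT rule and ACL line a real flow would hit. On the route line in the thread: a static route's next hop must be a neighbour on that interface's subnet, and 20.53.219.1 is the ASA's own wifi address, so `route wifi 10.0.0.0 255.0.0.0 20.53.219.1` points at the firewall itself; if 10.0.0.0/8 sits behind the Meraki the next hop is the Meraki's address in 20.53.219.0/24, and if it is one of the corporate VPN networks it is reached through the tunnel and needs no route on wifi at all. Finally, Rick's licence question matters here: on a 5505 Base licence the third VLAN interface must carry `no forward interface` toward one of the other two, so it could reach Outside or Inside but not initiate to both; the Security Plus licence lifts that restriction.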