After some changes here is what I am receiving:

Built inbound UDP connection 4325 for WLAN:172.16.30.171/53558 (172.16.30.171/53558) to BeneNetwork:10.10.220.23/53 (10.10.220.23/53)

Teardown UDP connection 4271 for WLAN:172.16.30.171/62768 to BeneNetwork:10.10.220.23/53 duration 0:02:03 bytes 76

Built inbound UDP connection 4325 for WLAN:172.16.30.171/53558 (172.16.30.171/53558) to BeneNetwork:10.10.220.23/53 (10.10.220.23/53)

Teardown UDP connection 4271 for WLAN:172.16.30.171/62768 to BeneNetwork:10.10.220.23/53 duration 0:02:03 bytes 76

Packet Tracer Results

Result:
input-interface: WLAN
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Result:
input-interface: BeneNetwork
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Stephen,

There seems to be an ACL dropping the packets (which I don't see from your original configuration).

Can you post:

sh run access-list

sh run access-group

Federico.

Yes I found out that the ASA has a built-in implicit rule which deny's all traffic, you then need to create ACL's to create passage past the implicit rule.  I am having trouble doing this.  Any suggestions?

This what I get with the sh run access-list, the sh run access-group returns nothing.

access-list WLAN_nat0_outbound extended permit ip any any

Thank you  Sir,

Stephen

Stephen,

In theory since you have both interfaces we are dealing with, configured with the same security level (level 100), there's no need for an ACL to permit the traffic to flow.

However, the packet-tracer seems to report an ACL dropping problem.

What if you enable ACLs to permit the traffic.

i.e.

access-list WLAN permit ip any any

access-list Benetech permit ip any any

access-group WLAN in interface WLAN

access-group Benetech in interface Benetech

Obviously, the above ACLs are a security gap, I just want to see if by permitting all traffic explicity with the ACLs, we get a different result from the packet tracer.

Federico.

I added the lines you suggested IP packets are still being droped

here is my current configuration:

ASA Version 8.2(2)
!
hostname remote
domain-name benetech.org
enable password sh3Lt8bNBi5BmLfG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
nameif outside
security-level 0
ip address 66.201.46.94 255.255.255.240
!
interface Vlan3
description WLAN
nameif WLAN
security-level 100
ip address 172.16.30.100 255.255.255.0
!
interface Vlan4
description Benetech Network
nameif BeneNetwork
security-level 100
ip address 10.10.220.100 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
domain-name benetech.org
same-security-traffic permit inter-interface
access-list WLAN extended permit ip any any
access-list BeneNetwork extended permit ip any any
access-list WLAN_nat0_outbound extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu WLAN 1500
mtu BeneNetwork 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WLAN
icmp permit any BeneNetwork
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (WLAN) 0 access-list WLAN_nat0_outbound
nat (WLAN) 1 0.0.0.0 0.0.0.0
static (WLAN,BeneNetwork) 172.16.30.0 172.16.30.0 netmask 255.255.255.0
access-group WLAN in interface WLAN
access-group BeneNetwork in interface BeneNetwork
route outside 0.0.0.0 0.0.0.0 66.201.46.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.220.0 255.255.255.0 BeneNetwork
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.10.220.23
dhcpd domain benetech.local
dhcpd auto_config outside
dhcpd option 3 ip 172.16.30.100
!
dhcpd address 172.16.30.150-172.16.30.200 WLAN
dhcpd enable WLAN
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b63aa441f064846d661588820dfdb228

here is the result of a packet trace:

packet-tracer input WLAN tcp 172.16.30.100 53 10.10.220.23 53

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.220.0     255.255.255.0   BeneNetwork

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd8a8b300, priority=500, domain=permit, deny=true
        hits=4, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.30.100, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: WLAN
input-status: up
input-line-status: up
output-interface: BeneNetwork
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Stephen,

I would do this:

interface Vlan4
security level 99

no access-list WLAN_nat0_outbound extended permit ip any any

no nat (WLAN) 0 access-list WLAN_nat0_outbound
no nat (WLAN) 1 0.0.0.0 0.0.0.0

With the changes above, we're going to have only this configuration:

interface Vlan3
description WLAN
nameif WLAN
security-level 100
ip address 172.16.30.100 255.255.255.0

interface Vlan4
description Benetech Network
nameif BeneNetwork
security-level 99
ip address 10.10.220.100 255.255.255.0

static (WLAN,BeneNetwork) 172.16.30.0 172.16.30.0 netmask 255.255.255.0

access-list WLAN extended permit ip any any
access-list BeneNetwork extended permit ip any any

access-group WLAN in interface WLAN
access-group BeneNetwork in interface BeneNetwork

Try communication between the networks.

Federico.

Still having dropped packets, from the wireless client I can ping the gateway IP address 172.16.30.100 but not anything past there.

Post this commands after the last changes:

sh run int vlan 3
sh run int vlan 4
sh run nat
sh run static
sh run global
sh run access-list
sh run access-group

Federico.

Thank you for your help with this issue, here what you have requested.

interface Vlan3

description WLAN

nameif WLAN

security-level 100

ip address 172.16.30.100 255.255.255.0

interface Vlan4

description Benetech Network

nameif BeneNetwork

security-level 99

ip address 10.10.220.100 255.255.255.0

sh run nat – returns nothing

static (WLAN,BeneNetwork) 172.16.30.0 172.16.30.0 netmask 255.255.255.0

global (outside) 1 interface

access-list WLAN extended permit ip any any

access-list BeneNetwork extended permit ip any any

access-group BeneNetwork in interface BeneNetwork

Ok,

You should be able from a device off the WLAN interface to communicate with a device off the Benetech interface.
If it does not work, let me know the source IP and the destination IP of the connection you're trying.

Federico.

No I cannot, the IP of the laptop is 172.16.30.190 the IP I am attempting to connect to is 10.10.220.23.  I can ping the gateway 172.16.30.100 but not anything else past this IP.