05-07-2010 11:39 AM - edited 03-06-2019 10:59 AM
I have configured our ASA with an interface for the internal network (BeneNetwork) and our wireless solution (WLAN) everything is working OK the wireless clients receive all configurations from DHCP and can ping the the gateway address., but does not have communication to BeneNetwork.
Attached is my configuration for review,
Thank you,
ASA Version 8.2(2)
!
hostname remote
domain-name benetech.org
enable password sh3Lt8bNBi5BmLfG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.20.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Vlan3
description WLAN
nameif WLAN
security-level 100
ip address 172.16.30.100 255.255.255.0
!
interface Vlan4
description Benetech Network
nameif BeneNetwork
security-level 100
ip address 10.10.220.100 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
domain-name benetech.org
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu BeneNetwork 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any BeneNetwork
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WLAN) 1 0.0.0.0 0.0.0.0
nat (BeneNetwork) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.10.220.23
dhcpd domain benetech.local
dhcpd auto_config outside
dhcpd option 3 ip 172.16.30.100
!
dhcpd address 172.16.30.150-172.16.30.200 WLAN
dhcpd enable WLAN
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c40d69de4ce1b0e912f403ec6902c2b2
: end
Solved! Go to Solution.
05-13-2010 08:52 PM
After all this hard work they decided to use this ASA for another project therefore I am configuring the other ASA to provide these services. This is the .101 ASA, attached is the upgraded config reflecting my changes. I learned a lot during this process and hope to learn more thank you Federico you were fantastic!
I hope after this round I will be able to do this in my sleep LOL!
Here is my config, in my logs I am receiving this
No translation group found for udp src WLAN:10.10.230.101/62067 dst inside:10.10.220.23/53 |
:
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.220.101 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.240
!
interface Vlan3
description Wireless Network
nameif WLAN
security-level 99
ip address 10.10.230.100 255.255.255.0
!
interface Vlan22
description LAN Failover Interface
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name benetech.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host 66.201.46.85
access-list outside_access_in extended permit tcp any host 66.201.46.86
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any interface outside eq smtp log debugging
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq pptp log warnings
access-list outside_access_in extended permit tcp any interface outside eq 99
access-list outside_access_in extended permit tcp any interface outside eq 722 log
access-list outside_access_in extended permit tcp any interface outside eq 822 log
access-list outside_access_in extended permit tcp any interface outside eq 922 log
access-list outside_access_in extended permit tcp any interface outside eq www inactive
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq ftp-data
access-list outside_access_in extended permit tcp any interface outside eq 622
access-list outside_access_in extended permit icmp any interface outside
access-list LAN_access_in extended permit ip any any
access-list inside_access_out extended deny tcp 10.10.220.128 255.255.255.128 any eq smtp log warnings
access-list inside_access_out extended deny udp any eq 4000 any log warnings
access-list inside_access_out extended permit ip any any
access-list WLAN extended permit ip any any
access-list WLAN_access_in extended permit ip any any
access-list WLAN_access_in extended permit udp any any
pager lines 24
logging enable
logging emblem
logging asdm-buffer-size 512
logging buffered informational
logging trap informational
logging asdm informational
logging mail informational
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
no failover
failover lan unit primary
failover lan interface BFailover Vlan22
failover key *****
failover interface ip BFailover 172.1.1.1 255.255.255.0 standby 172.1.1.2
monitor-interface inside
monitor-interface outside
monitor-interface WLAN
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WLAN
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 822 10.10.220.21 822 netmask 255.255.255.255
static (inside,outside) tcp interface 722 10.10.220.18 722 netmask 255.255.255.255
static (inside,outside) tcp interface 922 10.10.220.29 922 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.220.19 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.xx ftp-data 10.10.220.67 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.10.220.67 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 622 10.10.220.21 622 netmask 255.255.255.255
static (inside,outside) tcp interface 99 10.10.220.24 99 netmask 255.255.255.255
static (inside,outside)xx.xx.xx.xx 10.10.220.4 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.10.220.23 netmask 255.255.255.255
static (WLAN,inside) 10.20.220.0 10.10.230.0 netmask 255.255.255.0
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group WLAN_access_in in interface WLAN
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.10.220.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint newbroot
crl configure
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 10.10.220.23
dhcpd domain benetech.local
dhcpd auto_config outside
dhcpd option 3 ip 172.16.30.100
!
dhcpd address 10.10.230.101-10.10.230.150 WLAN
!
!
class-map inspection_default
match default-inspection-traffic
class-map pptp-port
match port tcp eq pptp
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect dns benetech_dns_map
description Remove 512 byte size restriction
parameters
message-length maximum 1024
no protocol-enforcement
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
policy-map pptp_policy
class pptp-port
inspect pptp
!
service-policy global_policy global
service-policy pptp_policy interface outside
ntp server 69.25.96.13 source outside
ntp server 64.125.78.85 source outside
tftp-server inside 10.10.220.69 asa-5505-primary.conf
webvpn
csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
csd enable
username scott password rj0sFMSN.wCXUz0C encrypted privilege 15
username ryan password esjVcPBkxKv5/kd4 encrypted privilege 15
smtp-server 10.10.220.50 10.10.220.12
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:2c79861cb9b84ecbf21c620a2dab127c
: end
05-14-2010 07:14 AM
Jon,
Thank you ;-)
Stephen,
No problem, the idea is to help you out ;-)
The error:
No translation group found for udp src WLAN:10.10.230.101/62067 dst inside:10.10.220.23/53s
Seems to be that there's no NAT between those interfaces:
Try this:
static (inside,outside) 10.10.220.23 10.10.220.23
Let us know.
Federico.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: