
ASA 5505 Interface Communication

stephilewis
Level 1

I have configured our ASA with an interface for the internal network (BeneNetwork) and our wireless solution (WLAN). Everything is working OK: the wireless clients receive all configurations from DHCP and can ping the gateway address, but they do not have communication to BeneNetwork.

Attached is my configuration for review,

Thank you,

ASA Version 8.2(2)
!
hostname remote
domain-name benetech.org
enable password sh3Lt8bNBi5BmLfG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.20.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Vlan3
description WLAN
nameif WLAN
security-level 100
ip address 172.16.30.100 255.255.255.0
!
interface Vlan4
description Benetech Network
nameif BeneNetwork
security-level 100
ip address 10.10.220.100 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
domain-name benetech.org
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu BeneNetwork 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any BeneNetwork
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WLAN) 1 0.0.0.0 0.0.0.0
nat (BeneNetwork) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.10.220.23
dhcpd domain benetech.local
dhcpd auto_config outside
dhcpd option 3 ip 172.16.30.100
!
dhcpd address 172.16.30.150-172.16.30.200 WLAN
dhcpd enable WLAN
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c40d69de4ce1b0e912f403ec6902c2b2
: end
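An added example, not from the original post and not Cisco's own text: why this first config drops WLAN to BeneNetwork traffic on ASA 8.2, and one way to fix it. In 8.2 dynamic NAT is matched by ID: `nat (WLAN) 1 0.0.0.0 0.0.0.0` claims every WLAN source, and the only `global ... 1` in the config is on outside, so a WLAN to BeneNetwork flow has no translation on its egress interface and the ASA drops it, logging %ASA-3-305005 "No translation group found". `same-security-traffic permit inter-interface` is already present, so the access policy is not what blocks the traffic; the NAT lookup is. `no nat-control` is the 8.2 default, but it only helps sources that match no `nat` statement at all, which is not the case here. The addresses are the ones in the posted config; the ACL names and the test client address are assumptions.

```cisco
! Added example, not from the original post. Addresses come from the posted
! config; ACL names and the test client (172.16.30.150, a DHCP pool address)
! are assumed.
!
! NAT exemption (nat 0 with an access-list) has the highest NAT precedence,
! so it wins over "nat (WLAN) 1 0.0.0.0 0.0.0.0" for WLAN <-> BeneNetwork
! traffic while Internet-bound WLAN traffic still uses global (outside) 1.
access-list WLAN_nat0 extended permit ip 172.16.30.0 255.255.255.0 10.10.220.0 255.255.255.0
nat (WLAN) 0 access-list WLAN_nat0
!
! Exemption allows connections to start from either side, but a matching
! rule on BeneNetwork keeps BeneNetwork-initiated flows from being claimed
! by "nat (BeneNetwork) 1" first.
access-list BeneNetwork_nat0 extended permit ip 10.10.220.0 255.255.255.0 172.16.30.0 255.255.255.0
nat (BeneNetwork) 0 access-list BeneNetwork_nat0
!
! Verify without touching a client: packet-tracer runs the real lookups
! (route, ACL, NAT) for a synthetic packet and names the phase that drops it.
! This models a wireless client resolving a name against the DHCP-advertised
! DNS server 10.10.220.23.
packet-tracer input WLAN udp 172.16.30.150 1025 10.10.220.23 53
!
! After the fix the exempt flow shows up as an identity xlate, and no new
! 305005 entries should appear for WLAN -> BeneNetwork.
show xlate
show logging | include 305005
```

Before the exemption is added, the trace ends in a DROP at the NAT phase; afterwards it reports ALLOW and the exemption rule it matched. Note the security consequence: both interfaces are security level 100, inter-interface traffic is permitted, and no access-group is applied to WLAN, so once the translation problem is gone every wireless client has unrestricted reach into BeneNetwork. An inbound ACL on the WLAN interface is the place to limit that to the services the wireless segment actually needs.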

76 Replies

After all this hard work they decided to use this ASA for another project, therefore I am configuring the other ASA to provide these services. This is the .101 ASA; attached is the upgraded config reflecting my changes. I learned a lot during this process and hope to learn more. Thank you Federico, you were fantastic!

I hope after this round I will be able to do this in my sleep LOL!

Here is my config. In my logs I am receiving this:

No translation group found for udp src WLAN:10.10.230.101/62067 dst inside:10.10.220.23/53

:

names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.220.101 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.240
!
interface Vlan3
description Wireless Network
nameif WLAN
security-level 99
ip address 10.10.230.100 255.255.255.0
!
interface Vlan22
description LAN Failover Interface
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name benetech.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host 66.201.46.85
access-list outside_access_in extended permit tcp any host 66.201.46.86
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any interface outside eq smtp log debugging
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq pptp log warnings
access-list outside_access_in extended permit tcp any interface outside eq 99
access-list outside_access_in extended permit tcp any interface outside eq 722 log
access-list outside_access_in extended permit tcp any interface outside eq 822 log
access-list outside_access_in extended permit tcp any interface outside eq 922 log
access-list outside_access_in extended permit tcp any interface outside eq www inactive
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq ftp-data
access-list outside_access_in extended permit tcp any interface outside eq 622
access-list outside_access_in extended permit icmp any interface outside
access-list LAN_access_in extended permit ip any any
access-list inside_access_out extended deny tcp 10.10.220.128 255.255.255.128 any eq smtp log warnings
access-list inside_access_out extended deny udp any eq 4000 any log warnings
access-list inside_access_out extended permit ip any any
access-list WLAN extended permit ip any any
access-list WLAN_access_in extended permit ip any any
access-list WLAN_access_in extended permit udp any any
pager lines 24
logging enable
logging emblem
logging asdm-buffer-size 512
logging buffered informational
logging trap informational
logging asdm informational
logging mail informational
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
no failover
failover lan unit primary
failover lan interface BFailover Vlan22
failover key *****
failover interface ip BFailover 172.1.1.1 255.255.255.0 standby 172.1.1.2
monitor-interface inside
monitor-interface outside
monitor-interface WLAN
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WLAN
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 822 10.10.220.21 822 netmask 255.255.255.255
static (inside,outside) tcp interface 722 10.10.220.18 722 netmask 255.255.255.255
static (inside,outside) tcp interface 922 10.10.220.29 922 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.220.19 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.xx ftp-data 10.10.220.67 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.10.220.67 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 622 10.10.220.21 622 netmask 255.255.255.255
static (inside,outside) tcp interface 99 10.10.220.24 99 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.10.220.4 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.10.220.23 netmask 255.255.255.255
static (WLAN,inside) 10.20.220.0 10.10.230.0 netmask 255.255.255.0
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group WLAN_access_in in interface WLAN
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.10.220.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint newbroot
crl configure
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 10.10.220.23
dhcpd domain benetech.local
dhcpd auto_config outside
dhcpd option 3 ip 172.16.30.100
!
dhcpd address 10.10.230.101-10.10.230.150 WLAN
!
!
class-map inspection_default
match default-inspection-traffic
class-map pptp-port
match port tcp eq pptp
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map type inspect dns benetech_dns_map
description Remove 512 byte size restriction
parameters
  message-length maximum 1024
  no protocol-enforcement
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map pptp_policy
class pptp-port
  inspect pptp
!
service-policy global_policy global
service-policy pptp_policy interface outside
ntp server 69.25.96.13 source outside
ntp server 64.125.78.85 source outside
tftp-server inside 10.10.220.69 asa-5505-primary.conf
webvpn
csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
csd enable
username scott password rj0sFMSN.wCXUz0C encrypted privilege 15
username ryan password esjVcPBkxKv5/kd4 encrypted privilege 15
smtp-server 10.10.220.50 10.10.220.12
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:2c79861cb9b84ecbf21c620a2dab127c
: end

Jon,
Thank you ;-)

Stephen,
No problem, the idea is to help you out ;-)

The error:
No translation group found for udp src WLAN:10.10.230.101/62067 dst inside:10.10.220.23/53

Seems to be that there's no NAT between those interfaces.

Try this:
static (inside,outside) 10.10.220.23 10.10.220.23

Let us know.

Federico.
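Applied to the second (.101) config posted above, as an added example that is not part of the thread and not Cisco's own text. Three things in that config are worth a practitioner's attention, all visible in the posted lines: the logged flow is WLAN 10.10.230.101 to inside 10.10.220.23 on udp/53, but the only WLAN translation is `static (WLAN,inside) 10.20.220.0 10.10.230.0`, which presents wireless clients to inside as 10.20.220.x, a prefix no inside host is shown to have a route for; `WLAN_access_in` is `permit ip any any`, so a security-level 99 wireless segment has full reach into the level 100 inside network; and `dhcpd option 3 ip 172.16.30.100` is left over from the old 172.16.30.0/24 WLAN and hands clients in the 10.10.230.101-150 pool a router that is not on their subnet. Which services the wireless segment needs, and that it should also reach the Internet, are assumptions; the ACL contents and the test client address are likewise assumed.

```cisco
! Added example, not from the thread. Addresses come from the posted .101
! config; the ACL policy, the test client and the Internet requirement are
! assumptions.
!
! 1. Replace the translating static with an identity static. WLAN clients keep
!    their real 10.10.230.x addresses on inside (no return-route question), and
!    WLAN -> inside flows get the translation the 305005 message says is
!    missing. Inside-initiated flows toward WLAN are not addressed here.
no static (WLAN,inside) 10.20.220.0 10.10.230.0 netmask 255.255.255.0
static (WLAN,inside) 10.10.230.0 10.10.230.0 netmask 255.255.255.0
!
! If wireless clients should also reach the Internet, they need a dynamic rule
! paired with "global (outside) 1 interface". The static above has higher
! precedence, so WLAN -> inside traffic is not PATed to the inside address even
! though "global (inside) 1 interface" is also present in this config.
nat (WLAN) 1 0.0.0.0 0.0.0.0
!
! 2. WLAN (99) is below inside (100), so the inbound ACL on WLAN is the control
!    that decides what wireless clients may reach. Replace "permit ip any any"
!    with the minimum: DNS to the server advertised by DHCP, nothing else on
!    inside, then Internet. Clearing the ACL also drops its access-group
!    binding on this platform, so the binding is re-applied below.
clear configure access-list WLAN_access_in
access-list WLAN_access_in extended permit udp 10.10.230.0 255.255.255.0 host 10.10.220.23 eq domain
access-list WLAN_access_in extended deny ip any 10.10.220.0 255.255.255.0 log
access-list WLAN_access_in extended permit ip 10.10.230.0 255.255.255.0 any
access-group WLAN_access_in in interface WLAN
!
! 3. Hand out a default gateway that is actually on the 10.10.230.0/24 subnet
!    (the WLAN interface address) instead of the stale 172.16.30.100.
no dhcpd option 3
dhcpd option 3 ip 10.10.230.100
!
! Check the result with the exact flow from the log line: the trace should end
! in ALLOW with the identity static matched, an xlate for the client should
! exist, and no new 305005 entries should follow.
packet-tracer input WLAN udp 10.10.230.101 62067 10.10.220.23 53
show xlate | include 10.10.230
show logging | include 305005
```

The deny line is logged on purpose: once wireless is confined to DNS, any hit on it is a client probing the inside network and is worth seeing in the buffered log alongside the 305005 entries that started this thread.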
