Routing to internet from different subnets on ASA 5520

Jul 6th, 2007

I am setting up a new ASA 5520 and have no problems from the subnet that the firewall is on. But from my wireless subnet I cannot reach the internet. I added a route from the wireless subnet to the gateway subnet and it doesn't connect.

acomiskey Fri, 07/06/2007 - 07:20

So you have something like...

Internet - ASA - inside - inside router - wireless subnet

The wireless clients have a dg of the inside router and the inside router has a dg of inside ASA?

Do you have a route statement on the ASA for the wireless subnet?

route inside

Is the wireless subnet included in your nat statement?

nat (inside) 1
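The two checks in this reply (a route on the ASA pointing the wireless subnet at the inside router, and the wireless subnet being matched by the nat statement, here through its access-list, with a global for the same NAT id) can be run mechanically over a saved config. The script below is an added example, not code from this thread or from Cisco. The configuration text it parses is constructed for illustration with RFC 1918 / RFC 5737 addresses, and `parse_config`, `check_subnet` and the other names are this example's own. It reads ASA 7.x-style `interface`, `route`, `access-list ... extended permit`, `nat` and `global` lines and reports, for a given subnet behind the inside interface, whether the subnet is routed and whether it is NATed; a second copy of the same config with the wireless subnet added to the NAT ACL shows the report change.

```python
"""Audit whether an inside subnet is routed and NATed on a Cisco ASA 7.x config.

Added example for this thread, not code from the thread or from Cisco. The
configuration text below is constructed (RFC 1918 / RFC 5737 addresses) and
all function names are this example's own.
"""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed config: the directly connected LAN is NATed, but the wireless
# subnet behind the inside router is only routed, not in the NAT access-list.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.224
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.4.2 255.255.255.0
access-list inside_nat_outbound extended permit ip 10.1.4.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.5.0 255.255.255.0 10.1.4.1 1
"""

# Same constructed config with the wireless subnet added to the NAT ACL.
FIXED_CONFIG = SAMPLE_CONFIG + (
    "access-list inside_nat_outbound extended permit ip 10.1.5.0 255.255.255.0 any\n"
)


def _net(addr, mask):
    """ASA 'address netmask' pair -> network (host bits are masked off)."""
    return ipaddress.IPv4Network((addr, mask), strict=False)


def _acl_source(tokens):
    """Source network of an ACE, given the tokens after the protocol keyword."""
    if tokens[0] == "any":
        return ANY
    if tokens[0] == "host":
        return _net(tokens[1], "255.255.255.255")
    return _net(tokens[0], tokens[1])


def parse_config(text):
    """Extract connected interface networks, routes, NAT sources and global ids."""
    blocks, routes, acls, nat, globals_ = [], [], {}, {}, set()
    cur = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            cur = {}
            blocks.append(cur)
        elif tokens[0] == "nameif" and cur is not None:
            cur["nameif"] = tokens[1]
        elif tokens[:2] == ["ip", "address"] and cur is not None:
            cur["net"] = _net(tokens[2], tokens[3])
        elif tokens[0] == "route":
            routes.append((tokens[1], _net(tokens[2], tokens[3])))
        elif tokens[0] == "access-list" and tokens[2:4] == ["extended", "permit"]:
            acls.setdefault(tokens[1], []).append(_acl_source(tokens[5:]))
        elif tokens[0] == "nat":
            nameif, nat_id = tokens[1].strip("()"), int(tokens[2])
            if tokens[3] == "access-list":
                nat.setdefault(nameif, []).append((nat_id, "acl", tokens[4]))
            else:
                nat.setdefault(nameif, []).append((nat_id, "net", _net(tokens[3], tokens[4])))
        elif tokens[0] == "global":
            globals_.add(int(tokens[2]))
    # Resolve policy-NAT ACL references after the whole config is read, so the
    # order of ACEs relative to the nat statement does not matter.
    nat_sources = {}
    for nameif, entries in nat.items():
        for nat_id, kind, value in entries:
            sources = acls.get(value, []) if kind == "acl" else [value]
            nat_sources.setdefault(nameif, []).extend((nat_id, s) for s in sources)
    interfaces = {b["nameif"]: b["net"] for b in blocks if "nameif" in b and "net" in b}
    return {"interfaces": interfaces, "routes": routes, "nat": nat_sources, "globals": globals_}


def check_subnet(text, subnet, inside="inside"):
    """Is `subnet`, living behind interface `inside`, routed and NATed?

    routed: directly connected to `inside`, or covered by a route out `inside`.
    natted: covered by a nat source on `inside` whose id has a matching global
            (id 0 is identity NAT / exemption and needs no global).
    """
    cfg = parse_config(text)
    net = ipaddress.IPv4Network(subnet)
    connected = cfg["interfaces"].get(inside)
    routed = (connected is not None and net.subnet_of(connected)) or any(
        ifname == inside and net.subnet_of(dest) for ifname, dest in cfg["routes"]
    )
    natted = any(
        net.subnet_of(src) and (nat_id == 0 or nat_id in cfg["globals"])
        for nat_id, src in cfg["nat"].get(inside, [])
    )
    return {"routed": routed, "natted": natted}


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("NAT ACL extended", FIXED_CONFIG)):
        print(f"{label}: wireless 10.1.5.0/24 -> {check_subnet(cfg, '10.1.5.0/24')}")
```

On the constructed config, 10.1.5.0/24 comes back routed but not NATed, which is exactly the symptom described in the question; once an ACE for that subnet is added to the NAT access-list, both checks pass. Run the script against a pasted `show running-config` to get the same report for a real box.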

kmcilvaine Fri, 07/06/2007 - 08:01

I have a route statement for the wireless but I do not have a nat rule. Do I need a static nat rule to the subnet?

route inside <10.112.5.0> <255.255.255.0> <10.112.4.1>


acomiskey Fri, 07/06/2007 - 08:03

Post a "show run nat"

So 10.112.5.0 is the wireless subnet?

And 10.112.4.1 is inside router?

kmcilvaine Fri, 07/06/2007 - 08:12

ciscoasa# sh run nat

nat (Lan) 1 access-list Lan_nat_outbound

acomiskey Fri, 07/06/2007 - 08:13

Ok, how about a "show access-list Lan_nat_outbound"

kmcilvaine Fri, 07/06/2007 - 08:15

ciscoasa(config)# show access-list Lan_nat_outbound
access-list Lan_nat_outbound; 1 elements
access-list Lan_nat_outbound line 1 extended permit ip any any (hitcnt=0) 0x50239b0a

acomiskey Fri, 07/06/2007 - 08:15

Also, can you ping the ASA from the wireless subnet? This would rule out a routing problem.

acomiskey Fri, 07/06/2007 - 08:23

That should work. Do you want to post a sanitized config from the ASA?

kmcilvaine Fri, 07/06/2007 - 08:40

ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxxx.com
enable password xxxxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Wan
 security-level 0
 ip address 65.x.x.98 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Lan
 security-level 100
 ip address 11.x.x.0 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 nameif vpn
 security-level 0
 ip address 11.x.x.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd cxxcxccx encrypted
boot system disk0:/asa722-19-k8
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Wan
dns server-group DefaultDNS
 name-server 200.100.3.65
 domain-name xxxxxxxx
access-list Wan_access_in_1 extended permit tcp host 200.100.15.36 host 65.000.215.000 eq 3268
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.000 eq smtp
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.101 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 e
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq 1433
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq 1414



kmcilvaine Fri, 07/06/2007 - 08:42

access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.000.4 host 65.00.000.107 eq smtp
access-list Wan_access_in_1 extended permit tc
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.104 eq https
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 17335
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 22334
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 22335
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.108 eq 5003
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 5003
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.102 eq lotusnotes
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq www
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq 1433
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq 1414
access-list Wan_access_in_1 extended permit tcp host 6
.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq smtp
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq www
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq 1433


kmcilvaine Fri, 07/06/2007 - 08:43

access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq smtp
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq 1414
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq www
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq 1433
access-list Wan_access_in_1 extended permit tcp
.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq smtp
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq 1414
access-list Lan_nat_outbound extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu vpn 1500
mtu management 1500
ip local pool Poolip 10.000.00.51-10.000.00.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-52
no asdm history enable
arp timeout 14400
nat-control
global (Wan) 1 interface
nat (Lan) 1 access-list Lan_nat_outbound
static (Lan,Wan) 65.000.000.106 10.00.0.32 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.101 10.000.0.47 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.107 10.000.00.77 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.104 10.000.0.53 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.108 10.000.00.17 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.102 10.000.00.2 netmask 255.255



kmcilvaine Fri, 07/06/2007 - 08:43

access-group Wan_access_in_1 in interface Wan
route Wan 0.0.0.0 0.0.0.0 65.000.000.97 1
route Lan 10.000.5.0 255.255.255.0 10.000.0.49 1
route Lan 10.000.00.0 255.255.255.0 10.000.0.49 1
route Lan 10.000.0.0 255.255.255.0 10.000.0.49 1
route Lan 10.000.00.0 255.255.255.0 10.000.00.49 1
route vpn 65.000.000.98 255.255.255.255 65.000.000.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server 00000 protocol ldap
aaa-server 0000 (Lan) host 10.000.0.32
 timeout 5
 ldap-scope onelevel
group-policy 00000 internal
group-policy 00000 attributes
 wins-server value 10.000.0.50 10.000.00.16
 dns-server value 10.000.00.50 10.000.000.16
 vpn-tunnel-protocol IPSec
 default-domain value 000000
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server c
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map vpn_dyn_map 20 set pfs
crypto dynamic-map vpn_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map vpn_map 65535 ipsec-isakmp dynamic vpn_dyn_map
crypto map vpn_map interface vpn
crypto isakmp enable vpn
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 0000 type ipsec-ra
tunnel-group 000 general-attributes
 address-pool Poolip
 authentication-server-group 000000
 default-group-policy 000000
tunnel-group cxcvcx ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
