Routing to internet from different subnets on asa5520

Unanswered Question
Jul 6th, 2007

I am setting up a new asa 5520 and have no problems from the subnet that the firewall is on. But from my wireless subnet I cannot reach the internet. I added a route from the wireless subnet to the gateway subnet and it doesn't connect.

acomiskey Fri, 07/06/2007 - 07:20

So you have something like...

Internet - ASA - inside - inside router - wireless subnet

The wireless clients have a dg of the inside router and the inside router has a dg of inside ASA?

Do you have a route statement on the ASA for the wireless subnet?

route inside

Is the wireless subnet included in your nat statement?

nat (inside) 1
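
An added troubleshooting script, not from this thread or from Cisco, that pulls the two things asked about above (a route statement and a nat statement covering the subnet) out of an ASA 7.x running-config and reports which halves are present for a given inside subnet. The config text is a constructed sample shaped like the one posted later in the thread, and the nat/global/access-list handling assumes the pre-8.3 syntax shown there.

```python
import ipaddress
import re
# Constructed sample shaped like the ASA 7.2 config in this thread, with its wireless subnet and inside router.
GOOD_CONFIG = """\
nat-control
global (Wan) 1 interface
nat (Lan) 1 access-list Lan_nat_outbound
access-list Lan_nat_outbound extended permit ip any any
route Wan 0.0.0.0 0.0.0.0 65.0.0.97 1
route Lan 10.112.5.0 255.255.255.0 10.112.4.1 1
"""

def parse_addr(spec):
    """ASA address syntax ('any', 'host A.B.C.D', 'A.B.C.D M.M.M.M') -> ip_network."""
    tok = spec.split()
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok[0] == "host":
        return ipaddress.ip_network(f"{tok[1]}/32")
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)

def routes_for(cfg, net):
    """Non-default static routes covering `net` (the default route cannot bring return traffic back inside)."""
    found = []
    for iface, dst, mask, gw in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        dst_net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        if dst_net.prefixlen > 0 and net.subnet_of(dst_net):
            found.append((iface, str(dst_net), gw))
    return found

def nat_sources(cfg):
    """Source networks translated by 'nat (iface) ID ...' rules whose ID has a matching global."""
    global_ids = set(re.findall(r"^global \(\S+\) (\d+)", cfg, re.M))
    nets = []
    for nat_id, rest in re.findall(r"^nat \(\S+\) (\d+) (.+)$", cfg, re.M):
        if nat_id == "0" or nat_id not in global_ids:
            continue  # nat 0 is exemption, not translation; an ID with no global has nothing to PAT to
        if rest.startswith("access-list "):  # policy NAT: sources come from the named ACL
            pat = rf"^access-list {re.escape(rest.split()[1])} extended permit \S+ (any|host \S+|\S+ \S+)"
            nets += [parse_addr(s) for s in re.findall(pat, cfg, re.M)]
        else:
            nets.append(parse_addr(rest))
    return nets

def check_subnet(cfg, subnet):
    """With nat-control on, an inside subnet reaches the internet only if it has both halves."""
    net = ipaddress.ip_network(subnet)
    routes = routes_for(cfg, net)
    nat = [str(n) for n in nat_sources(cfg) if net.subnet_of(n)]
    return {"route": routes, "nat": nat, "ok": bool(routes) and bool(nat)}
```

Run it against `show run` output pasted into a file; a subnet with `"route": []` is the case acomiskey's first question covers, and one with `"nat": []` is the case the second one covers.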

kmcilvaine Fri, 07/06/2007 - 08:01

I have a route statement for the wireless but I do not have a nat rule. Do I need a static nat rule to the subnet?

route inside <10.112.5.0> <255.255.255.0> <10.112.4.1>

acomiskey Fri, 07/06/2007 - 08:03

Post a "show run nat"

So 10.112.5.0 is the wireless subnet?

And 10.112.4.1 is inside router?

kmcilvaine Fri, 07/06/2007 - 08:15

ciscoasa(config)# show access-list Lan_nat_outbound
access-list Lan_nat_outbound; 1 elements
access-list Lan_nat_outbound line 1 extended permit ip any any (hitcnt=0) 0x50239b0a

acomiskey Fri, 07/06/2007 - 08:15

Also, can you ping the ASA from the wireless subnet? This would rule out a routing problem.

acomiskey Fri, 07/06/2007 - 08:23

That should work. Do you want to post a sanitized config from the ASA?

kmcilvaine Fri, 07/06/2007 - 08:40

ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxxx.com
enable password xxxxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Wan
 security-level 0
 ip address 65.x.x.98 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Lan
 security-level 100
 ip address 11.x.x.0 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 nameif vpn
 security-level 0
 ip address 11.x.x.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd cxxcxccx encrypted
boot system disk0:/asa722-19-k8
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Wan
dns server-group DefaultDNS
 name-server 200.100.3.65
 domain-name xxxxxxxx
access-list Wan_access_in_1 extended permit tcp host 200.100.15.36 host 65.000.215.000 eq 3268
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.000 eq smtp
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.101 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 e
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq 1433
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq 1414

kmcilvaine Fri, 07/06/2007 - 08:42

access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.000.4 host 65.00.000.107 eq smtp
access-list Wan_access_in_1 extended permit tc
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.104 eq https
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 17335
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 22334
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 22335
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.108 eq 5003
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 5003
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.102 eq lotusnotes
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq www
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq 1433
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq 1414
access-list Wan_access_in_1 extended permit tcp host 6
.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq smtp
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq www
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq 1433

kmcilvaine Fri, 07/06/2007 - 08:43

access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq smtp
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq 1414
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq www
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq 1433
access-list Wan_access_in_1 extended permit tcp
.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq smtp
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq 1414
access-list Lan_nat_outbound extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu vpn 1500
mtu management 1500
ip local pool Poolip 10.000.00.51-10.000.00.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-52
no asdm history enable
arp timeout 14400
nat-control
global (Wan) 1 interface
nat (Lan) 1 access-list Lan_nat_outbound
static (Lan,Wan) 65.000.000.106 10.00.0.32 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.101 10.000.0.47 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.107 10.000.00.77 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.104 10.000.0.53 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.108 10.000.00.17 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.102 10.000.00.2 netmask 255.255

kmcilvaine Fri, 07/06/2007 - 08:43

access-group Wan_access_in_1 in interface Wan
route Wan 0.0.0.0 0.0.0.0 65.000.000.97 1
route Lan 10.000.5.0 255.255.255.0 10.000.0.49 1
route Lan 10.000.00.0 255.255.255.0 10.000.0.49 1
route Lan 10.000.0.0 255.255.255.0 10.000.0.49 1
route Lan 10.000.00.0 255.255.255.0 10.000.00.49 1
route vpn 65.000.000.98 255.255.255.255 65.000.000.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server 00000 protocol ldap
aaa-server 0000 (Lan) host 10.000.0.32
 timeout 5
 ldap-scope onelevel
group-policy 00000 internal
group-policy 00000 attributes
 wins-server value 10.000.0.50 10.000.00.16
 dns-server value 10.000.00.50 10.000.000.16
 vpn-tunnel-protocol IPSec
 default-domain value 000000
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server c
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map vpn_dyn_map 20 set pfs
crypto dynamic-map vpn_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map vpn_map 65535 ipsec-isakmp dynamic vpn_dyn_map
crypto map vpn_map interface vpn
crypto isakmp enable vpn
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 0000 type ipsec-ra
tunnel-group 000 general-attributes
 address-pool Poolip
 authentication-server-group 000000
 default-group-policy 000000
tunnel-group cxcvcx ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
