Well, I have run into a very frustrating problem here, I have 3 subinterfaces on the E0/2 interface, the first one, the VOICE insterface, I can ping through and everything, 10.15.120.x, no problem I see the debugs both ends. However, I have another VLAN, 47, setup the same way, I have a WLC 4402 on this vlan, It seems none of the traffic for this subnet is hitting the ASA, I see no ICMP responses, but I can ping the WLC, nothing else on that VLAN though. Very frustrating. If I try to ping something on 10.1.3.x which I have routed via a static route on the ASA to the router on e0/2.2, I dont even see it hit the ASA.

interface Ethernet0/2.2

vlan 2

nameif Cisco-Voice

security-level 100

ip address 10.15.124.254 255.255.255.0

!

interface Ethernet0/2.47

vlan 47

nameif WLC-Management

security-level 100

ip address 10.10.47.254 255.255.255.0

access-list Nat2Voip extended permit ip 10.10.48.0 255.255.252.0 10.0.0.0 255.0.0.0

access-list Nat2WLC extended permit ip 10.10.48.0 255.255.252.0 10.10.47.0

255.255.255.0

global (outside) 1 interface

global (Cisco-Voice) 2 interface

global (WLC-Management) 3 interface

nat (inside) 2 access-list Nat2Voip

nat (inside) 3 access-list Nat2WLC

nat (inside) 1 10.10.48.0 255.255.252.0

nat (Guest) 1 192.168.168.0 255.255.255.0

route inside 10.1.3.0 255.255.255.0 10.15.124.1 1

S 10.1.3.0 255.255.255.0 [1/0] via 10.15.124.1, inside

C 10.10.47.0 255.255.255.0 is directly connected, WLC-Management

C 10.10.48.0 255.255.252.0 is directly connected, inside

C 10.15.124.0 255.255.255.0 is directly connected, Cisco-Voice

ICMP echo request from inside:10.10.48.10 to Cisco-Voice:10.15.124.1 ID=512 seq=10752 len=32

ICMP echo request translating inside:10.10.48.10/512 to Cisco-Voice:10.15.124.254/23852

ICMP echo reply from Cisco-Voice:10.15.124.1 to inside:10.15.124.254 ID=23852 seq=10752 len=32

ICMP echo reply untranslating Cisco-Voice:10.15.124.254/23852 to inside:10.10.48.10/512

There is a 3750 switch stack in between all this, the router and ASA is trunked into it. Could this be the switch causing this? For some reason the ASDM fails to launch as well. I get unnconnected sockets not implemented.

:banging head:

It is always the simplest things. Changing the ACL seemed to work I can ping 10.10.47.1 now. I can pull up the WLC interface now. Thanks, too many days on this project have clouded my mind. Now to get the AP's working with guest access and I can install all this stuff on Friday! :)

Thanks again.

Edit, I reduced the security levels to 50 on those interfaces and they are working as they should now, damned ACL's get me every time. :)

"Edit, I reduced the security levels to 50 on those interfaces and they are working as they should now, damned ACL's get me every time. :)"

It's always something. For me on a pix/asa i setup the NAT, acl's etc.. fine every time and then forget about routes and spend a good half an hour rechecking statics/acls :-)

Glad you got it working.

Jon

If the packet is in the default inspection, would you still need to permit the return icmp packet inbound on the outside interface? And if so, would you only need to allow the echo-reply and not echo?

Thanks,

John

John

"If the packet is in the default inspection, would you still need to permit the return icmp packet inbound on the outside interface?"

No you wouldn't, the above would be enough. But bear in mind that prior to v7.x code you didn't have this capability so you would need to allow the echo-reply back in with an acl.

Jon

So the inspects on the ASA work like CBAC on a router.

Well yes kind of.

The tcp inspect in CBAC is equivalent to the generic stateful firewall ie. TCP and UDP connections although strictly speaking the UDP connections don't have state so the firewall uses timers.

The more detailed inspects on CBAC and on the ASA have additional logic that allows them to "understand" part of the actual application protocol. Not all of it but enough to securely allow it through a firewall.

Just for your reference prior to v7.x the inspect features on pix firewalls were referred to as "fixups".

Jon