cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8593
Views
5
Helpful
76
Replies

ASA 5505 Interface Communication

stephilewis
Level 1
Level 1

I have configured our ASA with an interface for the internal network (BeneNetwork) and our wireless solution (WLAN) everything is working OK the wireless clients receive all configurations from DHCP and can ping the the gateway address., but does not have communication to BeneNetwork.

Attached is my configuration for review,

Thank you,

ASA Version 8.2(2)
!
hostname remote
domain-name benetech.org
enable password sh3Lt8bNBi5BmLfG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.20.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Vlan3
description WLAN
nameif WLAN
security-level 100
ip address 172.16.30.100 255.255.255.0
!
interface Vlan4
description Benetech Network
nameif BeneNetwork
security-level 100
ip address 10.10.220.100 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
domain-name benetech.org
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu WLAN 1500
mtu BeneNetwork 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any BeneNetwork
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (WLAN) 1 0.0.0.0 0.0.0.0
nat (BeneNetwork) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.10.220.23
dhcpd domain benetech.local
dhcpd auto_config outside
dhcpd option 3 ip 172.16.30.100
!
dhcpd address 172.16.30.150-172.16.30.200 WLAN
dhcpd enable WLAN
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c40d69de4ce1b0e912f403ec6902c2b2
: end

2 Accepted Solutions

Accepted Solutions

Stephen,

Could you please try this:

static (inside,inside) 10.10.220.0 10.10.220.0 netmask 255.255.255.0

Federico.

View solution in original post

Stephen,

I'm very glad to hear that is working now.

Please rate the post if you find it helpful (this was the longest one I remembered ;-))

Federico.

View solution in original post

76 Replies 76

Stephen,

Add the following command to test the communication between the WLAN and Benetech network.

static (WLAN,Benetech) 172.16.30.0 172.16.30.0 netmask 255.255.255.0

There's no need for ACLs since both interfaces have the same security level.

Federico.

I used this static (WLAN,BeneNetwork) 172.16.30.0 172.16.30.0 netmask 255.255.255.0 with no success.

Before I make any changes should this be formatted as static (WLAN,BeneNetwork) 172.16.30.0 10.10.220.0 netmask 255.255.255.0

Stephen,

You should not change the static.

Can you please verify that the devices on the 172.16.30.0/24 and 10.10.220.100/24 have their default gateway the ASA?

172.16.30.100 and 10.10.200.100

Federico.

All devices on the 10.10.220.0 network is using another device for gateway the address is 10.10.220.101 both devices are connected to the same LAN segment.  I can ping 10.10.220.100 from BeneNetwork but not from WLAN.

The WLAN clients are using 172.16.30.100 for their gateway.

Stephen,

The 10.10.220.101 device is a router?

This device should have a route to 172.16.30.0/24 pointing to the 10.10.220.100 (ASA), or a default gateway pointing to the ASA.

Please confirm this.

Federico.

its another asa they wanted to separated the devices, i will try the route.  is this so the 10.10.220.0 network knows where to return communication?

Exactly.

Federico.

heres what i put in the other asa route 172.16.30.0 255.255.255.0 10.10.220.100 1

still having issues

The Wireless clients have 172.16.30.100 as their default gateway.
The Benetech clients have 10.10.220.101 as their default gateway, but you added a route to the WLAN to 10.10.220.100
So, the routing is correct.

You also have this command:
static (WLAN,Benetech) 172.16.30.0 172.16.30.0 netmask 255.255.255.0
So, the WLAN clients will not be NATed when talking to the Benetech devices.

You have the:
same-security-traffic permit inter-interface
To allow communication between interfaces with the same security level (as this is the case)

One good test that you can do is the following:
If you have access to the GUI interface, perform a Packet Tracer test, it will show exactly where is the communication failing.
You can do this from the CLI as well with the packet-tracer command.

Another important thing:

Since 10.10.200.101 is another ASA (you need to make sure that on that ASA, this communication is permitted)

Federico.

From the ASA with the WLAN attached from cli I can

ping any node on the benetech network I.E. (10.10.220.23) from the WLAN clients I can ping 172.16.30.100 but not the inside interface or the benetech interface which is a port on the same device.

I will try a packet-tracer and see what I receive.

Stephen,

From what you mentioned its already working.

The ASAs have this rule:

You can only PING the interface of the ASA which is where traffic is coming from.

This means that the WLAN clients can only PING the WLAN interface.

The Benetech clients can only PING the Benetech interface.

You can never PING any other interface of the ASA (besides the interface where the traffic goes into).

Try the communication between devices on the interfaces and make sure they work.

Otherwise let's take a look at the Packet Tracer.

Federico.

Sir, here is the error I am receiving:

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src WLAN:172.16.30.167/63541 dst BeneNetwork:10.10.220.23/53 denied due to NAT reverse path failure

This happens when the return path of the connection is not the same path that the request.

Asymmetric connections are not supported on the ASA. Let's see why you're getting an asymmetric behavior...

Could you post a simple drawing of your topology to understand it better?

Federico.

Our ASA .101 interface 0/0 is the outside interface, 0/4 is the inside interface and addressed 10.10.220.101 all nodes on the benetech network connect to this device with the gateway for the clients set at 10.10.220.101.

ASA .100 interface 0/0 is the outside interface, 0/1 is the benetech network and connected directly to the switch just as the other ASA, 0/6,7 is the WLAN interface with the clients gateway set at 172.16.30.100,

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco