Cisco 5505 access list

Answered Question
Oct 30th, 2013

I currently have a Cisco ASA plugged into a single AP. This plugs into the POE port of the ASA.

The wireless point has 2 SSIDs (VLANs), 1 and 10.

Both sides are trunked to allow the VLANs.

VLAN 1 is on 192.168.70.0/24 (production), inside interface.

VLAN 10 is on 172.16.0.0/24 (guest).

The Cisco ASA is acting as the DHCP server for both VLANs.

We wanted people on the guest network and the production network separate, which is working well.

Now we have a printer on 192.168.70.20 which the guest users will need to access.

I have tried setting up an ACL on the ASA but no luck.

Please see attached ACL list (these are the default); nothing has been changed.

Can someone point me in the direction to get this working?

I have checked the logs when running a ping from the 172.16 network to the printer and am seeing the attached NAT error.

Jouni Forss Wed, 10/30/2013 - 03:50

Hi,


You probably have Dynamic PAT configured for both "inside" and "guest" when connecting to "outside" and don't have the proper NAT for traffic between "inside" and "guest". To give the proper configuration needed I would have to see the CLI format configuration.

Also, please follow up on your previous threads that you have opened with the solution and rate/mark the correct reply if you have gotten helpful information. There was one related to connecting the AP to the ASA5505, for example.


- Jouni

James Hoggard Wed, 10/30/2013 - 05:39

Thanks. I have attached the config. So I need an access list from inside to guest?

I only want people on the guest network 172.16.0.0 to access just 192.168.70.20 and nothing else.


I will go back to the older post and update the information.

Julio Carvajal Wed, 10/30/2013 - 07:20

Hello James,


The ACL should look like

access-list Guest_access_in extended permit ip any host 192.168.70.20

access-list Guest_access_in extended deny ip any 192.168.70.0 255.255.255.0

access-list Guest_access_in extended permit ip any any

access-group Guest_access_in in interface guest

And the NAT

static (guest,inside) 172.16.0.0 172.16.0.0 netmask 255.255.255.0

static (inside,guest) 192.168.70.0 192.168.70.0 netmask 255.255.255.0



Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

James Hoggard Wed, 10/30/2013 - 07:57

All I did was add an exempt NAT rule on the inside interface with the source address of the printer 192.168.70.20 to destination guest network, and this has worked. I did this in ASDM and selected NAT Exempt outbound traffic from interface inside to lower security interfaces.

Can only ping the printer from the guest network and nothing else.

Correct Answer
Julio Carvajal Wed, 10/30/2013 - 08:00

Hello,


The NAT exempt is another option as well, instead of the Identity NAT.

I modified the ACL to make it more restrictive, but sure, you can leave it with the permit ip any any (as long as you do not have ambiguity in the NAT statements you will be safe there).

If there is no other question please mark it as answered; otherwise let me know.



Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

James Hoggard Wed, 10/30/2013 - 08:04

access-list inside_nat0_outbound extended permit ip host printer 172.16.0.0 255.255.255.0

James Hoggard Thu, 10/31/2013 - 02:05

Hi Jcarvaja,


All is still working well. I'm used to working on routers and new to this ASA stuff, so please excuse my questions if they're a bit obvious to you. Normally when you do inter-VLAN routing you need a layer 3 device.

I'm just confused as to how a NAT command will let you route between different subnets (VLANs)??

Thanks

P.S. Followed

Jouni Forss Thu, 10/31/2013 - 02:12

Hi,


The reason why we need separate Identity NAT configurations between the local VLANs is that without them the traffic would most likely match the Dynamic PAT rules (the "nat" statements) and therefore the NAT checks on the ASA would fail.

Adding the Identity NAT configurations with the "static" command is meant to override the Dynamic PAT configuration and enable the 2 VLANs to communicate with their original IP addresses (which is what Identity NAT essentially means).

The requirement for this NAT is partly due to how the software level you use handles NAT.

With newer 8.3 (and above) software levels, where the NAT was redone, you wouldn't need any NAT configurations between your local interfaces, which makes for a much clearer NAT configuration on the firewall.


- Jouni
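As an added example (not posted by anyone in this thread), here is what the two approaches discussed above look like side by side: the pre-8.3 NAT exemption narrowed to the printer host, as James did, and the 8.3+ equivalent Jouni refers to, where no NAT entry is needed between the local interfaces at all. The interface names inside/guest/outside and the object names are assumptions; the addresses are the ones from the thread.

```cisco
! Added example, not from the thread. Interface names inside/guest/outside
! and object names are assumed; addresses are those given in the thread.

! --- Pre-8.3 (the software level this thread is on) ---
! Dynamic PAT to the internet for both local networks
global (outside) 1 interface
nat (inside) 1 192.168.70.0 255.255.255.0
nat (guest) 1 172.16.0.0 255.255.255.0
! NAT exemption for printer <-> guest only. nat 0 with an ACL is
! bidirectional, so no matching static on the guest side is needed.
access-list inside_nat0_outbound extended permit ip host 192.168.70.20 172.16.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! Restrict guest to the printer on the production network; internet still allowed
access-list Guest_access_in extended permit ip 172.16.0.0 255.255.255.0 host 192.168.70.20
access-list Guest_access_in extended deny ip any 192.168.70.0 255.255.255.0
access-list Guest_access_in extended permit ip any any
access-group Guest_access_in in interface guest

! --- 8.3 and later equivalent ---
! Object NAT is scoped to the (local,outside) interface pair, so guest <-> inside
! traffic never matches a NAT rule and needs no identity or exempt entry.
object network inside-net
 subnet 192.168.70.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network guest-net
 subnet 172.16.0.0 255.255.255.0
 nat (guest,outside) dynamic interface
! The access list is unchanged (8.3+ ACLs are written with real addresses)
access-list Guest_access_in extended permit ip 172.16.0.0 255.255.255.0 host 192.168.70.20
access-list Guest_access_in extended deny ip any 192.168.70.0 255.255.255.0
access-list Guest_access_in extended permit ip any any
access-group Guest_access_in in interface guest
```

In either version the ACL order matters: the host permit must precede the subnet deny, and the final permit ip any any only covers what the deny has not already dropped.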
