Solved: Cisco 5505 acces list

James Hoggard · ‎10-30-2013

I currently have a Cisco ASA plugged into a single AP. This plugs into the POE port of the ASA.

the wireless point has 2 ssid's ( vlans ) 1 and 10

both side are trunked to allow the vlans.

vlan 1 is on 192.168.70.0 /24 ( production ) inisde interface

vlan 10 is on 172.16.0.0 /24 ( guest )

The Cisco ASA is acting as the DHCP server for both vlans.

we wanted people on the guest network and the production network seperate which is working good.

now we have a printer on 192.168.70.20 which the guest users will need to access.

I have tried setting up an ACL on the ASA but no luck.

Please see attached ACL list ( these are the default ) nothing has been changed.

can somone point me in the direction to get this working?

I have checked the logs when running a ping to the print from the 172.16 networkto the printer and seeing the attached NAT error

Julio Carvajal · ‎10-30-2013

Hello,

The NAT exempt is another option as well instead of the Identity NAT.

I modify the ACL to make it more restrictive but sure you can leave it with the permit IP any any (as long as you do not have ambiguity on the NAT statements u will be safe there)

If there is no other question please mark it as answered; otherwise let me know

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Jouni Forss · ‎10-30-2013

Hi,

Your probably have Dynamic PAT configured for both "inside" and "guest" when connecting to "outside" and dont have the proper NAT for traffic between these "inside" and "guest". To give the proper configurations needed would have to see the CLI format configurations.

Also, please follow up on your previous threads that you have opened with the solution and rate/mark correct reply if you have gotten helpfull information. There was one related to connecting the AP to the ASA5505 for example.

- Jouni

James Hoggard · ‎10-30-2013

Thanks. I have attached the config. so i need an access list from inside to guest?

i only want people on the guest network 172.16.0.0 to access just 192.168.70.20 and nothing else.

I will go back to the older post and update the information.

Julio Carvajal · ‎10-30-2013

Hello James,

The ACL should look like

access-list Guest_access_in permit ip any host 192.168.70.20

access-list Guest_access_in deny ip any 192.168.70.0 255.255.255.0

access-list Guest_access_in extended permit ip any any

And the Nat

static (Guest,Inside) 172.16.0.0 172.16.0.0 netmask 255.255.255.0

static (inside,guest) 192.168.70.0 192.168.70.0 netmask 255.255.255.0

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

James Hoggard · ‎10-30-2013

all i did was an exempt nat rule on the inside interface with the source address of the printer 192.168.70.20 to destination guest network, and this has worked. did this on the adsm and selected NAT Exempt outbound traffic from interface inside to low secuirty interfaces.

can only ping the printer from thee guest network and nothing else.

Julio Carvajal · ‎10-30-2013

Hello,

The NAT exempt is another option as well instead of the Identity NAT.

I modify the ACL to make it more restrictive but sure you can leave it with the permit IP any any (as long as you do not have ambiguity on the NAT statements u will be safe there)

If there is no other question please mark it as answered; otherwise let me know

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

James Hoggard · ‎10-30-2013

access-list inside_nat0_outbound extended permit ip host printer 172.16.0.0 255.255.255.0

James Hoggard · ‎10-30-2013

Thanks for the explanation. Now makes good sense

Julio Carvajal · ‎10-30-2013

Hello James,

My pleasure to help

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

James Hoggard · ‎10-31-2013

Hi Jcarvaja,

All is still working well. I'm used to working on routers new to this ASA stuff. so please excuse my questions if there abit

obvious to you.normally when you do inter-vlan rotuing you need a layer 3 device.

I'm just confused to how a NAT command will let you route between differentsubnets ( vlans ) ??

Thanks

p.s followed

Jouni Forss · ‎10-31-2013

Hi,

The reason why we need separate Identity NAT configurations between the local Vlans is because without them the traffic would most likely match the Dynamic PAT rules (the "nat" statements) and therefore the NAT checks on the ASA would fail.

By adding the Identity NAT configurations with "static" command is meant to override the Dynamic PAT configuration and enable the 2 Vlans communicate with their original IP addresses (what Identity NAT essentially means)

The requirement for this NAT is partly due to how the software level you use handles NAT.

With newer 8.3 (and above) software levels where the NAT was redone you wouldnt need any NAT configurations between your local interfaces which makes for a lot clearer NAT configuration on the firewall

- Jouni