07-25-2013 01:29 AM - edited 03-11-2019 07:16 PM
Hi All
I really can't get my head around this - I don't know if I'm NATting it wrong or if what I'm attempting just won't work. I'm using ASA 7.1 and Cisco 4500 Switches on my LAN
On my LAN I have a Domain Controller (172.16.5.14) and an Exchange box (172.16.5.222). The Exchange box has 1 NIC and 3 addresses, 1 for SMTP and 1 each for 2 separate IIS OWA sites (1 is a Public Folder, the other is OWA)
I have my Wireless network behind another interface on my ASA (Security Level 90). I need users on the Wi-Fi (192.168.10.x) to be able to access DNS on my DC and OWA on my Exchange box. My DNS on the DC points all OWA traffic to the LAN address of the Exchange box. I know I could do it by routing traffic from the WiFi to the LAN via the Switch but then what's the point of firewalling if I'm going to bypass it?
I also have a DMZ network that accesses internal services (such as IIS on the DMZ to SQL on the LAN) which is working fine so I can't understand what I'm doing wrong
Thanks
Danny
07-25-2013 04:20 AM
Hi,
If I remember correctly you had 9.1 or some other new software running on the ASA when you previously asked about some Static PAT configurations here on CSC.
So I guess the software level you mention is for the ASDM.
I would probably start by checking what the "packet-tracer" command would say about a connection coming from the wireless network to these IP addresses and the services needed.
packet-tracer
This would tell us what the ASA would do to the packet arriving on its interface.
- Jouni
07-25-2013 04:28 AM
Hi Jouni
Yes, you are correct - I was rushing to type things out
Output from Packet-Tracer
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Wireless_LAN,Legacy_LAN) source static Wireless_LAN-network Wireless_LAN-network destination static SERVER22_LAN_OWA SERVER22_LAN_OWA net-to-net
Additional Information:
NAT divert to egress interface Legacy_LAN
Untranslate 172.16.5.222/443 to 172.16.5.222/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Wireless_LAN_access_in in interface Wireless_LAN
access-list Wireless_LAN_access_in extended permit object-group DM_INLINE_SERVICE_7 object Wireless_LAN-network object-group DM_INLINE_NETWORK_13
object-group service DM_INLINE_SERVICE_7
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_13
network-object object SERVER22_LAN_OWA
network-object object SERVER15_LAN
network-object object SERVER14_LAN
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Wireless_LAN,Legacy_LAN) source static Wireless_LAN-network Wireless_LAN-network destination static SERVER22_LAN_OWA SERVER22_LAN_OWA net-to-net
Additional Information:
Static translate 192.168.10.62/41298 to 192.168.10.62/41298
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FILTER
Subtype: filter-url
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FILTER
Subtype: filter-https
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Wireless_LAN,Legacy_LAN) source static Wireless_LAN-network Wireless_LAN-network destination static SERVER22_LAN_OWA SERVER22_LAN_OWA net-to-net
Additional Information:
Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32433132, packet dispatched to next module
Result:
input-interface: Wireless_LAN
input-status: up
input-line-status: up
output-interface: Legacy_LAN
output-status: up
output-line-status: up
Action: allow
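Jouni's suggestion and the trace Danny pasted above both turn on reading packet-tracer output by hand (the trace above was produced by a command of the form `packet-tracer input Wireless_LAN tcp 192.168.10.62 41298 172.16.5.222 443`). The following is an added example, not code from the thread or from Cisco: a small Python parser that splits a trace into its phases, reports the earliest phase whose Result is DROP together with the Drop-reason line from the final summary, and rejoins the wrapped `nat (...)` statements so they can be compared word for word against `show run nat`. The two sample traces are constructed for the example (a DNS probe to the DC that an implicit ACL deny drops, and a trace that ends in allow); the phase names, `Implicit Rule` and the `(acl-drop)` reason text are the strings the ASA emits, but the traces themselves are not from Danny's firewall.

```python
# Parser for Cisco ASA "packet-tracer" output: first DROP phase, final action, matched NAT rules.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KEYS = ("Type", "Subtype", "Result")             # one-line fields of a phase
SECTIONS = ("Config", "Additional Information")  # multi-line buckets within a phase

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)
    info: List[str] = field(default_factory=list)

def parse_packet_tracer(output: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Return the phases and the final summary (input-interface, Action, Drop-reason ...)."""
    phases, summary = [], {}
    current = bucket = None
    in_summary = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:                                   # "Phase: N" opens a new phase
            current = Phase(number=int(m.group(1)))
            phases.append(current)
            bucket = None
        elif line == "Result:":                 # bare "Result:" opens the final summary
            in_summary, current = True, None
        elif in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep and key in KEYS:
                setattr(current, key.lower(), value.strip())
                bucket = None
            elif sep and key in SECTIONS and not value.strip():
                bucket = current.config if key == "Config" else current.info
            elif bucket is not None:            # continuation line of the open section
                bucket.append(line)
    return phases, summary

def first_drop(phases: List[Phase]) -> Optional[Phase]:
    """Earliest phase whose Result is DROP; None when every phase allowed the packet."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)

def nat_rules(phases: List[Phase]) -> List[str]:
    """Distinct 'nat (...)' statements matched, wrapped lines rejoined for comparison with 'show run nat'."""
    rules: List[str] = []
    for p in phases:
        text = " ".join(p.config)
        if p.type in ("NAT", "UN-NAT") and text.startswith("nat ") and text not in rules:
            rules.append(text)
    return rules

def triage(output: str) -> str:
    """One-line verdict: where the packet died, or that it was allowed."""
    phases, summary = parse_packet_tracer(output)
    drop = first_drop(phases)
    if drop is None:
        return "allow: %s -> %s, %d phases, %d nat rule(s)" % (
            summary.get("input-interface"), summary.get("output-interface"), len(phases), len(nat_rules(phases)))
    return "drop at phase %d (%s/%s): %s" % (
        drop.number, drop.type, drop.subtype, summary.get("Drop-reason", "no reason given"))

# Constructed samples (not from the thread): a DNS probe the wireless ACL denies, and an allowed trace.
SAMPLE_DENIED = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
nat (Wireless_LAN,Legacy_LAN) source static Wireless_LAN-network Wireless_LAN-network destination static SERVER14_LAN
SERVER14_LAN net-to-net
Additional Information:
Untranslate 172.16.5.14/53 to 172.16.5.14/53

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Wireless_LAN
output-interface: Legacy_LAN
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
SAMPLE_ALLOWED = """\
Phase: 1
Type: FLOW-CREATION
Result: ALLOW

Result:
input-interface: Wireless_LAN
output-interface: Legacy_LAN
Action: allow
"""
```

Run `triage()` over a trace saved from the ASA console; with every phase reading ALLOW, as in the trace posted above, it can only confirm that the first packet of that one flow (this source, this destination, this protocol and port) is allowed through the firewall, so the other flows Jouni listed (UDP and TCP 53 to the DC, 80 and 443 to each Exchange address) need their own traces.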