09-25-2008 01:49 PM - edited 03-11-2019 06:49 AM
I am trying to set up wireless guest access for a customer that has an ASA 5520 v8.0 (I think). In any case we have everything working and the wireless is going out to the internet fine. The issue we are seeing is that when they try to access their websites from the guest wireless, they get the external IP address, and I am assuming that because of antispoofing it is not allowing the packet to come back in. Is there any way around this? I know in the Checkpoint you can set up an exclusion to do this.
09-26-2008 06:30 AM
"when they try to access their websites from the guest wireless"
I did not get this part.
On which interface is the webserver?
Is it on the same interface of the f/w where the clients are?
If so, you need to set up DNS doctoring.
If it's on some interface other than the internet, you would need to set up destination NAT.
Regards,
Sushil
09-26-2008 06:58 AM
It has 4 interfaces in use: internet, internal, wireless guest, and DMZ, which is where the web servers are. I am assuming that when the wireless traffic goes out the internet port and tries to come back in, the antispoofing drops it. The destination NAT thing sounds familiar. If you point me to a link or something it would be appreciated.
09-26-2008 07:01 AM
Let's say you are in the DMZ and want to access a server on the inside.
You would need:
static (inside,dmz)
With this static, the SYN packet, rather than going to the outside, will go directly to the server on the inside.
The above is called D-NAT.
Please rate if helpful.
Regards,
Sushil
09-26-2008 10:40 PM
Is this your scenario?
Webserver: in DMZ
Clients: in Wireless guest (WG), with a higher security level than DMZ
So, if you wish to access the DMZ server using the public IP from clients in WG, then you need DNAT:
static (dmz,wg)
nat (wg) 1 0 0
global (dmz) 1 interface
SERVER AND USER ARE IN DIFFERENT NETWORKS
INTERNET
|
|
|
PIX-----dmz----SERVER
|
WG (higher sec)
|
|
USER/client
We would access the server in DMZ, from a client in WG, with the public IP by using the concept called Destination NAT (DNAT):
static (dmz,WG)
It makes that public IP virtually float on the inside of the PIX.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
Let me know if this helps !
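The DNAT that the two answers above describe, written out as ASA 8.0-era (pre-8.3 NAT syntax) configuration. This is an added example, not configuration from the thread; the addresses (10.1.3.14 for the DMZ web server, 209.165.200.225 for its public address, 10.200.0.50 for a guest client), the interface names outside, WG and dmz, and the ACL names are assumed for illustration:

```cisco
! Added example, not from the thread. Assumed addresses and names:
!   DMZ web server (real)      10.1.3.14     on interface dmz
!   public address (mapped)    209.165.200.225, the address internet DNS returns
!   guest clients              interface WG (higher security level than dmz)
!
! Existing reachability from the internet, assumed already in place:
static (dmz,outside) 209.165.200.225 10.1.3.14 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 209.165.200.225 eq www
access-group outside_in in interface outside
!
! Destination NAT for the guest side: the same public address is made to
! "float" on the WG interface, so a SYN from a guest to 209.165.200.225 is
! translated to 10.1.3.14 and forwarded WG -> dmz instead of being routed
! out the outside interface (where the return packet would be dropped).
static (dmz,WG) 209.165.200.225 10.1.3.14 netmask 255.255.255.255
!
! Source translation WG -> dmz, as proposed in the answer above. It PATs the
! guests behind the dmz interface address; needed when WG already has a
! "nat (WG) 1" statement for internet access (or nat-control is enabled),
! because that statement then requires a matching global on the dmz side.
nat (WG) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface
!
! If an ACL is applied inbound on WG, permit the MAPPED address: on pre-8.3
! code the interface ACL is evaluated before the static is applied. Insert
! this line ahead of the existing WG_in rules that allow internet access.
access-list WG_in extended permit tcp any host 209.165.200.225 eq www
access-group WG_in in interface WG
!
! Verification: packet-tracer should show the static (dmz,WG) translation
! being applied and the packet leaving on dmz rather than outside.
packet-tracer input WG tcp 10.200.0.50 12345 209.165.200.225 80
show xlate | include 209.165.200.225
```

The static (dmz,WG) line is the whole of the DNAT; the nat/global pair and the ACL line are the two things most often forgotten when the connection still fails after it is added, and packet-tracer tells you which phase (NAT lookup or ACL) is dropping the packet.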
09-27-2008 12:38 AM
Yes!! You are correct.
09-27-2008 08:13 AM
That sounds like something I had done in the past on an old PIX; I just couldn't remember it. So it would appear that is my only option then? The Checkpoint had an option of specifying what to bypass with antispoofing; I just could not find anything with a PIX/ASA to do that. Also the DNS doctoring would do about the same thing; I just wouldn't have to create all the NAT rules but rather create alias commands to convert the DNS. We have gotten around this somewhat by using the DMZ DNS servers for the wireless clients and allowing the wireless to access these servers by the DMZ addressing. The real issue is that they have hundreds of subdomains that are not on the DMZ DNS server but are only on the internet DNS server.
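The DNS doctoring alternative mentioned in the post above and in the first reply, as an added example rather than the poster's configuration. On ASA 7.x/8.0 the PIX 6.x alias command is replaced by the dns keyword on the static: A-record replies that pass through the ASA and carry the mapped address are rewritten to the real address, so guests connect straight to the DMZ server. The addresses (10.1.3.14 real, 209.165.200.225 public), the interface names outside, WG and dmz, and the ACL name WG_in are assumed, as is the guest clients resolving names through a DNS server on the outside:

```cisco
! Added example, not from the thread. Assumed: web server 10.1.3.14 on dmz,
! public address 209.165.200.225 handed out by the internet DNS server, guest
! clients on interface WG resolving through that outside DNS server.
!
! The dns keyword makes the ASA rewrite 209.165.200.225 to 10.1.3.14 in DNS
! replies that match this static's mapped address, so every subdomain whose
! A record points at the one public address is covered by one line, with no
! per-host static on the WG side and no hairpin through the outside interface.
static (dmz,outside) 209.165.200.225 10.1.3.14 netmask 255.255.255.255 dns
!
! DNS inspection must be enabled for the rewrite to happen. It is part of the
! default global policy on 8.0; shown here in case it was removed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Guests now connect to the REAL address, so the WG ACL permits 10.1.3.14.
access-list WG_in extended permit tcp any host 10.1.3.14 eq www
access-group WG_in in interface WG
!
! Verification from a guest client: a lookup of any subdomain should return
! 10.1.3.14, not 209.165.200.225. On the ASA, confirm the DNS inspection
! counters move while the lookup runs.
show service-policy inspect dns
```

Two caveats: only mapped addresses that appear in a dns-enabled static are rewritten, so a second public address needs its own static with the keyword, and the rewrite applies only to replies that actually traverse the ASA, which is why this fits the case where the guests use the internet DNS server rather than the DMZ one.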
09-29-2008 08:03 AM
Correct. As of now you have to live with the antispoof/stateful inspection feature of the FW, though a feature request has been filed about disabling the ABR/stateful check.
hth
Ashish !