07-06-2007 07:16 AM - edited 03-11-2019 03:41 AM
I am setting up a new ASA 5520 and have no problems from the subnet that the firewall is on. But from my wireless subnet I cannot reach the internet. I added a route from the wireless subnet to the gateway subnet and it doesn't connect.
07-06-2007 07:20 AM
So you have something like..
Internet - ASA - inside - inside router - wireless subnet
The wireless clients have a dg of the inside router and the inside router has a dg of inside ASA?
Do you have a route statement on the ASA for the wireless subnet?
route inside
Is the wireless subnet included in your nat statement?
nat (inside) 1
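The reply above boils down to two checks: the ASA needs a route back to the wireless subnet through an inside interface, and, because this box runs nat-control, the subnet must be covered by a nat rule whose id has a global on the outside interface. The script below is an added example (it is not from the thread or from Cisco) that runs those checks against a config in the pre-8.3 "nat (if) id" / "global (if) id" syntax used here. The sample config is constructed to match the layout in the thread; the 10.112.x and 65.0.0.x addresses are placeholders, and only the route, global, nat and extended access-list lines are parsed.

```python
"""Sanity-check routing and pre-8.3 NAT coverage for a source subnet on an ASA.

Added example, not from the thread: it models the two checks the reply above
asks for (a route back to the subnet, and a nat/global pair covering it).
Only the old 'nat (if) id ...' / 'global (if) id ...' syntax is handled.
"""
import ipaddress
import re

# Constructed sample modelled on the config in this thread; addresses are
# illustrative placeholders, not the poster's real ones.
SAMPLE_CONFIG = """\
nat-control
global (Wan) 1 interface
nat (Lan) 1 access-list Lan_nat_outbound
access-list Lan_nat_outbound extended permit ip any any
route Wan 0.0.0.0 0.0.0.0 65.0.0.97 1
route Lan 10.112.5.0 255.255.255.0 10.112.4.1 1
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_source(tokens):
    """Source field of 'extended permit|deny <proto> SRC ...' (any | host X | net mask)."""
    if tokens[0] == "any":
        return _net("0.0.0.0", "0.0.0.0")
    if tokens[0] == "host":
        return _net(tokens[1], "255.255.255.255")
    return _net(tokens[0], tokens[1])


def parse_config(text):
    cfg = {"nat_control": False, "routes": [], "global": {}, "nat": [], "acl": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nat-control":
            cfg["nat_control"] = True
        elif t[0] == "route":                  # route <if> <net> <mask> <gw> [metric]
            cfg["routes"].append((t[1], _net(t[2], t[3]), t[4]))
        elif t[0] == "global":                 # global (<if>) <id> interface|<pool>
            m = re.match(r"global \((\S+)\) (\d+)", line)
            cfg["global"].setdefault(int(m.group(2)), set()).add(m.group(1))
        elif t[0] == "nat":                    # nat (<if>) <id> access-list <acl> | <net> <mask>
            m = re.match(r"nat \((\S+)\) (\d+) (.+)", line)
            iface, nat_id, rest = m.group(1), int(m.group(2)), m.group(3).split()
            if rest[0] == "access-list":
                cfg["nat"].append((iface, nat_id, ("acl", rest[1])))
            else:                              # 'nat (if) 1 0 0' is shorthand for 0.0.0.0/0
                a, mk = ("0.0.0.0", "0.0.0.0") if rest[0] == "0" else (rest[0], rest[1])
                cfg["nat"].append((iface, nat_id, ("net", _net(a, mk))))
        elif t[0] == "access-list" and len(t) > 5 and t[2] == "extended":
            cfg["acl"].setdefault(t[1], []).append((t[3], _acl_source(t[5:])))
    return cfg


def _route_for(cfg, target):
    """Longest-prefix match; returns (iface, net, gw) or None."""
    best = None
    for iface, net, gw in cfg["routes"]:
        if net.supernet_of(target) and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gw)
    return best


def _nat_covers(cfg, rule, subnet):
    """True when the nat rule matches the whole subnet (partial overlap counts as no)."""
    kind, value = rule
    if kind == "net":
        return value.supernet_of(subnet)
    for action, src in cfg["acl"].get(value, []):   # policy NAT: first matching ACE wins
        if src.supernet_of(subnet):
            return action == "permit"
    return False


def check_subnet(cfg, subnet, egress):
    """Report whether hosts in `subnet` can reach the internet via `egress`."""
    subnet = ipaddress.ip_network(subnet)
    result = {"return_route": None, "nat_ok": False, "problems": []}
    back = _route_for(cfg, subnet)
    if back is None or back[0] == egress:      # only the default route matched: no way back
        result["problems"].append(f"no inside route back to {subnet}")
        return result
    ingress = back[0]
    result["return_route"] = (ingress, str(back[1]), back[2])
    if not any(n.prefixlen == 0 and i == egress for i, n, _ in cfg["routes"]):
        result["problems"].append(f"no default route out of {egress}")
    for iface, nat_id, rule in cfg["nat"]:
        if iface == ingress and _nat_covers(cfg, rule, subnet) and egress in cfg["global"].get(nat_id, ()):
            result["nat_ok"] = True
            break
    if cfg["nat_control"] and not result["nat_ok"]:
        result["problems"].append(f"nat-control is on and no nat/global pair on {ingress}->{egress} covers {subnet}")
    return result


if __name__ == "__main__":
    print(check_subnet(parse_config(SAMPLE_CONFIG), "10.112.5.0/24", "Wan"))
```

Run it against a "show run" pasted into SAMPLE_CONFIG and hand it the subnet and outside interface name. The check is deliberately strict: a policy-NAT ACE or nat network has to cover the whole subnet, and a nat id with no global on the outside interface counts as no translation, which with nat-control enabled means the ASA drops the flow.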
07-06-2007 08:01 AM
I have a route statement for the wireless but I do not have a nat rule. Do I need a static nat rule to the subnet?
route inside <10.112.5.0> <255.255.255.0> <10.112.4.1>
07-06-2007 08:03 AM
Post a "show run nat"
So 10.112.5.0 is the wireless subnet?
And 10.112.4.1 is inside router?
07-06-2007 08:12 AM
ciscoasa# sh run nat
nat (Lan) 1 access-list Lan_nat_outbound
07-06-2007 08:13 AM
Ok, how about a "show access-list Lan_nat_outbound"
07-06-2007 08:15 AM
ciscoasa(config)# show access-list Lan_nat_outbound
access-list Lan_nat_outbound; 1 elements
access-list Lan_nat_outbound line 1 extended permit ip any any (hitcnt=0) 0x50239b0a
07-06-2007 08:15 AM
Also, can you ping the ASA from the wireless subnet? This would rule out a routing problem.
07-06-2007 08:19 AM
yes
07-06-2007 08:23 AM
That should work. Do you want to post a sanitized config from the ASA?
07-06-2007 08:40 AM
ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxxx.com
enable password xxxxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif Wan
security-level 0
ip address 65.x.x.98 255.255.255.224
!
interface GigabitEthernet0/1
nameif Lan
security-level 100
ip address 11.x.x.0 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
nameif vpn
security-level 0
ip address 11.x.x.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd cxxcxccx encrypted
boot system disk0:/asa722-19-k8
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Wan
dns server-group DefaultDNS
name-server 200.100.3.65
domain-name xxxxxxxx
access-list Wan_access_in_1 extended permit tcp host 200.100.15.36 host 65.000.215.000 eq 3268
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.000 eq smtp
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.101 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 e
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq 1433
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq 1414
07-06-2007 08:42 AM
access-list Wan_access_in_1 extended permit tcp host 66.000.00.4 host 65.000.000.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.000.4 host 65.00.000.107 eq smtp
access-list Wan_access_in_1 extended permit tc
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.104 eq https
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 17335
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 22334
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 22335
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.108 eq 5003
access-list Wan_access_in_1 extended permit udp any host 65.000.000.108 eq 5003
access-list Wan_access_in_1 extended permit tcp any host 65.000.000.102 eq lotusnotes
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq www
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq 1433
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq 1414
access-list Wan_access_in_1 extended permit tcp host 6
.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.00.5 host 65.000.000.107 eq smtp
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq www
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq 1433
07-06-2007 08:43 AM
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq smtp
access-list Wan_access_in_1 extended permit tcp host 66.000.00.6 host 65.000.000.107 eq 1414
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq www
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq https
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq 1433
access-list Wan_access_in_1 extended permit tcp
.107 eq 8088
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq smtp
access-list Wan_access_in_1 extended permit tcp host 66.000.00.7 host 65.000.000.107 eq 1414
access-list Lan_nat_outbound extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu vpn 1500
mtu management 1500
ip local pool Poolip 10.000.00.51-10.000.00.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-52
no asdm history enable
arp timeout 14400
nat-control
global (Wan) 1 interface
nat (Lan) 1 access-list Lan_nat_outbound
static (Lan,Wan) 65.000.000.106 10.00.0.32 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.101 10.000.0.47 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.107 10.000.00.77 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.104 10.000.0.53 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.108 10.000.00.17 netmask 255.255.255.255
static (Lan,Wan) 65.000.000.102 10.000.00.2 netmask 255.255
07-06-2007 08:43 AM
access-group Wan_access_in_1 in interface Wan
route Wan 0.0.0.0 0.0.0.0 65.000.000.97 1
route Lan 10.000.5.0 255.255.255.0 10.000.0.49 1
route Lan 10.000.00.0 255.255.255.0 10.000.0.49 1
route Lan 10.000.0.0 255.255.255.0 10.000.0.49 1
route Lan 10.000.00.0 255.255.255.0 10.000.00.49 1
route vpn 65.000.000.98 255.255.255.255 65.000.000.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server 00000 protocol ldap
aaa-server 0000 (Lan) host 10.000.0.32
timeout 5
ldap-scope onelevel
group-policy 00000 internal
group-policy 00000 attributes
wins-server value 10.000.0.50 10.000.00.16
dns-server value 10.000.00.50 10.000.000.16
vpn-tunnel-protocol IPSec
default-domain value 000000
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server c
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map vpn_dyn_map 20 set pfs
crypto dynamic-map vpn_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map vpn_map 65535 ipsec-isakmp dynamic vpn_dyn_map
crypto map vpn_map interface vpn
crypto isakmp enable vpn
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 0000 type ipsec-ra
tunnel-group 000 general-attributes
address-pool Poolip
authentication-server-group 000000
default-group-policy 000000
tunnel-group cxcvcx ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0