11-15-2011 06:02 AM - edited 03-11-2019 02:50 PM
I am trying to set up a DMZ on my Cisco ASA 5505, so that the wireless clients are connected behind the DMZ, the LAN clients are connected behind the inside interface, and both groups of clients can get to the Internet. I have been able to configure the ASA for both wireless and LAN, but the wireless clients still cannot get to the Internet. The LAN clients can get to the Internet. I do not want the wireless clients and the LAN clients to be able to communicate with each other. What commands do I need to run in order to allow the wireless clients to access the Internet? Thanks for your help.
Chris
11-15-2011 06:11 AM
I forgot to mention that I have version 8.4 on the ASA. Thanks!
11-15-2011 06:15 AM
On the inside interface you can put an ACL which will block inside-to-DMZ communication. If you don't PAT the DMZ subnet on the ASA, the clients will not be able to reach the Internet.
Thanks
Ajay
11-15-2011 06:18 AM
Thanks for the reply. How do I PAT the dmz subnet? I must not have already done this. Thanks.
11-15-2011 06:28 AM
Here is a sample example - consider your DMZ network is 192.168.2.0/24.
Example 1 - If you want to PAT on the outside IP:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (dmz,outside) dynamic interface
Example 2 - If you want to use one IP address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (dmz,outside) dynamic 2.2.2.2
Example 3 - If you want to use a NAT pool:
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 2.2.2.1 2.2.2.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (dmz,outside) dynamic my-range-obj
For blocking traffic it would be a simple rule: inside is security level 100 and DMZ, suppose, 50, so 100 to 50 will be allowed by default and can be blocked with the help of an ACL.
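As an added example (not a configuration posted by anyone in this thread), here is the complete ASA 8.4 fragment that ties the two answers above together: object NAT for the DMZ subnet, an inside-interface ACL that stops the LAN from reaching the DMZ, and an explicit DMZ ACL that still permits Internet access. Interface names, VLAN numbers and the 192.168.1.0/24 inside subnet are assumed; the 192.168.2.0/24 DMZ subnet is the one Ajay used.

```cisco
! Added example, not from the thread. Assumed: interface "inside" (level 100)
! on Vlan1 with 192.168.1.0/24, interface "dmz" (level 50) on Vlan3 with
! 192.168.2.0/24 for the wireless clients, "outside" already configured.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Object NAT (8.3+ syntax): PAT each private subnet to the outside interface IP.
object network obj-inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network obj-dmz-net
 subnet 192.168.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Inside (100) -> DMZ (50) is allowed by default, so deny it explicitly
! before the permit-to-anywhere line. ACLs in 8.3+ match real (untranslated) IPs.
access-list inside_in extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside
!
! DMZ (50) -> inside (100) is already denied by default with no ACL applied.
! Applying an ACL replaces that implicit behaviour, so if you add one to the
! dmz interface, state both the deny and the permit-to-Internet yourself.
access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.2.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

With no access-group on the dmz interface the second ACL is optional; its value is that the isolation intent is visible in `show run access-list` rather than relying on the security-level default alone. Check the result with `show nat` (the dmz translation should show translate hits once a wireless client browses) and `show access-list inside_in` (the deny line's hit count rises when a LAN host tries to reach the DMZ).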
11-15-2011 01:26 PM
11-15-2011 07:17 PM
Hello Christopher,
So first of all, you have redundant NAT commands, because obj-DMZ is also 192.168.3.0, so you can delete one of the following nat statements that I will place in this post, in order to have a more organized configuration.
object network obj_DMZ
nat (DMZ,outside) dynamic interface
object network obj-192.168.3.0
nat (DMZ,outside) dynamic interface
Now regarding the issue: the wireless clients belong to the 192.168.3.0 network, so they should be able to go to the outside because:
1-You have the required nat statement in order to translate their private ip into a routable ip
2-You do not have an acl on the dmz interface blocking this connection.
So my next question would be are you able to go to the internet using an ip address instead of a domain name?
Please rate helpful posts.
Regards,
Julio
11-17-2011 01:09 PM
That is one of the first things I tried. I am always getting request timed out. Why do I need an access-list to allow traffic out to the Internet?
11-17-2011 01:26 PM
I have deleted the duplicate statement from above and added access-list (DMZ, outside) source static obj_DMZ obj_DMZ destination static obj_DMZ obj_DMZ, but the wireless clients still cannot get to the Internet.
11-17-2011 01:46 PM
Hello Chris,
You do not need an ACL, that's in my last note. Now, what happens if you add this into a browser:
Regards,
Julio
12-02-2011 01:24 PM
It does not go to the website, nor can I ping 4.2.2.2.
Thanks,
Chris
12-02-2011 03:30 PM
Hello,
Really strange behavior, you have a Plus license, right??
Now let's do some captures to see what's going on:
access-list capdmz permit tcp host 192.168.13.2 any eq 80
access-list capdmz permit tcp any eq 80 host 192.168.13.2
access-list capout permit tcp host xxxxxxx any eq 80
access-list capout permit tcp any eq 80 host xxxxxxxx
capture capdmz access-list capdmz interface dmz
capture capout access-list capout interface outside
Note: the xxxx are going to be the outside interface ip address.
Now I want you to try to browse to a web site from 192.168.13.2
And then do a show capture:
sh capture capdmz
sh capture capout
Please rate helpful posts.
Julio
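As an added example, not part of Julio's post, the capture procedure above can be paired with `packet-tracer`, which walks a simulated packet through the ASA's route lookup, ACL, NAT and interface checks and reports the phase that drops it. The client 192.168.13.2 and the 4.2.2.2 target are the ones used in the thread; the interface name "dmz" is assumed.

```cisco
! Added example (not from the thread). Assumed: wireless client 192.168.13.2
! sits behind interface "dmz"; 4.2.2.2 is the test target Chris pinged.
! Simulate a client HTTP connection; read the phases in order:
!   ROUTE-LOOKUP  - egress interface must be "outside"
!   ACCESS-LIST   - a DROP here means an ACL on dmz is in the way
!   NAT           - the translate line must name the outside interface IP
!   Result        - "Action: allow" or "Action: drop" with a Drop-reason
packet-tracer input dmz tcp 192.168.13.2 12345 4.2.2.2 80
!
! Confirm the NAT rule the tracer chose and whether any ACL is applied to dmz.
show nat detail
show run access-group
show run access-list
!
! On a 5505, the license decides whether the third VLAN may reach the others;
! a Base license requires "no forward interface Vlan1" on that VLAN.
show version | include Licen
!
! Clear the capture buffers before each browse attempt so old packets do not
! confuse the reading, then inspect them after the test.
clear capture capdmz
clear capture capout
show capture capdmz
show capture capout
!
! Remove the captures when finished; they hold memory on the appliance.
no capture capdmz
no capture capout
```

If `packet-tracer` ends in "Action: allow" but the `capdmz` capture shows only outbound SYNs and `capout` shows nothing, the packet never left the box and the NAT or license path deserves the next look; if `capout` shows SYNs with no replies, the problem is upstream of the ASA.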