04-03-2010 06:52 PM - edited 03-06-2019 10:27 AM
Here is my network
outside (0)
inside (100)
dmz (90)
wifi (80)
dmz-network 192.168.100.0/24
wifi-network 192.168.2.0/24
inside-network 192.168.0.0/24
I just implemented wifi within the last week. I did not configure this ASA originally.
The original configuration included this static rule to permit traffic from inside <-> dmz
static (inside,dmz) dmz-network inside-network netmask 255.255.255.0
and this works just fine.
When I implemented wifi, I just assumed that another static rule would be required to allow inside <-> wifi
static (inside,wifi) wifi-network inside-network netmask 255.255.255.0
This does not work. It causes a "Land Attack" when trying to connect from the inside -> wifi.
Now, I do not want wifi users to be able to access inside, so a bidirectional static NAT rule is definitely not the answer; I'm just curious why a static rule is not working in this case. I'm new to ASAs and I'm still learning.
This command works:
static (inside,wifi) inside-network inside-network netmask 255.255.255.0
This command does not work:
static (inside,wifi) wifi-network inside-network netmask 255.255.255.0
Why?
I went with a NAT Exempt rule:
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 wifi-network 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
If I understand NAT Exemption, the above commands will only permit a connection that originated from inside, which is what I want. I do not want a connection between inside <-> wifi to be able to originate from wifi as this would be a huge security vulnerability in my setup.
Thanks
Edit:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname CoreFW
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.0 dmz-network
name 192.168.0.0 inside-network
name xxx.xxx.xxx.0 outside-network
name 192.168.2.0 wifi-network
name 192.168.10.0 vpn01-network
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 90
ip address 192.168.100.1 255.255.255.0
!
interface Vlan4
nameif wifi
security-level 80
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 4
!
interface Ethernet0/7
switchport access vlan 3
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list bcc_splitTunnelAcl standard permit inside-network 255.255.255.0
access-list bcc_splitTunnelAcl standard permit wifi-network 255.255.255.0
access-list bcc_splitTunnelAcl standard permit dmz-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 vpn01-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 wifi-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 dmz-network 255.255.255.0
access-list dmz_nat0_outbound extended permit ip dmz-network 255.255.255.0 vpn01-network 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu wifi 1500
ip local pool VPNPool01 192.168.10.10-192.168.10.100 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit name Attack attack action alarm drop reset
ip audit name Info attack action alarm
ip audit interface outside Attack
ip audit attack action alarm drop reset
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (wifi) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 66.0.180.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map wifi_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wifi_map interface wifi
crypto isakmp enable outside
crypto isakmp enable wifi
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet inside-network 255.255.255.0 inside
telnet timeout 5
ssh inside-network 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 43200
dhcpd domain bcc.local
!
dhcpd address 192.168.0.101-192.168.0.199 inside
dhcpd enable inside
!
dhcpd address 192.168.2.101-192.168.2.199 wifi
dhcpd enable wifi
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy bcc internal
group-policy bcc attributes
dns-server value xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
vpn-tunnel-protocol IPSec svc
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value bcc_splitTunnelAcl
default-domain value bcc.local
username sandy password hGIma.uniTOo2clx encrypted privilege 0
username sandy attributes
vpn-group-policy bcc
service-type remote-access
username admin password BWYVzIli.IEQNFZZ encrypted privilege 15
username chris password gTVs7SPJe.kfQ8G2 encrypted privilege 15
username jackie password eU4hdFAO+96mPOPTDfiuQQ== nt-encrypted privilege 0
username jackie attributes
vpn-group-policy bcc
service-type remote-access
username jabianm password KiOykgt6IbELsjHa encrypted privilege 15
tunnel-group bcc type remote-access
tunnel-group bcc general-attributes
address-pool VPNPool01
default-group-policy bcc
tunnel-group bcc ipsec-attributes
pre-shared-key *
tunnel-group bcc ppp-attributes
authentication ms-chap-v2
!
!
prompt hostname context
Cryptochecksum:a66229465ff2bfba0651985615eff57d
: end
Message was edited by: Robert McDonald
04-03-2010 10:52 PM
Both this statement:
static (inside,wifi) inside-network inside-network netmask 255.255.255.0
and this statement:
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 wifi-network 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
achieve the same thing. Both statements work bidirectionally as far as the translation is concerned, and it is configured from the higher security level towards the lower security level.
Traffic from high security to low security is allowed by default, so with either of the above statements, your inside network can initiate connections to your wifi network.
Traffic from low security to high security is not allowed by default. You would need either of the above statements PLUS an access-list applied on the wifi interface to be able to initiate a connection from wifi towards the inside network. If you just have either of the above statements with no access-list applied to the wifi interface, you won't be able to initiate a connection from the wifi network towards the inside network.
Hope that helps.
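An added illustration (not code from this thread or from Cisco) that models the three NAT statements discussed above as a small Python simulation of ASA 8.2 behaviour. It assumes the thread's subnets and security levels, that no access-group is applied to any interface (as in the posted config), and that the given rule is the only one matching the flow; it also shows why the first static rewrites the inside source into wifi-network, which is where the "Land Attack" comes from.

```python
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.0.0/24")   # inside-network in the posted config
WIFI_NET = ip_network("192.168.2.0/24")     # wifi-network in the posted config
SECURITY = {"inside": 100, "dmz": 90, "wifi": 80, "outside": 0}
ACL_ON_INTERFACE = set()   # interfaces with an inbound access-group; the posted config has none

# The three rules from the thread for the (inside,wifi) interface pair, as (kind, mapped, real).
BAD_STATIC = ("static", WIFI_NET, INSIDE_NET)        # static (inside,wifi) wifi-network inside-network
IDENTITY_STATIC = ("static", INSIDE_NET, INSIDE_NET)  # static (inside,wifi) inside-network inside-network
NAT_EXEMPT = ("nat0", None, None)                     # nat (inside) 0 access-list: no translation at all

def remap(addr, from_net, to_net):
    """Map a host 1:1 from one network to the same host offset in another."""
    if addr in from_net:
        return ip_address(int(to_net.network_address) + int(addr) - int(from_net.network_address))
    return addr

def verdict(src, dst, in_ifc, out_ifc, rule):
    """ASA 8.2 decision for a new connection entering in_ifc, modelled under one NAT rule.
    Assumption (constructed model): the given rule is the only one matching the flow."""
    src, dst = ip_address(src), ip_address(dst)
    kind, mapped, real = rule
    if kind == "static":
        # A static xlate is bidirectional: real->mapped for packets entering the real side,
        # mapped->real for packets entering the mapped side. The nat 0 rule translates nothing.
        if in_ifc == "inside":
            src = remap(src, real, mapped)
        else:
            dst = remap(dst, mapped, real)
    if src == dst:
        return f"Land Attack: dropped (source {src} == destination {dst})"
    # Higher security level to lower is permitted by default; the reverse needs an ACL.
    if SECURITY[in_ifc] > SECURITY[out_ifc] or in_ifc in ACL_ON_INTERFACE:
        return f"allowed: {src} -> {dst} leaves {out_ifc}"
    return f"denied: {in_ifc}({SECURITY[in_ifc]}) -> {out_ifc}({SECURITY[out_ifc]}) has no access-list applied"

if __name__ == "__main__":
    for name, rule in (("bad static", BAD_STATIC), ("identity static", IDENTITY_STATIC), ("nat 0", NAT_EXEMPT)):
        print(f"{name:16} inside->wifi: {verdict('192.168.0.5', '192.168.2.5', 'inside', 'wifi', rule)}")
        print(f"{name:16} wifi->inside: {verdict('192.168.2.5', '192.168.0.5', 'wifi', 'inside', rule)}")
```

The bad static rewrites every inside source into wifi-network; the Land Attack is the case where the rewritten source equals the destination, while the identity static and the NAT exemption leave the source alone and differ from each other only in that the exemption builds no xlate.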