06-15-2014 06:05 PM - edited 03-07-2019 07:44 PM
I have an ASA 5510 and just configured eth0/2 as 192.168.200.1 to expand my network.
Eth0/1 is 192.168.100.1.
I enabled bi-directional traffic using the following command:
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
Now I can RDP to a computer on the 192.168.200.0 network, but from that computer I cannot get to the internet or ping the router on the 100.x network (192.168.100.1). I can connect to ALL OTHER COMPUTERS on the "main" network (192.168.100.0), I just can't ping the router on that network or get to the internet.
I tried:
static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
...but still no luck.
What do I need to do to get internet on eth0/2? Also, what's the name of what I'm trying to do because I am finding it very difficult to search online for what I thought would be commonplace.
Enabling internet on eth 0/2 will let me set up all the WAPs on it and free up almost half the scope from iThings, droids, and laptop wifi.
:(
Additional info:
ASA Version 8.2(2)
ASDM Version 6.2(1)
Firewall mode: Routed
License: Security Plus
Thanks!
06-15-2014 07:15 PM
Since you are using a private IP range, most likely you are NATing the 192.168.100.0/24 network to get to the Internet. You also need to configure 192.168.200.0/24 the same.
What is your NAT config?
Can you post "sh run"?
HTH
06-15-2014 08:07 PM
Hi Reza. That sounds about right. Here's the config:
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name domain.com
enable
passwd
names
!
interface Ethernet0/0
description from Fiber
speed 100
duplex full
nameif newISP
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description inside lan
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
description inside wlan network
nameif inside-wlan
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
description From oldISP
speed 100
shutdown
nameif oldISP
security-level 1
ip address x.x.x.x 255.255.255.248
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address x.x.x.x 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup newISP
dns domain-lookup inside
dns domain-lookup inside-wlan
dns server-group DefaultDNS
name-server DHCP-Relay-Server
name-server 192.168.100.2
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0
pager lines 10
mtu newISP 1500
mtu inside 1500
mtu inside-wlan 1500
mtu management 1500
ip verify reverse-path interface newISP
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
arp timeout 14400
global (newISP) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
access-group outside_access_in in interface newISP
route newISP 0.0.0.0 0.0.0.0 x.x.x.x 1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect tftp
inspect http
inspect icmp
inspect icmp error
inspect ip-options
!
: end
06-15-2014 08:20 PM
ok,
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
The above line is for the 192.168.100.0/24 subnet.
Add the same for the 192.168.200.0/24 subnet.
Also, these statements are only for the 100 subnet; do the same for 200 and test:
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0
06-15-2014 08:38 PM
Awesome. Would I reverse the interfaces?
i.e. static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
-or should it be-
static (inside,inside-wlan) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
Thanks!
06-27-2014 11:26 AM
It should look like this:
static (inside,inside-wlan) 192.168.200.0 netmask 255.255.255.0
06-17-2014 09:10 AM
Hi Reza, I added:
static (inside,inside-wlan) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
But that didn't do anything. Communication seems to be working fine between the two networks; just can't get out to the internet from 192.168.200.x.
Any ideas? Please be as detailed as possible as I am somewhat new to this. I have read the manual about this but if you're not an expert, it's somewhat difficult to come up with a solution to a specific scenario.
Thanks anyone, for any input!
06-20-2014 07:48 AM
Hellooooooooo? Not another suggestion-and-run!?!?! :( Seems to be a theme on this Cisco support forum. Sigh....
06-24-2014 11:04 PM
Well, I added:
static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
...and still no luck.
So I've got:
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
Anyone know how to get internet access for the 200 network? I already have bi-directional communication between 100.x and 200.x networks.
Sincerely,
-Officially lost
06-26-2014 08:23 PM
06-27-2014 09:52 AM
In case anyone is having the same problem as me, here is the fix:
nat (inside-wlan) 1 0.0.0.0 0.0.0.0
...can someone with more points than me mark this as answered?
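Added example (not part of the thread and not Cisco tooling): a Python check over an ASA 8.2-style configuration that reports active interfaces with no `nat (...)` rule paired to a `global` pool on a lower-security interface, which is the gap the fix above closes. The sample configuration is constructed from the "sh run" posted earlier, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the "sh run" posted in the thread.
SAMPLE = """\
interface Ethernet0/0
 nameif newISP
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 nameif inside-wlan
 security-level 100
!
global (newISP) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
FIX = "nat (inside-wlan) 1 0.0.0.0 0.0.0.0\n"  # the fix from the thread

def parse_interfaces(config):
    """Map nameif -> {'level', 'shutdown'} from the interface blocks."""
    found, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            cur = {"level": 0, "shutdown": False}
        elif line == "!":
            cur = None
        elif cur is not None and line.startswith("nameif "):
            found[line.split()[1]] = cur
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and line == "shutdown":
            cur["shutdown"] = True
    return found

def missing_dynamic_nat(config):
    """List (source, egress, nat_id) where no 'nat' rule pairs with a 'global' pool."""
    ifs = parse_interfaces(config)
    rules = re.findall(r"^\s*(nat|global) \(([^)]+)\) (\d+) ", config, re.M)
    # NAT ID 0 is exemption/identity NAT, so it never pairs with a global pool.
    nats = {(i, n) for kind, i, n in rules if kind == "nat" and n != "0"}
    pools = [(i, n) for kind, i, n in rules
             if kind == "global" and i in ifs and not ifs[i]["shutdown"]]
    return sorted((src, egress, nat_id)
                  for src, info in ifs.items() if not info["shutdown"]
                  for egress, nat_id in pools
                  if info["level"] > ifs[egress]["level"]
                  and (src, nat_id) not in nats)
```

Running `missing_dynamic_nat` on the sample flags `inside-wlan` against the `newISP` pool with NAT ID 1; appending `FIX` to the configuration clears the finding.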