
NAT Issues


vbman213 (Programmer), Mar 26, 2010
I am new to ASA administration.

I use an ASA 5505 as the core of my network. I just recently added a Linksys WRT54G router.

So my setup is as follows:

VLAN1: Inside (100) 192.168.0.1
VLAN2: Outside (0) xxx.xxx.xxx.xxx
VLAN3: IP Security Camera (90) 192.168.100.1
VLAN4: Wifi (80) 192.168.1.1

I am using the default firewall rules so anybody using wifi cannot access my inside devices and security cameras.

The only thing that wifi should have access to is the outside (internet)

But I still need to get from the inside to the wifi for administration reasons.

I'm not a routing professional so this is new for me.

Would I just create a static rule from inside to wifi?

I had a friend help me with the camera vlan and he set up a static rule from inside to camera. Without that static rule, I cannot access the cameras from inside.

So using that logic, I just assumed that another static rule would permit me access to anything on wifi 192.168.2.x

Not the case... I tried an exempt rule and that worked? Why would a static rule not work?
 
post a scrubbed config

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
: Saved
:
ASA Version 8.2(1)
!
hostname CoreFW
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.10.0 VPN01-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 80
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan4
 nameif wifi
 security-level 70
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
 switchport access vlan 3
!

boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list bcc_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list bcc_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list bcc_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN01-network 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 VPN01-network 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu wifi 1500
ip local pool VPNPool 192.168.10.10-192.168.10.100 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit name Attack attack action alarm drop reset
ip audit name Info attack action alarm
ip audit interface outside Attack
ip audit attack action alarm drop reset
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 192.168.100.0 192.168.0.0 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 66.0.180.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.63.228.72 255.255.255.248 outside
ssh timeout 5
console timeout 0
dhcpd dns 66.0.214.14 207.230.75.34
dhcpd lease 43200
dhcpd domain bcc.local
!
dhcpd address 192.168.0.101-192.168.0.199 inside
dhcpd enable inside
!
dhcpd address 192.168.1.101-192.168.1.199 wifi
dhcpd enable wifi
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy bcc internal
group-policy bcc attributes
 dns-server value 66.0.214.14 207.230.75.34
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value bcc_splitTunnelAcl
 default-domain value bcc.local
username sandy password hGIma.uniTOo2clx encrypted privilege 0
username sandy attributes
 vpn-group-policy bcc
 service-type remote-access
username admin password BWYVzIli.IEQNFZZ encrypted privilege 15
username chris password gTVs7SPJe.kfQ8G2 encrypted privilege 15
username jackie password eU4hdFAO+96mPOPTDfiuQQ== nt-encrypted privilege 0
username jackie attributes
 vpn-group-policy bcc
 service-type remote-access
username jabianm password KiOykgt6IbELsjHa encrypted privilege 15
tunnel-group bcc type remote-access
tunnel-group bcc general-attributes
 address-pool VPNPool
 default-group-policy bcc
tunnel-group bcc ipsec-attributes
 pre-shared-key *
tunnel-group bcc ppp-attributes
 authentication ms-chap-v2
!
!
prompt hostname context
Cryptochecksum:3cc1d2f6897c0780a4b6f8f712e59542
: end

I also checked the log: I get a "Land Attack" warning if I use a Static NAT rule. I would appreciate an explanation of why an Exempt rule works over a Static rule and when to use one over the other. Also, what exactly does an ACL do?
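As an added illustration (not from the thread and not Cisco code), a small Python model of how ASA 8.2 orders the two translation mechanisms present in the posted config: the nat 0 exemption is consulted first and leaves the source address untouched, while a static like the existing dmz one keeps the host part and swaps the network part. The wifi static entry (built by analogy with the dmz line) and the post-translation source/destination collision check are assumptions, not something the thread confirms.

```python
import ipaddress

# Constructed from the posted "access-list inside_nat0_outbound" lines:
# (source network, destination network). "nat (inside) 0 access-list ..."
# exempts any flow this ACL permits, i.e. the real source address is kept.
NAT0_ACL = [
    ("192.168.0.0/24", "192.168.10.0/25"),
    ("192.168.100.0/24", "192.168.10.0/25"),
    ("192.168.0.0/24", "192.168.1.0/24"),
]

# Static NAT entries: egress interface -> (mapped network, real network).
# The dmz line is the posted "static (inside,dmz) 192.168.100.0 192.168.0.0".
# The wifi line is an ASSUMPTION of what the poster tried, by analogy.
STATICS = {
    "dmz": ("192.168.100.0/24", "192.168.0.0/24"),
    "wifi": ("192.168.1.0/24", "192.168.0.0/24"),  # assumed, not in config
}


def acl_permits(acl, src, dst):
    """An extended ACL is a top-down list: the first entry whose source and
    destination networks both contain the packet decides; none -> deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)


def translate(src, dst, egress, use_exemption=True):
    """Return (translated source, reason). ASA 8.2 checks NAT exemption
    (nat 0 access-list) before static NAT, so an exempt flow is never rewritten."""
    if use_exemption and acl_permits(NAT0_ACL, src, dst):
        return src, "exempt: source unchanged"
    if egress in STATICS:
        mapped, real = (ipaddress.ip_network(n) for n in STATICS[egress])
        s = ipaddress.ip_address(src)
        if s in real:  # keep host offset, swap the network part
            offset = int(s) - int(real.network_address)
            return str(mapped.network_address + offset), "static: network swapped"
    return src, "no translation"


def land_collision(src_translated, dst):
    """The ASA reports a land attack when a packet's source equals its
    destination; this model ASSUMES that check applies after translation."""
    return src_translated == dst
```

With the assumed wifi static, inside host 192.168.0.7 reaching 192.168.1.7 is rewritten to source 192.168.1.7, which is exactly the collision the exemption avoids.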
 