Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

No internet access on new LAN eth0/2 1

Status
Not open for further replies.

ttrsux

IS-IT--Management
Jul 28, 2004
112
US
I have an ASA 5510 and just configured eth0/2 as 192.168.200.1 to expand my network -- I would like to just put all the wireless access points on this new network. I don't have much CLI experience but have been using ASDM for the last couple years and have managed to figure out how to do quite a bit just by looking at how other ASAs are configured while working.

Eth0/1 is 192.168.100.1 and currently on average only has ~5 IP addresses left in the DHCP pool.

I enabled bi-directional traffic using the following command:

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Now I can RDP to a computer on the 192.168.200.0 network from the 192.168.100.0, but from that 200.x computer I cannot get to the internet or ping the router on the 100.x network (192.168.100.1). I can connect to ALL OTHER COMPUTERS on the "main" network (192.168.100.0), I just can't ping the router on that network or get to the internet... so this whole LAN is useless unless it can get to the internet.

I tried:

static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0

...but still no luck.

What do I need to do to get internet on eth0/2?

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name domain.com
enable
passwd
names
!
interface Ethernet0/0
description from Fiber
speed 100
duplex full
nameif newISP
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description inside lan
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
description inside wlan network
nameif inside-wlan
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
description From oldISP
speed 100
shutdown
nameif oldISP
security-level 1
ip address x.x.x.x 255.255.255.248
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address x.x.x.x 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup newISP
dns domain-lookup inside
dns domain-lookup inside-wlan
dns server-group DefaultDNS
name-server DHCP-Relay-Server
name-server 192.168.100.2
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0
pager lines 10
mtu newISP 1500
mtu inside 1500
mtu inside-wlan 1500
mtu management 1500
ip verify reverse-path interface newISP
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
arp timeout 14400
global (newISP) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
access-group outside_access_in in interface newISP
route newISP 0.0.0.0 0.0.0.0 x.x.x.x 1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect tftp
inspect http
inspect icmp
inspect icmp error
inspect ip-options
!
: end
 
The second [tt]static()[/tt] you added is not valid. You are missing a translation from [tt]inside-wlan[/tt] to the Internet.
Something like: [pre]nat (inside-wlan) 1 0.0.0.0 0.0.0.0[/pre]
As for pinging, you cannot ping the ASA interfaces without allowing that explicitely, for example: [pre]icmp permit any inside[/pre]
I would discourage from allowing that on the outside/DMZ interfaces though.
 
Wow! Thanks for the quick reply iggsterman. Should I remove the second static line then, or leave it and add the nat line?

I can ping the gateway from the 192.168.100.1 network. From what I understand if I make the security level the same on eth0/2 (100, just like eth0/1), it's technically not a DMZ but just a second LAN?

Thanks again for your reply!!
 
YOU THE MAN iggsterman. IT WORKED! My palms are sweating, it's been MONTHS! Many, many thanks! :D
 
Glad it worked. To answer your question, making interfaces same security will only allow traffic between them IF [tt]nat-control[/tt] is off, then you won't need any translation rules. I personally do not like implicit allowances on a security device. It is always better to have the "deny all unless explicitly allowed" approach. But that's me.
 
Last question. I just want to clarify what "nat (inside-wlan) 1 0.0.0.0 0.0.0.0" actually did. Is it basically creating a default route for that interface, and does 1 represent the "pool ID"?

Many thanks again. I have been posting on Cisco forums for months but I just get drive-by "try this...., try that..." (I feel only to increase their "points") and no one sticks around.
 
No, this is not creating any routes. When your traffic wants to leave the [tt]inside-wlan[/tt] interface for some site outside your (only) matching route will be [pre]route newISP 0.0.0.0 0.0.0.0 x.x.x.x 1[/pre] This is when the NAT (PAT actually) rule will apply and translate your internal IP addresses to the address specified by global 1, which in your case is that of the interface itself.

Good luck.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top