I have an ASA 5510 and just configured eth0/2 as 192.168.200.1 to expand my network -- I would like to just put all the wireless access points on this new network. I don't have much CLI experience but have been using ASDM for the last couple years and have managed to figure out how to do quite a bit just by looking at how other ASAs are configured while working.
Eth0/1 is 192.168.100.1 and currently on average only has ~5 IP addresses left in the DHCP pool.
I enabled bi-directional traffic using the following command:
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
Now I can RDP to a computer on the 192.168.200.0 network from the 192.168.100.0 network, but from that 200.x computer I cannot get to the internet or ping the router on the 100.x network (192.168.100.1). I can connect to ALL OTHER COMPUTERS on the "main" network (192.168.100.0); I just can't ping the router on that network or get to the internet... so this whole LAN is useless unless it can get to the internet.
I tried:
static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
...but still no luck.
What do I need to do to get internet on eth0/2?
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name domain.com
enable
passwd
names
!
interface Ethernet0/0
description from Fiber
speed 100
duplex full
nameif newISP
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description inside lan
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
description inside wlan network
nameif inside-wlan
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
description From oldISP
speed 100
shutdown
nameif oldISP
security-level 1
ip address x.x.x.x 255.255.255.248
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address x.x.x.x 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup newISP
dns domain-lookup inside
dns domain-lookup inside-wlan
dns server-group DefaultDNS
name-server DHCP-Relay-Server
name-server 192.168.100.2
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0
pager lines 10
mtu newISP 1500
mtu inside 1500
mtu inside-wlan 1500
mtu management 1500
ip verify reverse-path interface newISP
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
arp timeout 14400
global (newISP) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
access-group outside_access_in in interface newISP
route newISP 0.0.0.0 0.0.0.0 x.x.x.x 1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect tftp
inspect http
inspect icmp
inspect icmp error
inspect ip-options
!
: end
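The missing piece, as an added example and not part of the original post: in the posted 8.2(2) config the only outbound PAT pool is `global (newISP) 1 interface`, and the only rule that feeds it is `nat (inside) 1 0.0.0.0 0.0.0.0`. Nothing maps the `inside-wlan` interface into pool 1, so hosts on 192.168.200.0/24 can reach the other inside interface (no `nat-control`, plus the identity statics) but have no translation towards `newISP`, and the ISP never sees a usable source address. The fix is a dynamic `nat` entry for `inside-wlan` that references the same pool ID. Keep both identity statics: once `inside-wlan` has a dynamic `nat` rule, traffic from it towards `inside` would otherwise match a `nat` statement with no matching `global` on the egress interface, which 8.2 drops with "no translation group found"; the `static (inside-wlan,inside)` line is what lets that traffic pass untranslated. The host address 192.168.200.50 and the destination 8.8.8.8 in the `packet-tracer` check below are made-up test values.

```cisco
conf t
nat (inside-wlan) 1 0.0.0.0 0.0.0.0
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
end
clear xlate
write memory
packet-tracer input inside-wlan tcp 192.168.200.50 12345 8.8.8.8 80
show xlate
```

`packet-tracer` should now end with `Action: allow` and show a NAT phase that translates 192.168.200.50 to the `newISP` interface address; `show xlate` lists the PAT entry once a client has sent traffic. Two caveats the config itself implies: the ping to 192.168.100.1 from a 200.x host will keep failing even after the fix, because an ASA only answers for the address of the interface the packet arrived on (ping 192.168.200.1 instead, or verify from the far side with `ping inside-wlan 192.168.200.50`); and 192.168.200.0/24 appears in neither `inside_nat0_outbound` nor the `outside_1_cryptomap` ACLs, so wireless clients will be PATed to the internet but will not traverse the site-to-site VPN tunnels unless those ACLs (and the remote side) are extended to include it.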