
How to allow wireless network to access other networks of an ASA5510.


ozguyal (Technical User), Aug 19, 2009
We have an ASA5510 which we have configured with the 4 interfaces as follows:
ethernet0/0 Internal
ethernet0/1 DMZ0
ethernet0/2 WLAN0
ethernet0/3 WAN

I've assigned the WLAN interface a security level of 75, the internal interface a value of 100, and the DMZ0 a value of 50.

I have also configured specific rules to allow the WLAN0 network to access the DMZ and Internal networks.

No matter what I do (via the ASDM 6.0 UI) I can't seem to access any device on any of the other interfaces (including WAN) from the WLAN0 interface.

I've managed security devices for years, but mostly checkpoint, iptables and Sonicwall devices. I am not Cisco trained, but have configured and managed many Cisco switches. As a result I use the ASDM software and not the command line to configure rules and configurations.

Any advice?

Thanks in advance,

Alan
 
please post your scrubbed config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here is the config.

The wlan0 network is our wireless network where users authenticate via our Cisco Aironet (WPA2 with pre-shared key).

We can authenticate, get a DHCP address, and can ping the 192.168.85.1 gateway, but we cannot access anything else.

Thanks in advance for any advice you can give.

I'll avoid the caps in future. Maybe that's why it's not working......

Alan
 
This is the extent of your ACL:
Code:
access-list wlan0_access_in remark allow openfiler01 DNS replies to wireless LAN clients
access-list wlan0_access_in extended permit object-group TCPUDP host openfiler01_dns_dmz wlan0_network 255.255.255.0 eq domain log warnings 
access-list wlan0_access_in extended permit object-group TCPUDP any host openfiler01_dns_dmz eq domain log warnings
There is an implied deny ip any any at the bottom of every access-list. You could remove the first ACE in this ACL and you'd still have DNS resolution working fine. You'll need to add one or more ACEs to this ACL to permit, say, web traffic from WLAN0 to the Internet. As it is now, the only thing permitted inbound from your wireless clients is DNS.

 
First off kill these lines -
route Internal 192.168.83.0 255.255.255.0 192.168.83.1 1
route DMZ0 192.168.84.0 255.255.255.0 192.168.84.1 1
route wlan0 wlan0_network 255.255.255.0 192.168.85.1 1


You don't need to put in routes for directly attached networks.

Now take off the WLAN acl -
access-group wlan0_access_in in interface wlan0

See if you can get to the internet? DMZ?

now add
access-list nonat extended permit ip 192.168.85.0 255.255.255.0 192.168.84.0 255.255.255.0

Can you get to the DMZ now?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks for your advice unclerico and Supergrrover. All is now working, but I do have some concerns.

I did a massive cleanup of the rules, removing all the test rules, and cleaning up a lot of the NAT rules.

I found that we had not defined a dynamic NAT rule to the wlan0 group which immediately brought some benefits.

With that in place some connectivity started working fine, but others did not.

To get everything working we had to do something that does not seem right to me at all. In the GUI we had to add a rule for each group allowing "any any all". I think this is the line in the config for the wireless network:

access-list wlan0_access_in extended permit ip any any

To my non-Cisco-experienced eye, it seems that this rule allows any internal or external device to connect to each network via any service. It obviously does not do that, as we have tested access, but it confuses me as to why it has to be there.

I have attached the new config file for your review and valued advice.

How do I enable history? I want to see a few days of logs if possible. Will this slow down the firewall? If I upgrade the RAM, will performance improve further?

Thanks,

Alan

PS What are the latest ASA & ASDM versions? We do not have a subscription with Cisco, and I'm wondering if the latest versions add some great functionality, or improve performance and stability.
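The configuration below is an added example written for this page; it is not a line from the posted 5510Config.txt or from any of the replies. It puts the blanket "permit ip any any" entry that Alan ended up with next to a least-privilege wlan0_access_in ACL that covers the two points raised above: unclerico's observation that only DNS was permitted and everything else fell through to the implicit deny, and Brent's NAT-exemption line for wireless-to-DMZ traffic. An ACL bound with "access-group ... in interface wlan0" is evaluated only on packets entering the ASA on wlan0, so "permit ip any any" there means "wireless clients may initiate anything to any network, Internal included"; it does not open the networks to outside hosts, which is why the tests passed, but it gives a WPA2-PSK wireless segment the same reach as the trusted LAN. Assumptions (not stated in the thread): the outside interface nameif is WAN; Internal is 192.168.83.0/24, DMZ0 is 192.168.84.0/24 and wlan0 is 192.168.85.0/24, taken from the route lines quoted earlier; openfiler01_dns_dmz is the name of the DMZ resolver; the ASA runs the pre-8.3 NAT syntax of the ASDM 6.0 era; and the default global_policy / inspection_default policy-map exists.

```cisco
! Added example for this page (not from the posted 5510Config.txt): replaces the blanket
!   access-list wlan0_access_in extended permit ip any any
! with a least-privilege inbound ACL on wlan0 plus the NAT rules the thread found missing.
! Assumptions (not in the thread): outside nameif is "WAN"; Internal = 192.168.83.0/24,
! DMZ0 = 192.168.84.0/24, wlan0 = 192.168.85.0/24 (from the route lines quoted earlier);
! openfiler01_dns_dmz is the DMZ resolver; pre-8.3 NAT syntax; default global_policy exists.

! --- Weak setting: anything entering on wlan0 may go anywhere, Internal included.
no access-list wlan0_access_in extended permit ip any any

! --- Hardened ACL. ACEs are matched top-down, first match wins, and an implicit
! "deny ip any any" sits at the end, so put the narrow permits and the denies first.
access-list wlan0_access_in remark 1. DNS (tcp+udp/53) from wireless clients to the DMZ resolver only
access-list wlan0_access_in extended permit udp 192.168.85.0 255.255.255.0 host openfiler01_dns_dmz eq domain
access-list wlan0_access_in extended permit tcp 192.168.85.0 255.255.255.0 host openfiler01_dns_dmz eq domain
access-list wlan0_access_in remark 2. Wireless must not reach the trusted LAN; log attempts
access-list wlan0_access_in extended deny ip 192.168.85.0 255.255.255.0 192.168.83.0 255.255.255.0 log warnings
access-list wlan0_access_in remark 3. Nothing else into the DMZ (DNS already matched above)
access-list wlan0_access_in extended deny ip 192.168.85.0 255.255.255.0 192.168.84.0 255.255.255.0 log warnings
access-list wlan0_access_in remark 4. Internet access for wireless clients: web plus ping
access-list wlan0_access_in extended permit tcp 192.168.85.0 255.255.255.0 any eq www
access-list wlan0_access_in extended permit tcp 192.168.85.0 255.255.255.0 any eq https
access-list wlan0_access_in extended permit icmp 192.168.85.0 255.255.255.0 any echo
! Everything not listed above falls through to the implicit deny ip any any.
access-group wlan0_access_in in interface wlan0

! --- NAT (pre-8.3 syntax). Exempt wireless->DMZ (Brent's nonat line, kept in its own ACL
! so it is bound to wlan0) so the resolver sees the real 192.168.85.x source and no
! "global" is needed on DMZ0; then PAT the rest of wlan0 behind the WAN address.
access-list wlan0_nonat extended permit ip 192.168.85.0 255.255.255.0 192.168.84.0 255.255.255.0
nat (wlan0) 0 access-list wlan0_nonat
nat (wlan0) 1 192.168.85.0 255.255.255.0
global (WAN) 1 interface

! --- Let echo replies return to wireless clients without a reverse ACE; ICMP is only
! tracked statefully when it is inspected.
policy-map global_policy
 class inspection_default
  inspect icmp
```

After applying it, "show access-list wlan0_access_in" shows a hit count per ACE, and "packet-tracer input wlan0 tcp 192.168.85.50 40000 192.168.83.10 445" walks one simulated packet through the ACL and NAT phases and names the rule that drops it, which is the quickest way to confirm that wireless clients can no longer reach Internal while DNS and web still pass.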
 
 http://www.choyna.com/5510Config.txt
I spoke too soon. Our inbound VPN is broken and I'm not sure which line change caused it.

Users cannot authenticate, and the firewall shows a "Memory allocation error" message in the logs.
 
What is your memory utilization currently (show memory)?

 
Memory consumption is usually around 200 MB, but we do not have history enabled (which I would like to run but don't know how to configure). Should we bump up the memory? Is there an issue or risk with doing so?

The system is running fine now. We rebooted the firewall to rectify the "memory allocation error" error, and all of a sudden no one on the internal network could access any other network or the outside world. Inbound access was not affected.

After some investigation we found that no one had a gateway assigned on their systems, and lo and behold, we saw that no gateway/router had been configured on the internal network. Somehow we had never set the gateway, and yet the DHCP system worked fine until the reboot.

We have now set the gateway/router IP for that network, and all is fine again.



 
cool beans. sometimes a reboot is the only fix for these devices.

 