No internet access on new LAN eth0/2

(OP)
I have an ASA 5510 and just configured eth0/2 as 192.168.200.1 to expand my network -- I would like to just put all the wireless access points on this new network. I don't have much CLI experience but have been using ASDM for the last couple years and have managed to figure out how to do quite a bit just by looking at how other ASAs are configured while working.

Eth0/1 is 192.168.100.1 and currently on average only has ~5 IP addresses left in the DHCP pool.

I enabled bi-directional traffic using the following command:

static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Now I can RDP to a computer on the 192.168.200.0 network from the 192.168.100.0, but from that 200.x computer I cannot get to the internet or ping the router on the 100.x network (192.168.100.1). I can connect to ALL OTHER COMPUTERS on the "main" network (192.168.100.0), I just can't ping the router on that network or get to the internet... so this whole LAN is useless unless it can get to the internet.

I tried:

static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0

...but still no luck.

What do I need to do to get internet on eth0/2?

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name domain.com
enable
passwd
names
!
interface Ethernet0/0
description from Fiber
speed 100
duplex full
nameif newISP
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description inside lan
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
description inside wlan network
nameif inside-wlan
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
description From oldISP
speed 100
shutdown
nameif oldISP
security-level 1
ip address x.x.x.x 255.255.255.248
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address x.x.x.x 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup newISP
dns domain-lookup inside
dns domain-lookup inside-wlan
dns server-group DefaultDNS
name-server DHCP-Relay-Server
name-server 192.168.100.2
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Connection_Profile_0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 my_subnet 255.255.255.0
pager lines 10
mtu newISP 1500
mtu inside 1500
mtu inside-wlan 1500
mtu management 1500
ip verify reverse-path interface newISP
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
arp timeout 14400
global (newISP) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
access-group outside_access_in in interface newISP
route newISP 0.0.0.0 0.0.0.0 x.x.x.x 1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect tftp
inspect http
inspect icmp
inspect icmp error
inspect ip-options
!
: end

RE: No internet access on new LAN eth0/2

The second static() you added is not valid. You are missing a translation from inside-wlan to the Internet.
Something like:
nat (inside-wlan) 1 0.0.0.0 0.0.0.0 
As for pinging, you cannot ping the ASA interfaces without allowing that explicitly, for example:
icmp permit any inside 
I would discourage allowing that on the outside/DMZ interfaces though.

RE: No internet access on new LAN eth0/2

(OP)
Wow! Thanks for the quick reply iggsterman. Should I remove the second static line then, or leave it and add the nat line?

I can ping the gateway from the 192.168.100.1 network. From what I understand if I make the security level the same on eth0/2 (100, just like eth0/1), it's technically not a DMZ but just a second LAN?

Thanks again for your reply!!

RE: No internet access on new LAN eth0/2

(OP)
YOU THE MAN iggsterman. IT WORKED! My palms are sweating, it's been MONTHS! Many, many thanks! :D

RE: No internet access on new LAN eth0/2

Glad it worked. To answer your question, making interfaces same security will only allow traffic between them IF nat-control is off, then you won't need any translation rules. I personally do not like implicit allowances on a security device. It is always better to have the "deny all unless explicitly allowed" approach. But that's me.

RE: No internet access on new LAN eth0/2

(OP)
Last question. I just want to clarify what "nat (inside-wlan) 1 0.0.0.0 0.0.0.0" actually did. Is it basically creating a default route for that interface, and does 1 represent the "pool ID"?

Many thanks again. I have been posting on Cisco forums for months but I just get drive-by "try this...., try that..." (I feel only to increase their "points") and no one sticks around.

RE: No internet access on new LAN eth0/2

No, this is not creating any routes. When your traffic wants to leave the inside-wlan interface for some site outside, your (only) matching route will be
route newISP 0.0.0.0 0.0.0.0 x.x.x.x 1 
This is when the NAT (PAT actually) rule will apply and translate your internal IP addresses to the address specified by global 1, which in your case is that of the interface itself.

Good luck.
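The two replies above describe the same rule from two sides: the first says inside-wlan is missing a translation towards the Internet, the last explains that the default route picks the egress interface and the nat/global id pair (1 here) picks the PAT address. The script below is an added example written for this thread, not code from the thread, from Cisco, or from ASDM: it parses a pre-8.3 ASA running-config (nat/global/static syntax as in the "sh run" posted), finds every higher-security interface that has no translation path towards the default-route interface, and suggests the same kind of nat line the reply gave. The embedded config is a constructed excerpt of the OP's dump with the inside-wlan nat line left out and a placeholder next-hop address; all function names are this example's own.

```python
"""Audit a pre-8.3 ASA running-config for inside interfaces with no outbound
translation (nat/global pair or static) towards the default-route interface.
Added example for this thread; not code from the thread, Cisco, or ASDM."""
import re

# Constructed excerpt modelled on the "sh run" posted in the thread, with the
# inside-wlan 'nat' line (the fix from the reply) deliberately left out so the
# audit has something to report.  The next hop is a placeholder address.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif newISP
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif inside-wlan
 security-level 100
same-security-traffic permit inter-interface
global (newISP) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside-wlan) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside-wlan,inside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
route newISP 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

NAMEIF_RE = re.compile(r"^nameif\s+(\S+)$")
SECLVL_RE = re.compile(r"^security-level\s+(\d+)$")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\b")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\b")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)")
DEFAULT_ROUTE_RE = re.compile(r"^route\s+(\S+)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\S+")


def parse_config(text):
    """Collect interface names/levels, global pools, nat ids, statics and the
    default-route interface.  Indentation is ignored, since forum posts and
    copy/paste usually lose it."""
    cfg = {"interfaces": {}, "globals": {}, "nats": {}, "statics": [],
           "default_route_if": None}
    name = level = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = level = None            # start of a new interface block
            continue
        m = NAMEIF_RE.match(line)
        if m:
            name = m.group(1)
        m = SECLVL_RE.match(line)
        if m:
            level = int(m.group(1))
        if name is not None and level is not None:
            cfg["interfaces"][name] = level
        m = GLOBAL_RE.match(line)
        if m:                              # global (egress) <id> ...
            cfg["globals"].setdefault(int(m.group(2)), set()).add(m.group(1))
        m = NAT_RE.match(line)
        if m:                              # nat (source) <id> ...; id 0 is exemption
            cfg["nats"].setdefault(m.group(1), set()).add(int(m.group(2)))
        m = STATIC_RE.match(line)
        if m:                              # static (real_if,mapped_if) ...
            cfg["statics"].append((m.group(1), m.group(2)))
        m = DEFAULT_ROUTE_RE.match(line)
        if m:
            cfg["default_route_if"] = m.group(1)
    return cfg


def has_outbound_translation(cfg, iface, egress):
    """True if traffic from iface has a translation when leaving via egress:
    a non-zero nat id on iface paired with a global on egress (PAT/pool),
    or a static whose real side is iface and mapped side is egress."""
    for nat_id in cfg["nats"].get(iface, ()):
        if nat_id != 0 and egress in cfg["globals"].get(nat_id, ()):
            return True
    return any(real == iface and mapped == egress for real, mapped in cfg["statics"])


def find_untranslated(cfg):
    """Higher-security interfaces with no translation towards the default-route
    interface: hosts there reach the LAN but not the Internet, the thread's symptom."""
    egress = cfg["default_route_if"]
    egress_level = cfg["interfaces"][egress]
    return sorted(name for name, level in cfg["interfaces"].items()
                  if level > egress_level
                  and not has_outbound_translation(cfg, name, egress))


def suggest_nat_line(cfg, iface):
    """Reuse the lowest global id already bound to the egress interface so the
    new interface shares the existing PAT address, as the reply's 'nat ... 1' does."""
    egress = cfg["default_route_if"]
    ids = sorted(i for i, ifaces in cfg["globals"].items() if egress in ifaces)
    if not ids:
        return f"global ({egress}) 1 interface\nnat ({iface}) 1 0.0.0.0 0.0.0.0"
    return f"nat ({iface}) {ids[0]} 0.0.0.0 0.0.0.0"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for iface in find_untranslated(cfg):
        print(f"{iface}: no outbound translation via {cfg['default_route_if']}; suggest:")
        print("  " + suggest_nat_line(cfg, iface))
```

Run against the excerpt it reports only inside-wlan and suggests `nat (inside-wlan) 1 0.0.0.0 0.0.0.0`; paste the real `sh run` into SAMPLE_CONFIG to check a box after adding interfaces. The two identity statics between inside and inside-wlan are ignored on purpose: they only govern traffic between those two interfaces and say nothing about the path out through newISP.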
