Re: ASA 5505 network behind an access point

From: Tony Singh <mothafungla_at_gmail.com>
Date: Tue, 17 Jul 2012 21:10:52 +0100

hi Ryan / Carlos

yes thanks - I tried a non-WAN port on the Netgear prior but couldn't get it
to work that way..... after further persistence I assigned a manual LAN IP
address to the Netgear on one of the switchports and this seemed to do the
trick, and yes turned off DHCP so the wireless clients are now serviced by
the ASA off this switchport - muchos

everything is now on the same network 192.x range

thanks guys

any advice/heads up on clientless SSL VPN on the remote site which works
best / or is it better to use AnyConnect......

On 17 July 2012 14:03, Ryan West <rwest_at_zyedge.com> wrote:

> Default behavior of dd-wrt would be NAT between the 192.168.1.0/24 network and
> 10.0.0.0/24 network. If you choose a port that's not wan on the ap and
> turn off dhcp, you should get .1 addresses and this would be a moot point.
> If you still want this setup, make sure you turn off NAT on the ap.
>
> Sent from handheld
>
> On Jul 17, 2012, at 8:22 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
>
> > hi mate
> >
> > 1.7 pings fine from hosts on 192 & from the ASA, further testing from
> > packet tracer on ASA shows icmp, tcp & udp allowed from hosts on 192.x to
> > 10.x this passes with all boxes ticked.
> >
> > Looking at the ASDM syslog messages when I'm on a 192.x host when trying
> > to establish an ssh or http session to 10.x resources, the tcp session
> > builds then waits for SYN but tears down after timeout..
> >
> > ISP MODEM > ASA > NETGEAR wireless > DD-WRT wireless in client bridge
> > repeater mode
> >
> > Above proved to be working ok without ASA, need to set up SSL VPN to
> > resources hence the reason for it.
> >
> > ASA setup is vlan2 outside dhcp address from ISP ok & inside ports 1-7
> > vlan1 with different resources, port 1 is where wireless is connected with
> > an assigned dhcp address of 1.7 from the ASA this access point is using
> > dhcp to assign hosts 10.x range (these hosts have access to Internet ok
> > through the ASA)
> >
> > --
> > BR
> >
> > Sent from my iPhone on 3
> >
> > On 17 Jul 2012, at 12:57, Ryan West <rwest_at_zyedge.com> wrote:
> >
> >> Can you ping .1.7? How many interfaces are you talking about on the ASA?
> >>
> >> Sent from handheld
> >>
> >> On Jul 17, 2012, at 6:34 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
> >>
> >>> hi carlos
> >>>
> >>> yes sorry should have mentioned from asa - first time playing with these...
> >>>
> >>> from linux host (192.168.1.6)
> >>>
> >>> root_at_dm8000:~# ping 10.0.0.2
> >>> PING 10.0.0.2 (10.0.0.2): 56 data bytes
> >>>
> >>> not getting anything back
> >>>
> >>> but ASA looks like it's passing the icmp on
> >>>
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38400 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38656 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38912 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39168 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39424 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39680 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39936 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40192 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40448 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40704 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40960 len=56
> >>>
> >>> On 17 July 2012 10:56, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> >>>
> >>>> Sorry, I thought you were trying to get from another host to the
> >>>> wireless. Now I see that the ASA is not able to ping.
> >>>> Can you ping a wireless host from another 192.168.1.1 host if you add a
> >>>> route via .7 ? Sounds like a WLC ACL.
> >>>>
> >>>>
> >>>> Tony Singh @ 17/07/2012 06:49 -0300 dixit:
> >>>>
> >>>>>
> >>>>> hi carlos - thanks but see below...
> >>>>>
> >>>>> ciscoasa(config)# same-security-traffic permit inter-interface
> >>>>> ciscoasa(config)# same-security-traffic permit intra-interface
> >>>>> ciscoasa(config)# ping 10.0.0.1
> >>>>> Type escape sequence to abort.
> >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> >>>>> ?????
> >>>>> Success rate is 0 percent (0/5)
> >>>>>
> >>>>> ciscoasa(config)# debug icmp trace 15
> >>>>> debug icmp trace enabled at level 15
> >>>>> ciscoasa(config)# ping 10.0.0.1
> >>>>> Type escape sequence to abort.
> >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> >>>>> ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?
> >>>>> Success rate is 0 percent (0/5)
> >>>>>
> >>>>> On 17 July 2012 10:36, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> >>>>>
> >>>>> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
> >>>>>
> >>>>> same security traffic permit intra-interface
> >>>>>
> >>>>> -Carlos
> >>>>>
> >>>>> Tony Singh @ 17/07/2012 05:21 -0300 dixit:
> >>>>>
> >>>>> hi experts
> >>>>>
> >>>>> problem
> >>>>> network behind wireless is 10.0.0.0/24
> >>>>>
> >>>>> unable to access from asa defined
> >>>>> dhcp network 192.168.1.0/24
> >>>>>
> >>>>>
> >>>>> topology
> >>>>> wireless access point wan port --> ASA inside switchport vlan 1
> >>>>>
> >>>>> on asa set a static route to say 10.x is behind 192.168.1.7 (which is the
> >>>>> address of the wan port of the wireless access point, pings fine from asa
> >>>>> and traffic from the 10.x range is able to get out to the internet fine)
> >>>>>
> >>>>> route inside 10.0.0.0 255.255.255.0 192.168.1.7
> >>>>>
> >>>>> S 10.0.0.0 255.255.255.0 [1/0] via 192.168.1.7, inside
> >>>>>
> >>>>> but ping fails
> >>>>>
> >>>>> ciscoasa(config)# ping 10.0.0.1
> >>>>> Type escape sequence to abort.
> >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> >>>>> ?????
> >>>>> Success rate is 0 percent (0/5)
> >>>>>
> >>>>> using the ASDM packet tracer facility it shows that it is trying to ping
> >>>>> from inside to outside interface, it fails due to acl-rule
> >>>>>
> >>>>> but on asa not seeing it here..
> >>>>>
> >>>>> ciscoasa(config)# show access-list
> >>>>> access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
> >>>>> alert-interval 300
> >>>>>
> >>>>> problem is this probably a private vlan scenario as I have a network within
> >>>>> a network on my inside interface so the packet trace going from inside to
> >>>>> outside is wrong
> >>>>>
> >>>>> any advice would be great
> >>>>>
> >>>>>
> >>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>
> >>>>> _______________________________________________________________________
> >>>>>
> >>>>> Subscription information may be found at:
> >>>>> http://www.groupstudy.com/list/CCIELab.html
> >>>>>
> >>>>> --
> >>>>> Carlos G Mendioroz <tron_at_huapi.ba.ar>
> >>>>> LW7 EQI Argentina
> >>>>>
> >>>> --
> >>>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
> >>>
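The decisive clue in this thread is the `debug icmp trace` output: echo requests leave the ASA towards 10.x, but no echo reply ever appears, which is the signature of a one-way path (here, NAT on the access point's WAN side swallowing the return traffic). The following Python is an added example, not part of the thread or of any Cisco tooling: it pairs requests with replies by address, ID and sequence number and reports the flows that were never answered. The `ICMP echo reply from ...` wording is assumed to mirror the request wording, and the sample trace is constructed from the thread's addresses.

```python
import re
from collections import defaultdict

# Matches ASA "debug icmp trace" lines.  The "inside:" interface prefix is
# optional because the ASA's own pings in the thread print bare addresses.
# Assumption: echo replies use the same layout with the word "reply".
ICMP_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?:\w+:)?(?P<src>[\d.]+) "
    r"to (?:\w+:)?(?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+) len=\d+"
)

# Constructed sample: three unanswered requests modelled on the thread's
# 192.168.1.6 -> 10.0.0.2 output, plus one request to the ASA itself that
# does get a reply, so the pairing logic has something to match.
SAMPLE_TRACE = """\
ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38400 len=56
ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38656 len=56
ICMP echo request from inside:192.168.1.6 to inside:192.168.1.1 ID=57674 seq=1 len=56
ICMP echo reply from inside:192.168.1.1 to inside:192.168.1.6 ID=57674 seq=1 len=56
ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38912 len=56
"""

def parse_trace(text):
    """Yield (kind, src, dst, id, seq) for each trace line found in text."""
    for m in ICMP_RE.finditer(text):
        yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])

def unanswered_flows(text):
    """Return {(src, dst): [seq, ...]} for echo requests with no matching reply.

    A reply matches when it travels dst -> src with the same ID and seq.  A
    flow listed here left the ASA but nothing came back: the classic sign of
    a one-way path (a NAT or filter on the far hop, or a return route that
    does not point back through the ASA).
    """
    pending = {}
    for kind, src, dst, ident, seq in parse_trace(text):
        if kind == "request":
            pending[(src, dst, ident, seq)] = None
        else:
            pending.pop((dst, src, ident, seq), None)  # reply closes the request
    flows = defaultdict(list)
    for src, dst, _, seq in pending:
        flows[(src, dst)].append(seq)
    return {k: sorted(v) for k, v in flows.items()}

if __name__ == "__main__":
    for (src, dst), seqs in unanswered_flows(SAMPLE_TRACE).items():
        print(f"{src} -> {dst}: {len(seqs)} request(s) unanswered, seq {seqs}")
```

Paste the output of a real `debug icmp trace` session into `SAMPLE_TRACE` (one event per line) to see which destinations never answer; an empty result with requests present means the problem is not on the ASA's forwarding path.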

Received on Tue Jul 17 2012 - 21:10:52 ART

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART