RE: ASA 5505 network behind an access point

From: Ryan West <rwest_at_zyedge.com>
Date: Tue, 17 Jul 2012 20:19:47 +0000

Tony,

I would just run AnyConnect Essentials on the 5505. If you're using more
than the built-in 2 users for the premium VPN, then it's an expensive license
to go to 25 users. Essentials is $100 list for the 5505.

-ryan

From: Tony Singh [mailto:mothafungla_at_gmail.com]
Sent: Tuesday, July 17, 2012 4:11 PM
To: Ryan West
Cc: Carlos G Mendioroz; Cisco certification
Subject: Re: ASA 5505 network behind an access point

hi ryan / carlos

yes thanks - I tried a non-WAN port on the Netgear prior but couldn't get it to
work that way... after further persistence I assigned a manual LAN IP address
to the Netgear on one of the switchports; this seemed to do the trick, and
yes, turned off DHCP so the wireless clients are now serviced by the ASA off
this switchport - muchos

everything is now on the same network 192.x range

thanks guys

any advice/heads-up on clientless SSL VPN on the remote site, which works best
/ or is it better to use AnyConnect...

On 17 July 2012 14:03, Ryan West <rwest_at_zyedge.com> wrote:
Default behavior of dd-wrt would be NAT between the 192.168.1.0/24 network and
10.0.0.0/24 network. If you choose a port that's not WAN on the AP and turn off
DHCP, you should get .1 addresses and this would be a moot point. If you still
want this setup, make sure you turn off NAT on the AP.

Sent from handheld

On Jul 17, 2012, at 8:22 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:

> hi mate
>
> 1.7 pings fine from hosts on 192 & from the ASA; further testing from
> packet tracer on ASA shows icmp, tcp & udp allowed from hosts on 192.x to 10.x,
> this passes with all boxes ticked.
>
> Looking at the ASDM syslog messages when I'm on a 192.x host trying to
> establish an ssh or http session to 10.x resources, the tcp session builds,
> then waits for SYN but tears down after timeout..
>
> ISP MODEM > ASA > NETGEAR wireless > DD-WRT wireless in client bridge
> repeater mode
>
> Above proved to be working ok without ASA; need to set up SSL VPN to
> resources, hence the reason for it.
>
> ASA setup is vlan2 outside dhcp address from ISP ok & inside ports 1-7 vlan1
> with different resources, port 1 is where wireless is connected with an
> assigned dhcp address of 1.7 from the ASA; this access point is using dhcp to
> assign hosts 10.x range (these hosts have access to Internet ok through the
> ASA)
>
> --
> BR
>
> Sent from my iPhone on 3
>
> On 17 Jul 2012, at 12:57, Ryan West <rwest_at_zyedge.com> wrote:
>
>> Can you ping .1.7? How many interfaces are you talking about on the ASA?
>>
>> Sent from handheld
>>
>> On Jul 17, 2012, at 6:34 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
>>
>>> hi carlos
>>>
>>> yes sorry, should have mentioned from asa - first time playing with
>>> these...
>>>
>>> from linux host (192.168.1.6)
>>>
>>> root_at_dm8000:~# ping 10.0.0.2
>>> PING 10.0.0.2 (10.0.0.2): 56 data bytes
>>>
>>> not getting anything back
>>>
>>> but ASA looks like it's passing the icmp on
>>>
>>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38400 len=56
>>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38656 len=56
>>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38912 len=56
>>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39168 len=56
>>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39424 len=56
>>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39680 len=56
>>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39936 len=56
>>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40192 len=56
>>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40448 len=56
>>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40704 len=56
>>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40960 len=56
>>>
>>> On 17 July 2012 10:56, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
>>>
>>>> Sorry, I thought you were trying to get from another host to the
>>>> wireless. Now I see that the ASA is not able to ping.
>>>> Can you ping a wireless host from another 192.168.1.1 host if you add a
>>>> route via .7 ? Sounds like a WLC ACL.
>>>>
>>>>
>>>> Tony Singh @ 17/07/2012 06:49 -0300 dixit:
>>>>
>>>>>
>>>>>
>>>>> hi carlos - thanks but see below...
>>>>>
>>>>> ciscoasa(config)# same-security-traffic permit inter-interface
>>>>> ciscoasa(config)# same-security-traffic permit intra-interface
>>>>> ciscoasa(config)# ping 10.0.0.1
>>>>> Type escape sequence to abort.
>>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
>>>>> ?????
>>>>> Success rate is 0 percent (0/5)
>>>>>
>>>>> ciscoasa(config)# debug icmp trace 15
>>>>> debug icmp trace enabled at level 15
>>>>> ciscoasa(config)# ping 10.0.0.1
>>>>> Type escape sequence to abort.
>>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
>>>>> ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
>>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
>>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
>>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
>>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
>>>>> ?
>>>>> Success rate is 0 percent (0/5)
>>>>>
>>>>> On 17 July 2012 10:36, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
>>>>>
>>>>> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
>>>>>
>>>>> same security traffic permit intra-interface
>>>>>
>>>>> -Carlos
>>>>>
>>>>> Tony Singh @ 17/07/2012 05:21 -0300 dixit:
>>>>>
>>>>> hi experts
>>>>>
>>>>> problem
>>>>> network behind wireless is 10.0.0.0/24
>>>>>
>>>>> unable to access from asa defined
>>>>> dhcp network 192.168.1.0/24
>>>>>
>>>>>
>>>>> topology
>>>>> wireless access point wan port --> ASA inside switchport vlan 1
>>>>>
>>>>> on asa set a static route to say 10.x is behind 192.168.1.7
>>>>> (which is the
>>>>> address of the wan port of the wireless access point, pings fine
>>>>> from asa
>>>>> and traffic from the 10.x range is able to get out to the
>>>>> internet fine)
>>>>>
>>>>> route inside 10.0.0.0 255.255.255.0 192.168.1.7
>>>>>
>>>>> S 10.0.0.0 255.255.255.0 [1/0] via 192.168.1.7, inside
>>>>>
>>>>> but ping fails
>>>>>
>>>>> ciscoasa(config)# ping 10.0.0.1
>>>>> Type escape sequence to abort.
>>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
>>>>> ?????
>>>>> Success rate is 0 percent (0/5)
>>>>>
>>>>> using the ASDM packet tracer facility it shows that it is trying
>>>>> to ping
>>>>> from inside to outside interface, it fails due to acl-rule
>>>>>
>>>>> but on asa not seeing it here..
>>>>>
>>>>> ciscoasa(config)# show access-list
>>>>> access-list cached ACL log flows: total 0, denied 0
>>>>> (deny-flow-max 4096)
>>>>> alert-interval 300
>>>>>
>>>>> problem is this is probably a private vlan scenario as I have a
>>>>> network within
>>>>> a network on my inside interface so the packet trace going from
>>>>> inside to
>>>>> outside is wrong
>>>>>
>>>>> any advice would be great
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>>> --
>>>>> Carlos G Mendioroz <tron_at_huapi.ba.ar>
>>>>> LW7 EQI Argentina
>>>>>
>>>>>
>>>>>
>>>>>
>>>> --
>>>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>>>
>>>

Received on Tue Jul 17 2012 - 20:19:47 ART

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART
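Ryan's point about stock dd-wrt NATing between the AP's WAN side (192.168.1.7 on the ASA's inside VLAN) and the 10.0.0.0/24 wireless LAN is what makes the ASA's echo requests in the debug output go unanswered. The model below is an added example written for this page, not code from the thread, from Cisco or from dd-wrt; it uses the addresses from the thread and assumes, as a simplification, that the ICMP echo identifier is the NAT session key.

```python
"""Constructed model of the thread's topology: a two-armed access point with
WAN 192.168.1.7 (ASA inside VLAN) and LAN 10.0.0.0/24 (wireless clients)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_IP = "192.168.1.7"                 # AP WAN port address from the thread
LAN_NET = ip_network("10.0.0.0/24")    # wireless clients behind the AP


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    ident: int            # ICMP echo identifier; assumed NAT session key here
    reply: bool = False


class AccessPoint:
    """Routes LAN<->WAN; with nat=True behaves like stock dd-wrt (NAT on WAN)."""

    def __init__(self, nat: bool):
        self.nat = nat
        self.table: dict[int, str] = {}   # ident seen on the WAN -> inside host

    def forward(self, pkt: Icmp) -> Optional[Icmp]:
        if not self.nat:
            return pkt                    # plain routing: both directions pass
        if ip_address(pkt.src) in LAN_NET:
            self.table[pkt.ident] = pkt.src           # LAN -> WAN opens a session
            return replace(pkt, src=WAN_IP)
        # WAN -> LAN: only replies to a session the LAN side opened get through
        if pkt.reply and pkt.dst == WAN_IP and pkt.ident in self.table:
            return replace(pkt, dst=self.table[pkt.ident])
        return None                       # unsolicited inbound is dropped silently


def scenario(nat: bool) -> dict[str, Optional[str]]:
    """Replay the two flows from the thread and report where each one ends up."""
    ap = AccessPoint(nat)
    out = ap.forward(Icmp("10.0.0.2", "8.8.8.8", 100))          # wireless -> Internet
    back = ap.forward(Icmp("8.8.8.8", out.src, 100, reply=True))  # Internet reply
    probe = ap.forward(Icmp("192.168.1.6", "10.0.0.2", 57673))  # ASA-side host -> wireless
    return {"internet_reply_to": back.dst if back else None,
            "probe_reaches": probe.dst if probe else None}
```

With NAT on, the Internet-bound flow works while the probe from 192.168.1.6 is dropped (the ASA sees requests leave and nothing return); with NAT off, or the AP attached through a LAN port as Ryan suggests, the probe is delivered.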