Some questions may seem a little dumb, so apologies in advance.
I'm pretty new to the ASA and am struggling a bit.
I'm trying to get a Slingbox working for remote viewing, and in the ASDM syslog
I can see the UDP and TCP messages go out of the ASA outside interface from the
inside source (192.168.1.237); not so long after, I see these communications
tear down.
I have set a NAT rule to allow any service from outside to connect to host
192.168.1.237/32, but it still does not work.
I also have a CCcam client which does similar, but relations teardown and
I'm unable to get this application working - (needs more understanding I
have various remote ports it tries to connect to)
*I would have thought the default behaviour would have been for any inside
address to communicate with outside & establish comms?*
I don't really want to put these devices into a DMZ.
Is it possible to have a scenario where I can use my home public IP address
for internet access from a remote location?
Thanks in advance.
On 17 July 2012 14:03, Ryan West <rwest_at_zyedge.com> wrote:
> Default behavior of dd-wrt would be NAT between the 192.168.1.0/24 network and
> 10.0.0.0/24 network. If you choose a port that's not wan on the ap and
> turn off dhcp, you should get .1 addresses and this would be a moot point.
> If you still want this setup, make sure you turn off NAT on the ap.
>
> Sent from handheld
>
> On Jul 17, 2012, at 8:22 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
>
> > hi mate
> >
> > 1.7 pings fine from hosts on 192 & from the ASA, further testing from
> > packet tracer on ASA shows icmp, tcp & udp allowed from hosts on 192.x to
> > 10.x this passes with all boxes ticked.
> >
> > Looking at the ASDM syslog messages when I'm on a 192.x host when trying
> > to establish an ssh or http session to 10.x resources, the tcp session
> > builds then waits for SYN but tears down after timeout..
> >
> > ISP MODEM > ASA > NETGEAR wireless > DD-WRT wireless in client bridge
> > repeater mode
> >
> > Above proved to be working ok without ASA, need to set up SSL VPN to
> > resources hence the reason for it.
> >
> > ASA setup is vlan2 outside dhcp address from ISP ok & inside ports 1-7
> > vlan1 with different resources, port 1 is where wireless is connected with
> > an assigned dhcp address of 1.7 from the ASA this access point is using
> > dhcp to assign hosts 10.x range (these hosts have access to Internet ok
> > through the ASA)
> >
> > --
> > BR
> >
> > Sent from my iPhone on 3
> >
> > On 17 Jul 2012, at 12:57, Ryan West <rwest_at_zyedge.com> wrote:
> >
> >> Can you ping .1.7? How many interfaces are you talking about on the ASA?
> >>
> >> Sent from handheld
> >>
> >> On Jul 17, 2012, at 6:34 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
> >>
> >>> hi carlos
> >>>
> >>> yes sorry should have mentioned from asa - first time playing with these...
> >>>
> >>> from linux host (192.168.1.6)
> >>>
> >>> root_at_dm8000:~# ping 10.0.0.2
> >>> PING 10.0.0.2 (10.0.0.2): 56 data bytes
> >>>
> >>> not getting anything back
> >>>
> >>> but ASA looks like it's passing the icmp on
> >>>
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38400 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38656 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38912 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39168 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39424 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39680 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39936 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40192 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40448 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40704 len=56
> >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40960 len=56
> >>>
> >>> On 17 July 2012 10:56, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> >>>
> >>>> Sorry, I thought you were trying to get from another host to the
> >>>> wireless. Now I see that the ASA is not able to ping.
> >>>> Can you ping a wireless host from another 192.168.1.1 host if you add a
> >>>> route via .7 ? Sounds like a WLC ACL.
> >>>>
> >>>>
> >>>> Tony Singh @ 17/07/2012 06:49 -0300 dixit:
> >>>>
> >>>>>
> >>>>>
> >>>>> hi carlos - thanks but see below...
> >>>>>
> >>>>> ciscoasa(config)# same-security-traffic permit inter-interface
> >>>>> ciscoasa(config)# same-security-traffic permit intra-interface
> >>>>> ciscoasa(config)# ping 10.0.0.1
> >>>>> Type escape sequence to abort.
> >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> >>>>> ?????
> >>>>> Success rate is 0 percent (0/5)
> >>>>>
> >>>>> ciscoasa(config)# debug icmp trace 15
> >>>>> debug icmp trace enabled at level 15
> >>>>> ciscoasa(config)# ping 10.0.0.1
> >>>>> Type escape sequence to abort.
> >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> >>>>> ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> >>>>> ?
> >>>>> Success rate is 0 percent (0/5)
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 17 July 2012 10:36, Carlos G Mendioroz <tron_at_huapi.ba.ar
> >>>>> <mailto:tron_at_huapi.ba.ar>> wrote:
> >>>>>
> >>>>> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
> >>>>> ?
> >>>>>
> >>>>> same security traffic permit intra-interface
> >>>>>
> >>>>> -Carlos
> >>>>>
> >>>>> Tony Singh @ 17/07/2012 05:21 -0300 dixit:
> >>>>>
> >>>>> hi experts
> >>>>>
> >>>>> problem
> >>>>> network behind wireless is 10.0.0.0/24
> >>>>>
> >>>>> unable to access from asa defined
> >>>>> dhcp network 192.168.1.0/24
> >>>>>
> >>>>>
> >>>>> topology
> >>>>> wireless access point wan port --> ASA inside switchport vlan 1
> >>>>>
> >>>>> on asa set a static route to say 10.x is behind 192.168.1.7
> >>>>> (which is the
> >>>>> address of the wan port of the wireless access point, pings fine
> >>>>> from asa
> >>>>> and traffic from the 10.x range is able to get out to the
> >>>>> internet fine)
> >>>>>
> >>>>> route inside 10.0.0.0 255.255.255.0 192.168.1.7
> >>>>>
> >>>>> S 10.0.0.0 255.255.255.0 [1/0] via 192.168.1.7, inside
> >>>>>
> >>>>> but ping fails
> >>>>>
> >>>>> ciscoasa(config)# ping 10.0.0.1
> >>>>> Type escape sequence to abort.
> >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> >>>>> ?????
> >>>>> Success rate is 0 percent (0/5)
> >>>>>
> >>>>> using the ASDM packet tracer facility it show that it is trying
> >>>>> to ping
> >>>>> from inside to outside interface, it fails due to acl-rule
> >>>>>
> >>>>> but on asa not seeing it here..
> >>>>>
> >>>>> ciscoasa(config)# show access-list
> >>>>> access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
> >>>>> alert-interval 300
> >>>>>
> >>>>> problem is this probably a private vlan scenario as I have a
> >>>>> network within
> >>>>> a network on my inside interface so the packet trace going from
> >>>>> inside to
> >>>>> outside is wrong
> >>>>>
> >>>>> any advice would be great
> >>>>>
> >>>>>
> >>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>
> >>>>> _______________________________________________________________________
> >>>>> Subscription information may be found at:
> >>>>> http://www.groupstudy.com/list/CCIELab.html
> >>>>>
> >>>>> --
> >>>>> Carlos G Mendioroz <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>>
> >>>>> LW7 EQI Argentina
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>> --
> >>>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
Received on Wed Jul 18 2012 - 23:54:13 ART
This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART
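
Added example, not part of the original thread: the ASA logs a teardown for every connection it closes, so the reason at the end of the teardown message is what separates a handshake that never completed (the "builds then ... tears down after timeout" symptom quoted above) from an ordinary close. The sketch triages constructed 302014/302016 syslog lines for host 192.168.1.237; the peer addresses, connection IDs and verdict labels are assumptions made for illustration.

```python
import re

# Constructed sample in ASA connection-log format (message IDs 302013-302016).
# Only 192.168.1.237 and 192.168.1.6 come from the thread; peers are placeholders.
SAMPLE = """\
%ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/5001 (203.0.113.10/5001) to inside:192.168.1.237/49152 (198.51.100.2/49152)
%ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.10/5001 to inside:192.168.1.237/49152 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 102 for outside:203.0.113.20/443 to inside:192.168.1.237/49153 duration 0:01:12 bytes 48211 TCP FINs
%ASA-6-302016: Teardown UDP connection 103 for outside:203.0.113.10/5001 to inside:192.168.1.237/5001 duration 0:02:01 bytes 96
%ASA-6-302014: Teardown TCP connection 104 for outside:203.0.113.30/80 to inside:192.168.1.6/40000 duration 0:00:30 bytes 0 SYN Timeout
"""

TEARDOWN = re.compile(
    r"%ASA-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<if1>[^:\s]+):(?P<ip1>[^/\s]+)/(?P<p1>\d+) "
    r"to (?P<if2>[^:\s]+):(?P<ip2>[^/\s]+)/(?P<p2>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

def verdict(proto, reason):
    """Map a teardown reason to a coarse label (labels are this example's own)."""
    if proto == "UDP":
        return "udp-idle-expiry"            # UDP entries simply age out
    if reason == "SYN Timeout":
        return "handshake-never-completed"  # no SYN-ACK came back through the ASA
    if reason == "TCP FINs":
        return "normal-close"
    if reason and reason.startswith("TCP Reset"):
        return "reset-by-endpoint"
    return "other"

def triage(log_text, host):
    """Return (conn_id, proto, peer, bytes, verdict) for teardowns involving host."""
    rows = []
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if not m:
            continue  # "Built" lines and unrelated messages are skipped
        a, b = (m["ip1"], m["p1"]), (m["ip2"], m["p2"])
        if host == a[0]:
            peer = b
        elif host == b[0]:
            peer = a
        else:
            continue  # teardown belongs to a different inside host
        rows.append((int(m["id"]), m["proto"], "/".join(peer),
                     int(m["bytes"]), verdict(m["proto"], m["reason"])))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE, "192.168.1.237"):
        print(row)
```

Only rows labelled handshake-never-completed point at a return-path, routing or NAT problem; the other teardowns are routine connection cleanup.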