RE: ASA 5505 network behind an access point

From: Ryan Lindfield <ryan_at_westchasetech.com>
Date: Wed, 18 Jul 2012 23:14:17 -0400

And the "FM" to go along with it :)

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml

----- Original Message -----
From: Brian McGahan [mailto:bmcgahan_at_ine.com]
To: Tony Singh [mailto:mothafungla_at_gmail.com], Cisco certification [mailto:ccielab_at_groupstudy.com]
Sent: Wed, 18 Jul 2012 23:10:20 -0400
Subject: RE: ASA 5505 network behind an access point

> > is it possible to have a scenario where I can use my home public IP address for internet access from a remote location
>
> Yes. If you configure an SSL VPN or IPsec VPN remote access tunnel to the
> ASA, and if your group-policy says that the split-tunnel-policy is to
> tunnel-all (which is the default to begin with), then all traffic will first
> go from your machine to the ASA, then the ASA will re-NAT it back out to the
> Internet. This is basically what the "anonymizer" type services do on the
> Internet, where you configure a VPN tunnel to them over SSL, and then they
> re-NAT your traffic back out to the Internet. The final result is that if
> you browse to a site like whatismyip.com it'll show their IP address, not
> yours.
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Tony
> Singh
> Sent: Wednesday, July 18, 2012 5:54 PM
> To: Carlos G Mendioroz; Cisco certification
> Subject: Re: ASA 5505 network behind an access point
>
> Some questions may seem a little dumb, so apologies in advance.
>
> I'm pretty new to the ASA and am struggling a bit.
>
> Trying to get a Slingbox working for remote viewing. In the ASDM syslog
> I can see the UDP and TCP messages go out of the ASA outside interface from the
> inside source (192.168.1.237); not long after, I see these connections
> torn down.
>
> I have set a NAT rule to allow any service from outside to connect to host
> 192.168.1.237/32, but still it does not work.
>
> I also have a CCcam client which does something similar, but the connections tear
> down and I'm unable to get this application working (needs more understanding; I
> have various remote ports it tries to connect to).
>
> *I would have thought the default behaviour would have been for any inside
> address to communicate with outside & establish comms?*
>
> I don't really want to put these devices into a DMZ.
>
> Is it possible to have a scenario where I can use my home public IP address
> for internet access from a remote location?
>
> thanks in advance.
>
>
> On 17 July 2012 14:03, Ryan West <rwest_at_zyedge.com> wrote:
>
> > Default behavior of dd-wrt would be NAT between the 192.168.1.0/24 network
> > and the 10.0.0.0/24 network. If you choose a port that's not WAN on the AP and
> > turn off DHCP, you should get .1 addresses and this would be a moot point.
> > If you still want this setup, make sure you turn off NAT on the AP.
> >
> > Sent from handheld
> >
> > On Jul 17, 2012, at 8:22 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
> >
> > > hi mate
> > >
> > > 1.7 pings fine from hosts on 192 and from the ASA; further testing from
> > > packet tracer on the ASA shows ICMP, TCP and UDP allowed from hosts on 192.x to
> > > 10.x; this passes with all boxes ticked.
> > >
> > > Looking at the ASDM syslog messages when I'm on a 192.x host trying
> > > to establish an SSH or HTTP session to 10.x resources, the TCP session
> > > builds, then waits for SYN but tears down after timeout.
> > >
> > > ISP MODEM > ASA > NETGEAR wireless > DD-WRT wireless in client bridge
> > > repeater mode
> > >
> > > The above proved to be working OK without the ASA; I need to set up SSL VPN to
> > > resources, hence the reason for it.
> > >
> > > ASA setup is VLAN 2 outside with a DHCP address from the ISP (OK) and inside ports 1-7
> > > in VLAN 1 with different resources. Port 1 is where the wireless is connected, with
> > > an assigned DHCP address of 1.7 from the ASA; this access point is using
> > > DHCP to assign hosts in the 10.x range (these hosts have access to the Internet OK
> > > through the ASA).
> > >
> > > --
> > > BR
> > >
> > > Sent from my iPhone on 3
> > >
> > > On 17 Jul 2012, at 12:57, Ryan West <rwest_at_zyedge.com> wrote:
> > >
> > >> Can you ping .1.7? How many interfaces are you talking about on the ASA?
> > >>
> > >> Sent from handheld
> > >>
> > >> On Jul 17, 2012, at 6:34 AM, "Tony Singh" <mothafungla_at_gmail.com>
> > wrote:
> > >>
> > >>> hi carlos
> > >>>
> > >>> Yes, sorry, should have mentioned: from the ASA. First time playing with these...
> > >>>
> > >>> from linux host (192.168.1.6)
> > >>>
> > >>> root_at_dm8000:~# ping 10.0.0.2
> > >>> PING 10.0.0.2 (10.0.0.2): 56 data bytes
> > >>>
> > >>> not getting anything back
> > >>>
> > >>> but ASA looks like it's passing the icmp on
> > >>>
> > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38400 len=56
> > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38656 len=56
> > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38912 len=56
> > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39168 len=56
> > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39424 len=56
> > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39680 len=56
> > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39936 len=56
> > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40192 len=56
> > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40448 len=56
> > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40704 len=56
> > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40960 len=56
> > >>>
> > >>> On 17 July 2012 10:56, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> > >>>
> > >>>> Sorry, I thought you were trying to get from another host to the
> > >>>> wireless. Now I see that the ASA is not able to ping.
> > >>>> Can you ping a wireless host from another 192.168.1.1 host if you add a
> > >>>> route via .7? Sounds like a WLC ACL.
> > >>>>
> > >>>> Tony Singh @ 17/07/2012 06:49 -0300 dixit:
> > >>>>>
> > >>>>> Hi Carlos, thanks, but see below...
> > >>>>>
> > >>>>> ciscoasa(config)# same-security-traffic permit inter-interface
> > >>>>> ciscoasa(config)# same-security-traffic permit intra-interface
> > >>>>> ciscoasa(config)# ping 10.0.0.1
> > >>>>> Type escape sequence to abort.
> > >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> > >>>>> ?????
> > >>>>> Success rate is 0 percent (0/5)
> > >>>>>
> > >>>>> ciscoasa(config)# debug icmp trace 15
> > >>>>> debug icmp trace enabled at level 15
> > >>>>> ciscoasa(config)# ping 10.0.0.1
> > >>>>> Type escape sequence to abort.
> > >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> > >>>>> ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> > >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> > >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> > >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> > >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> > >>>>> ?
> > >>>>> Success rate is 0 percent (0/5)
> > >>>>>
> > >>>>> On 17 July 2012 10:36, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> > >>>>>
> > >>>>> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
> > >>>>>
> > >>>>> same security traffic permit intra-interface
> > >>>>>
> > >>>>> -Carlos
> > >>>>>
> > >>>>> Tony Singh @ 17/07/2012 05:21 -0300 dixit:
> > >>>>>
> > >>>>> Hi experts,
> > >>>>>
> > >>>>> Problem:
> > >>>>> network behind wireless is 10.0.0.0/24
> > >>>>>
> > >>>>> unable to access from the ASA-defined
> > >>>>> DHCP network 192.168.1.0/24
> > >>>>>
> > >>>>> Topology:
> > >>>>> wireless access point WAN port --> ASA inside switchport VLAN 1
> > >>>>>
> > >>>>> On the ASA I set a static route to say 10.x is behind 192.168.1.7
> > >>>>> (which is the address of the WAN port of the wireless access point; it pings
> > >>>>> fine from the ASA, and traffic from the 10.x range is able to get out to the
> > >>>>> Internet fine):
> > >>>>>
> > >>>>> route inside 10.0.0.0 255.255.255.0 192.168.1.7
> > >>>>>
> > >>>>> S 10.0.0.0 255.255.255.0 [1/0] via 192.168.1.7, inside
> > >>>>>
> > >>>>> But ping fails:
> > >>>>>
> > >>>>> ciscoasa(config)# ping 10.0.0.1
> > >>>>> Type escape sequence to abort.
> > >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> > >>>>> ?????
> > >>>>> Success rate is 0 percent (0/5)
> > >>>>>
> > >>>>> Using the ASDM packet tracer facility, it shows that it is trying to ping
> > >>>>> from the inside to the outside interface; it fails due to an ACL rule,
> > >>>>>
> > >>>>> but on the ASA I'm not seeing it here:
> > >>>>>
> > >>>>> ciscoasa(config)# show access-list
> > >>>>> access-list cached ACL log flows: total 0, denied 0
> > >>>>> (deny-flow-max 4096)
> > >>>>> alert-interval 300
> > >>>>>
> > >>>>> The problem is, this is probably a private VLAN scenario, as I have a network
> > >>>>> within a network on my inside interface, so the packet trace going from inside to
> > >>>>> outside is wrong.
> > >>>>>
> > >>>>> Any advice would be great.
> > >>>>>
> > >>>>>
> > >>>>> Blogs and organic groups at http://www.ccie.net
> > >>>>>
> > >>>>> _______________________________________________________________________
> > >>>>> Subscription information may be found at:
> > >>>>> http://www.groupstudy.com/list/CCIELab.html
> > >>>>>
> > >>>>> --
> > >>>>> Carlos G Mendioroz <tron_at_huapi.ba.ar>
> > >>>>> LW7 EQI Argentina
> > >>>>>
> > >>>> --
> > >>>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
> > >>>
> > >>>
>

Blogs and organic groups at http://www.ccie.net
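A worked configuration for the two things this thread turns on: the inside-to-inside path to the 10.0.0.0/24 network behind the access point (Tony's static route plus Carlos's intra-interface permit), and the tunnel-all remote-access VPN that Brian describes, where the ASA re-NATs client traffic back out to the Internet so a remote user appears with the home public IP. This is an added example, not configuration from the thread or from the Cisco documents linked above. It assumes ASA 8.4+ (twice-NAT and object-NAT syntax, `anyconnect` rather than `svc` keywords); the pool, object, group-policy and tunnel-group names and the 172.16.100.0/24 client range are made up for illustration. Only 192.168.1.7 and 10.0.0.0/24 come from the thread.

```cisco
! Added example configuration (ASA 8.4+ syntax assumed). Object, pool and
! group names and the 172.16.100.0/24 client range are illustrative only;
! 192.168.1.7 and 10.0.0.0/24 are the values from the thread.

! A packet that enters and leaves the same interface is dropped unless this
! is set. It is needed twice here: for inside hosts reaching 10.0.0.0/24
! via the AP (inside -> inside) and for tunnel-all VPN clients whose
! Internet-bound traffic arrives on outside and is sent back out of outside.
same-security-traffic permit intra-interface

! The wireless network sits behind the AP's WAN address on the inside VLAN.
route inside 10.0.0.0 255.255.255.0 192.168.1.7 1

! Addresses handed to remote-access (AnyConnect SSL) clients.
ip local pool VPN-POOL 172.16.100.1-172.16.100.50 mask 255.255.255.0

object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network WIFI-NET
 subnet 10.0.0.0 255.255.255.0
object network VPN-POOL-NET
 subnet 172.16.100.0 255.255.255.0

! Identity (exemption) NAT so VPN clients reach inside hosts with their real
! addresses. These twice-NAT rules are evaluated before the object NAT below.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup
nat (inside,outside) source static WIFI-NET WIFI-NET destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup

! Ordinary PAT for the LAN, and for the 10.x network once NAT is turned
! off on the AP (Ryan West's suggestion) so the ASA sees real 10.x sources.
object network INSIDE-NET
 nat (inside,outside) dynamic interface
object network WIFI-NET
 nat (inside,outside) dynamic interface

! Hairpin PAT: a client packet that came in through the tunnel on outside
! and is bound for the Internet leaves outside again, sourced from the
! public IP. This is the "re-NAT back out" step Brian describes.
object network VPN-POOL-NET
 nat (outside,outside) dynamic interface

! tunnelall is the default; it is stated explicitly so the intent is visible.
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool VPN-POOL
 default-group-policy RA-GP
tunnel-group RA-TG webvpn-attributes
 group-alias home enable

! Requires an AnyConnect client package loaded with "anyconnect image" first.
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

To check the hairpin rather than trust it, `show nat` should list the `(outside,outside)` rule with a growing translate_hits counter once a connected client browses, and `packet-tracer input outside tcp 172.16.100.5 40000 203.0.113.10 80` (a made-up client address and a documentation-range destination) walks a client packet through the NAT phase so you can confirm it exits outside with the interface address. Two caveats a practitioner would want: with this rule every remote user's traffic appears on the Internet as your home address, so the tunnel-group must sit behind real authentication (local users or AAA, not shown here); and for the inside-to-inside case, if the AP's LAN side can reach 192.168.1.x hosts directly on the same segment, replies from 10.x hosts may bypass the ASA entirely, leaving the ASA with a half-open connection that it tears down on timeout, which is why a host-side route via .7 (as Carlos suggested) can behave differently from the route on the ASA.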
Received on Wed Jul 18 2012 - 23:14:17 ART

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART