Re: ASA 5505 network behind an access point

From: Tony Singh <mothafungla_at_gmail.com>
Date: Thu, 19 Jul 2012 04:22:54 +0100

Ryan / Brian,

Great advice. Will muck around some more, methinks.

With regards to getting non-standard applications working via the ASA, from
what I understand you're saying is that I need to know what reply ports these
apps want to talk to me on and create an ACL from outside to in?

I did create an ACL to permit any service to host 192.168.1.237, and then
again with ip, tcp & udp. Not sure if the packet tracer feature will allow
me to test from an outside interface to inside.

On 19 July 2012 04:14, Ryan Lindfield <ryan_at_westchasetech.com> wrote:

> And the "FM" to go along with it :)
>
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080972e4f.shtml
>
> ----- Original Message -----
> From: Brian McGahan [mailto:bmcgahan_at_ine.com]
> To: Tony Singh [mailto:mothafungla_at_gmail.com], Cisco certification
> [mailto:ccielab_at_groupstudy.com]
> Sent: Wed, 18 Jul 2012 23:10:20 -0400
> Subject: RE: ASA 5505 network behind an access point
>
>
> > > is it possible to have a scenario where I can use my home public ip
> > > address for internet access from a remote location
> >
> > Yes. If you configure an SSL VPN or IPsec VPN remote access tunnel to the
> > ASA, and if your group-policy says that the split-tunnel-policy is to
> > tunnel-all (which is the default to begin with), then all traffic will first
> > go from your machine to the ASA, then the ASA will re-NAT it back out to the
> > Internet. This is basically what the "anonymizer" type services do on the
> > Internet, where you configure a VPN tunnel to them over SSL, and then they
> > re-NAT your traffic back out to the Internet. The final result is that if
> > you browse to a site like whatismyip.com it'll show their IP address, not
> > yours.
> >
> > Brian McGahan, CCIE #8593 (R&S/SP/Security)
> > bmcgahan_at_INE.com
> >
> > Internetwork Expert, Inc.
> > http://www.INE.com
> >
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Tony Singh
> > Sent: Wednesday, July 18, 2012 5:54 PM
> > To: Carlos G Mendioroz; Cisco certification
> > Subject: Re: ASA 5505 network behind an access point
> >
> > Some questions may seem a little dumb, so I apologise in advance.
> >
> > I'm pretty new to the ASA and am struggling a bit.
> >
> > Trying to get a Slingbox working for remote viewing, and in the ASDM syslog
> > I can see the UDP, TCP messages go out of the ASA outside interface from the
> > inside source (192.168.1.237); not so long after I see these communications
> > teardown.
> >
> > I have set a NAT rule to allow any service from outside to connect to host
> > 192.168.1.237/32 but still it does not work.
> >
> > I also have a CCcam client which does similar, but relations teardown and
> > I'm unable to get this application working (needs more understanding; I
> > have various remote ports it tries to connect to).
> >
> > *I would have thought the default behaviour would have been for any inside
> > address to communicate with outside & establish comms?*
> >
> > I don't really want to put these devices into a DMZ.
> >
> > Is it possible to have a scenario where I can use my home public IP address
> > for internet access from a remote location?
> >
> > Thanks in advance.
> >
> >
> > On 17 July 2012 14:03, Ryan West <rwest_at_zyedge.com> wrote:
> >
> > > Default behavior of dd-wrt would be NAT between the 192.168.1.0/24 network
> > > and 10.0.0.0/24 network. If you choose a port that's not WAN on the AP and
> > > turn off DHCP, you should get .1 addresses and this would be a moot point.
> > > If you still want this setup, make sure you turn off NAT on the AP.
> > >
> > > Sent from handheld
> > >
> > > On Jul 17, 2012, at 8:22 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
> > >
> > > > Hi mate,
> > > >
> > > > 1.7 pings fine from hosts on 192 & from the ASA; further testing from
> > > > packet tracer on ASA shows ICMP, TCP & UDP allowed from hosts on 192.x to
> > > > 10.x. This passes with all boxes ticked.
> > > >
> > > > Looking at the ASDM syslog messages when I'm on a 192.x host when trying
> > > > to establish an SSH or HTTP session to 10.x resources, the TCP session
> > > > builds then waits for SYN but tears down after timeout.
> > > >
> > > > ISP MODEM > ASA > NETGEAR wireless > DD-WRT wireless in client bridge
> > > > repeater mode
> > > >
> > > > Above proved to be working OK without ASA; need to set up SSL VPN to
> > > > resources, hence the reason for it.
> > > >
> > > > ASA setup is vlan2 outside DHCP address from ISP OK & inside ports 1-7
> > > > vlan1 with different resources. Port 1 is where wireless is connected,
> > > > with an assigned DHCP address of 1.7 from the ASA. This access point is
> > > > using DHCP to assign hosts the 10.x range (these hosts have access to the
> > > > Internet OK through the ASA).
> > > >
> > > > --
> > > > BR
> > > >
> > > > Sent from my iPhone on 3
> > > >
> > > > On 17 Jul 2012, at 12:57, Ryan West <rwest_at_zyedge.com> wrote:
> > > >
> > > >> Can you ping .1.7? How many interfaces are you talking about on the
> > > >> ASA?
> > > >>
> > > >> Sent from handheld
> > > >>
> > > >> On Jul 17, 2012, at 6:34 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
> > > >>
> > > >>> Hi Carlos,
> > > >>>
> > > >>> Yes, sorry, should have mentioned from the ASA. First time playing with
> > > >>> these...
> > > >>>
> > > >>> From Linux host (192.168.1.6):
> > > >>>
> > > >>> root_at_dm8000:~# ping 10.0.0.2
> > > >>> PING 10.0.0.2 (10.0.0.2): 56 data bytes
> > > >>>
> > > >>> Not getting anything back,
> > > >>>
> > > >>> but ASA looks like it's passing the ICMP on:
> > > >>>
> > > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38400 len=56
> > > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38656 len=56
> > > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38912 len=56
> > > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39168 len=56
> > > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39424 len=56
> > > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39680 len=56
> > > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39936 len=56
> > > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40192 len=56
> > > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40448 len=56
> > > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40704 len=56
> > > >>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40960 len=56
> > > >>>
> > > >>> On 17 July 2012 10:56, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> > > >>>
> > > >>>> Sorry, I thought you were trying to get from another host to the
> > > >>>> wireless. Now I see that the ASA is not able to ping.
> > > >>>> Can you ping a wireless host from another 192.168.1.1 host if you add a
> > > >>>> route via .7? Sounds like a WLC ACL.
> > > >>>>
> > > >>>>
> > > >>>> Tony Singh @ 17/07/2012 06:49 -0300 dixit:
> > > >>>>
> > > >>>>>
> > > >>>>>
> > > >>>>> Hi Carlos, thanks, but see below...
> > > >>>>>
> > > >>>>> ciscoasa(config)# same-security-traffic permit inter-interface
> > > >>>>> ciscoasa(config)# same-security-traffic permit intra-interface
> > > >>>>> ciscoasa(config)# ping 10.0.0.1
> > > >>>>> Type escape sequence to abort.
> > > >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> > > >>>>> ?????
> > > >>>>> Success rate is 0 percent (0/5)
> > > >>>>>
> > > >>>>> ciscoasa(config)# debug icmp trace 15
> > > >>>>> debug icmp trace enabled at level 15
> > > >>>>> ciscoasa(config)# ping 10.0.0.1
> > > >>>>> Type escape sequence to abort.
> > > >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> > > >>>>> ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> > > >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> > > >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> > > >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> > > >>>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
> > > >>>>> ?
> > > >>>>> Success rate is 0 percent (0/5)
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>> On 17 July 2012 10:36, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> > > >>>>>
> > > >>>>> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
> > > >>>>>
> > > >>>>> same-security-traffic permit intra-interface
> > > >>>>>
> > > >>>>> -Carlos
> > > >>>>>
> > > >>>>> Tony Singh @ 17/07/2012 05:21 -0300 dixit:
> > > >>>>>
> > > >>>>> Hi experts,
> > > >>>>>
> > > >>>>> Problem:
> > > >>>>> network behind wireless is 10.0.0.0/24
> > > >>>>>
> > > >>>>> unable to access from ASA-defined DHCP network 192.168.1.0/24
> > > >>>>>
> > > >>>>> Topology:
> > > >>>>> wireless access point WAN port --> ASA inside switchport vlan 1
> > > >>>>>
> > > >>>>> On ASA set a static route to say 10.x is behind 192.168.1.7 (which is
> > > >>>>> the address of the WAN port of the wireless access point; pings fine
> > > >>>>> from ASA and traffic from the 10.x range is able to get out to the
> > > >>>>> internet fine)
> > > >>>>>
> > > >>>>> route inside 10.0.0.0 255.255.255.0 192.168.1.7
> > > >>>>>
> > > >>>>> S    10.0.0.0 255.255.255.0 [1/0] via 192.168.1.7, inside
> > > >>>>>
> > > >>>>> but ping fails:
> > > >>>>>
> > > >>>>> ciscoasa(config)# ping 10.0.0.1
> > > >>>>> Type escape sequence to abort.
> > > >>>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> > > >>>>> ?????
> > > >>>>> Success rate is 0 percent (0/5)
> > > >>>>>
> > > >>>>> Using the ASDM packet tracer facility, it shows that it is trying to
> > > >>>>> ping from inside to outside interface; it fails due to acl-rule.
> > > >>>>>
> > > >>>>> But on ASA not seeing it here..
> > > >>>>>
> > > >>>>> ciscoasa(config)# show access-list
> > > >>>>> access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
> > > >>>>>             alert-interval 300
> > > >>>>>
> > > >>>>> Problem is this is probably a private VLAN scenario, as I have a
> > > >>>>> network within a network on my inside interface, so the packet trace
> > > >>>>> going from inside to outside is wrong.
> > > >>>>>
> > > >>>>> Any advice would be great.
> > > >>>>>
> > > >>>>>
> > > >>>>> Blogs and organic groups at http://www.ccie.net
> > > >>>>>
> > > >>>>> _______________________________________________________________________
> > > >>>>> Subscription information may be found at:
> > > >>>>> http://www.groupstudy.com/list/CCIELab.html
> > > >>>>>
> > > >>>>> --
> > > >>>>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
> > > >>>>>
> > > >>>> --
> > > >>>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Received on Thu Jul 19 2012 - 04:22:54 ART
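The ASA pieces this thread circles around (the intra-interface permit, the static route toward the access point, a port-forward for the Slingbox host that is narrower than "any service", a tunnel-all remote-access VPN that re-NATs clients out of the home address, and a packet-tracer check from the outside) pulled together as an added example. This is not configuration posted in the thread or taken from Cisco's documentation. It assumes ASA 8.3-or-later NAT syntax and the interface names and addresses Tony gave; the forwarded port 5001, the VPN pool 192.168.50.0/24, the public address 203.0.113.5 and the remote tester 198.51.100.10 are placeholders, and the webvpn/AnyConnect enablement and user authentication for the tunnel are left out.

```cisco
! Added example, not configuration from the thread. Assumes ASA 8.3+ NAT
! syntax, interfaces named inside/outside, the inside subnet 192.168.1.0/24
! and the access point's WAN address 192.168.1.7 as described in the thread.
! Port 5001, the pool 192.168.50.0/24, 203.0.113.5 and 198.51.100.10 are
! placeholders, not values from the thread.

! 1. Allow traffic to enter and leave the same interface: inside -> inside
!    hairpin toward 10.0.0.0/24 behind the AP, and later outside -> outside
!    for VPN clients. Without this the ASA drops the U-turn.
same-security-traffic permit intra-interface

! 2. Reach the network behind the access point via its WAN address.
!    Only meaningful if NAT is disabled on the AP (Ryan West's point);
!    a NATing AP drops unsolicited packets arriving on its WAN side.
route inside 10.0.0.0 255.255.255.0 192.168.1.7 1

! 3. Inbound access for the Slingbox host.
!    Too broad (what the thread describes): every protocol, every port:
!      access-list OUTSIDE_IN extended permit ip any host 192.168.1.237
!    Narrowed: translate and permit only the listening port the application
!    documents (5001/tcp is a placeholder; use the vendor's port list).
object network SLINGBOX
 host 192.168.1.237
 nat (inside,outside) static interface service tcp 5001 5001
!
! 8.3+ ACLs reference the real (untranslated) address, hence the object.
access-list OUTSIDE_IN extended permit tcp any object SLINGBOX eq 5001
access-group OUTSIDE_IN in interface outside

! 4. Remote-access VPN that tunnels everything and re-NATs it out of the
!    home public address (tunnelall, as Brian McGahan describes).
ip local pool VPN_POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0
group-policy REMOTE_GP internal
group-policy REMOTE_GP attributes
 split-tunnel-policy tunnelall
tunnel-group REMOTE_RA type remote-access
tunnel-group REMOTE_RA general-attributes
 address-pool VPN_POOL
 default-group-policy REMOTE_GP
! VPN clients arrive on outside and are NATed back out of outside
! (this is the second reason step 1 is required).
object network VPN_POOL_NET
 subnet 192.168.50.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 5. Verify from exec mode instead of guessing: simulate a SYN from the
!    Internet to the forwarded port. This is how packet-tracer tests
!    outside -> inside; the destination is the outside (mapped) address.
!    packet-tracer input outside tcp 198.51.100.10 40000 203.0.113.5 5001 detailed
!    The final phase should read "Action: allow"; a drop names the phase
!    (ACCESS-LIST, NAT, ROUTE-LOOKUP) that rejected the packet.
```

After applying this, `show nat` confirms the translations are in place and `show conn` shows whether a session actually built once the remote side connects; a connection that builds and tears down with no bytes transferred, as the thread reports, points at the far end or the return path (the AP's NAT) rather than the ASA's rule set.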

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART