cisco 5510-guest interface can't reach the net
14 years 1 month ago #35576
by CORHIO
I have an ASA 5510 with a physical interface (CGN_GUEST_WLAN) for an internal VLAN. The 5510 is performing DHCP duties for this interface. My client machines get an IP, the correct gateway and DNS server, but cannot get out to the web. I'm guessing it's a NAT rule, but I can't figure out where the issue is. It's a simple setup; any other advice is welcome.
Here is the ASA config:
! ASA 5510 running configuration, ASA 8.2(3) (pre-8.3 NAT syntax).
! Public addresses and the enable/login secrets were redacted as x / xxx by the poster.
ASA Version 8.2(3)
!
hostname CORHIOASA
domain-name xxx.local
! enable/passwd secrets are masked here; the local "username" line later in the
! listing is not.
enable password xxx encrypted
passwd xxx encrypted
names
! DNS Guard: the first DNS reply closes the matching query connection.
dns-guard
!
! Two ISP uplinks, both at security-level 0. Ethernet0/2-0/3 and
! GigabitEthernet1/2-1/3 are unused and administratively shut.
interface Ethernet0/0
nameif COMCAST-OUTSIDE
security-level 0
ip address x.x.x.249 255.255.255.248
!
interface Ethernet0/1
nameif TELESPHERE-OUTSIDE
security-level 0
ip address x.x.x.42 255.255.255.248
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
! Out-of-band management network; management-only means no transit traffic.
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface GigabitEthernet1/0
nameif INSIDE
security-level 100
ip address 192.168.254.1 255.255.255.0
!
! Guest WLAN at security-level 100, the same level as INSIDE. No
! "same-security-traffic permit inter-interface" line appears in this listing,
! so INSIDE<->guest traffic through the ASA should be dropped by default --
! confirm that this is the intended guest isolation rather than an accident.
interface GigabitEthernet1/1
nameif CGN_GUEST_WLAN
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name corhio.local
! NAT exemption for INSIDE. NOTE(review): the /25 mask covers 192.168.254.0-.127,
! which does not contain the VPN pool 192.168.254.134-.174 defined below; check
! whether the intended destination was the pool range.
access-list INSIDE_nat0_outbound extended permit ip any 192.168.254.0 255.255.255.128
! Bound to COMCAST-OUTSIDE by "nat (COMCAST-OUTSIDE) 0" below. NOTE(review): the
! second entry names the CGN_GUEST_WLAN interface address as a source but is
! applied on the outside interface, so it gives the guest subnet no translation.
access-list COMCAST-OUTSIDE_nat0_outbound extended permit ip x.x.x.248 255.255.255.248 any
access-list COMCAST-OUTSIDE_nat0_outbound extended permit ip interface CGN_GUEST_WLAN any
pager lines 24
! NOTE(review): logging goes only to the ASDM viewer at informational level; no
! "logging host", "logging buffered" or "logging trap" line appears in this
! listing, so there is no persistent or off-box audit trail.
logging enable
logging asdm informational
mtu COMCAST-OUTSIDE 1500
mtu TELESPHERE-OUTSIDE 1500
mtu management 1500
mtu INSIDE 1500
mtu CGN_GUEST_WLAN 1500
! VPN client addresses are carved from the INSIDE /24 (.134-.174), disjoint
! from the INSIDE DHCP scope (.175-.253) defined later.
ip local pool VPN-IP-POOL 192.168.254.134-192.168.254.174 mask 255.255.255.0
! Unicast RPF anti-spoofing on both ISP-facing interfaces.
ip verify reverse-path interface COMCAST-OUTSIDE
ip verify reverse-path interface TELESPHERE-OUTSIDE
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
! Dynamic PAT: each outside interface's own address is its global pool.
global (COMCAST-OUTSIDE) 101 interface
global (TELESPHERE-OUTSIDE) 102 interface
nat (COMCAST-OUTSIDE) 0 access-list COMCAST-OUTSIDE_nat0_outbound
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
! NOTE(review): only INSIDE is mapped to global 101. No "nat (CGN_GUEST_WLAN) ..."
! statement appears anywhere in this listing, so 10.0.0.0/24 has no translation
! toward either ISP -- consistent with the symptom in the post (guest clients get
! leases but cannot reach the Internet). Nothing maps to global 102 either, so
! the TELESPHERE uplink is not used for PAT.
nat (INSIDE) 101 0.0.0.0 0.0.0.0
! Primary default route via Comcast, withdrawn when SLA track 100 fails;
! Telesphere is the floating backup (administrative distance 254).
route COMCAST-OUTSIDE 0.0.0.0 0.0.0.0 x.x.x.254 1 track 100
route TELESPHERE-OUTSIDE 0.0.0.0 0.0.0.0 x.x.x.41 254
! Connection/xlate timeouts (stock 8.2 values).
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
! AAA against a Windows NT-domain controller (legacy NTLM-style scheme). No
! tunnel-group in this listing references it, so what it authenticates cannot be
! seen here.
aaa-server 192.168.254.5 protocol nt
aaa-server 192.168.254.5 (INSIDE) host 192.168.254.5
nt-auth-domain-controller corhio-file
! ASDM/HTTPS management reachable only from the INSIDE and management subnets.
http server enable
http 192.168.254.0 255.255.255.0 INSIDE
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
! Traps are enabled but no "snmp-server host" or community line appears, so they
! have no receiver.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! SLA probe 123: ICMP echo to the Comcast gateway every 5 s; consumed by
! "track 100" to withdraw the primary default route on failure.
sla monitor 123
type echo protocol ipIcmpEcho x.x.x.254 interface COMCAST-OUTSIDE
num-packets 3
frequency 5
sla monitor schedule 123 life forever start-time now
! IPsec transform sets. NOTE(review): single-DES and MD5-HMAC variants are still
! defined, and the dynamic map below offers all ten to any peer. DES, MD5 and
! DH group 2 are no longer considered adequate; restricting the dynamic map to
! the AES/SHA sets would be a low-risk tightening.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Dynamic (any-peer) crypto map, PFS enabled, applied to the Comcast uplink only.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map COMCAST-OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map COMCAST-OUTSIDE_map interface COMCAST-OUTSIDE
! Self-signed identity certificate; it also fronts SSL VPN/ASDM on
! COMCAST-OUTSIDE via "ssl trust-point" below, so clients cannot validate it
! against a public CA. NOTE(review): the DER appears to carry OID
! 1.2.840.113549.1.1.4 (md5WithRSAEncryption) and a 1024-bit modulus
! (02 81 81 00 ...) -- weak by current standards; verify with
! "show crypto ca certificates".
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn CORHIOASA
subject-name CN=CORHIOASA
no client-types
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
30820235 3082019e a0030201 02020131 300d0609 2a864886 f70d0101 04050030
2e311230 10060355 04031309 434f5248 494f4153 41311830 1606092a 864886f7
0d010902 1609434f 5248494f 41534130 1e170d31 30303930 39323135 3831345a
170d3230 30393036 32313538 31345a30 2e311230 10060355 04031309 434f5248
494f4153 41311830 1606092a 864886f7 0d010902 1609434f 5248494f 41534130
819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 b8dac036
2e72f43e fc9ba6ef c5cea867 760a66be cc3c7f9b f5330541 ba0a0475 db909a22
8f1b5e94 d30693c2 dd545cdf 43511cfe beb4553d 0b328de6 57b9556a 82fd26e5
66cc9f61 f36e24c1 117a887d 40cae366 f2d4ed83 d248f46a 13133a78 928028cd
a05988b5 35e92a99 a5e3d97f 5d83f3ff 55b31f00 30fc01f0 96f98393 02030100
01a36330 61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d 0f0101ff
04040302 0186301f 0603551d 23041830 168014d2 431ef6bd f2c1e8a6 d4f1d538
ac999cf5 a25dda30 1d060355 1d0e0416 0414d243 1ef6bdf2 c1e8a6d4 f1d538ac
999cf5a2 5dda300d 06092a86 4886f70d 01010405 00038181 003d6d1f 14353d39
07094bdb 88be70fb 8fbc3521 ddf20da6 1a5be995 b1b33ebd cdae5957 26807787
f9d74fae 0a7372e0 c7ea117b fe946408 f7257173 f1c3d915 7681be81 6bb00e8c
29195c15 b7896e57 e49f56e5 1d6fff2f 9f8d7515 7af31d08 8e950dc9 e1693592
6774257e fe2460d5 6f234cb5 945902eb e1d82f92 ea8d41ea c5
quit
! IKEv1 on the Comcast uplink only: pre-shared key, 3DES, SHA-1, DH group 2.
! No IKEv2 and no certificate-based peer authentication is configured.
crypto isakmp enable COMCAST-OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
! Track 100 ties the primary default route to SLA probe 123.
track 100 rtr 123 reachability
client-update enable
! Only the idle timeouts are set; no "telnet <net> <if>" or "ssh <net> <if>"
! line appears in this listing, so remote CLI access appears to be disabled.
telnet timeout 5
ssh timeout 5
! Console sessions never time out.
console timeout 0
! DHCP scope for the management network.
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
! INSIDE scope: internal DNS first, public resolver second.
dhcpd address 192.168.254.175-192.168.254.253 INSIDE
dhcpd dns 192.168.254.5 8.8.8.8 interface INSIDE
dhcpd domain corhio.local interface INSIDE
dhcpd enable INSIDE
!
! Guest scope: public resolver only, so the internal DNS server is not handed to
! guests. Leases are issued fine; reachability beyond the ASA depends on the NAT
! section above.
dhcpd address 10.0.0.11-10.0.0.254 CGN_GUEST_WLAN
dhcpd dns 8.8.8.8 interface CGN_GUEST_WLAN
dhcpd enable CGN_GUEST_WLAN
!
! Basic threat detection, with automatic shun of hosts classified as scanners.
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.254.5 source INSIDE prefer
! The self-signed trustpoint serves HTTPS on the Comcast uplink.
ssl trust-point ASDM_TrustPoint0 COMCAST-OUTSIDE
! AnyConnect (svc) enabled. The default group policy permits IPsec, L2TP/IPsec,
! AnyConnect and clientless; VPNUSERS is restricted to AnyConnect.
webvpn
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VPNUSERS internal
group-policy VPNUSERS attributes
vpn-tunnel-protocol svc
! NOTE(review): a privilege-15 local account and its password hash are
! published here unredacted (enable/passwd above were masked as xxx). Treat the
! hash as exposed and rotate the password.
username corhioadmin password hlrGvFb742UKEwkU encrypted privilege 15
!
! Default application inspection policy, applied globally on all interfaces.
class-map inspection_default
match default-inspection-traffic
!
!
! DNS inspection caps UDP DNS messages at 512 bytes (blocks EDNS0-sized replies).
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
! Smart Call Home profile is present but "no active": nothing is sent to Cisco.
call-home
profile CiscoTAC-1
no active
destination address http tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
! Integrity digest of the saved configuration, not a secret.
Cryptochecksum:da8cd3f6ce6acae68bb7e8f587b3ea74
: end
! The two lines below follow ": end" and are a paste artifact of the forum post,
! not part of the configuration.
asdm image disk0:/asdm-634.bin
no asdm history enable
Here is the ASA config:
! Second, verbatim copy of the same ASA 5510 running configuration (ASA 8.2(3),
! pre-8.3 NAT syntax). Public addresses and the enable/login secrets were
! redacted as x / xxx by the poster.
ASA Version 8.2(3)
!
hostname CORHIOASA
domain-name xxx.local
! enable/passwd secrets are masked here; the local "username" line later in the
! listing is not.
enable password xxx encrypted
passwd xxx encrypted
names
! DNS Guard: the first DNS reply closes the matching query connection.
dns-guard
!
! Two ISP uplinks, both at security-level 0. Ethernet0/2-0/3 and
! GigabitEthernet1/2-1/3 are unused and administratively shut.
interface Ethernet0/0
nameif COMCAST-OUTSIDE
security-level 0
ip address x.x.x.249 255.255.255.248
!
interface Ethernet0/1
nameif TELESPHERE-OUTSIDE
security-level 0
ip address x.x.x.42 255.255.255.248
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
! Out-of-band management network; management-only means no transit traffic.
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface GigabitEthernet1/0
nameif INSIDE
security-level 100
ip address 192.168.254.1 255.255.255.0
!
! Guest WLAN at security-level 100, the same level as INSIDE. No
! "same-security-traffic permit inter-interface" line appears in this listing,
! so INSIDE<->guest traffic through the ASA should be dropped by default --
! confirm that this is the intended guest isolation rather than an accident.
interface GigabitEthernet1/1
nameif CGN_GUEST_WLAN
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name corhio.local
! NAT exemption for INSIDE. NOTE(review): the /25 mask covers 192.168.254.0-.127,
! which does not contain the VPN pool 192.168.254.134-.174 defined below; check
! whether the intended destination was the pool range.
access-list INSIDE_nat0_outbound extended permit ip any 192.168.254.0 255.255.255.128
! Bound to COMCAST-OUTSIDE by "nat (COMCAST-OUTSIDE) 0" below. NOTE(review): the
! second entry names the CGN_GUEST_WLAN interface address as a source but is
! applied on the outside interface, so it gives the guest subnet no translation.
access-list COMCAST-OUTSIDE_nat0_outbound extended permit ip x.x.x.248 255.255.255.248 any
access-list COMCAST-OUTSIDE_nat0_outbound extended permit ip interface CGN_GUEST_WLAN any
pager lines 24
! NOTE(review): logging goes only to the ASDM viewer at informational level; no
! "logging host", "logging buffered" or "logging trap" line appears in this
! listing, so there is no persistent or off-box audit trail.
logging enable
logging asdm informational
mtu COMCAST-OUTSIDE 1500
mtu TELESPHERE-OUTSIDE 1500
mtu management 1500
mtu INSIDE 1500
mtu CGN_GUEST_WLAN 1500
! VPN client addresses are carved from the INSIDE /24 (.134-.174), disjoint
! from the INSIDE DHCP scope (.175-.253) defined later.
ip local pool VPN-IP-POOL 192.168.254.134-192.168.254.174 mask 255.255.255.0
! Unicast RPF anti-spoofing on both ISP-facing interfaces.
ip verify reverse-path interface COMCAST-OUTSIDE
ip verify reverse-path interface TELESPHERE-OUTSIDE
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
! Dynamic PAT: each outside interface's own address is its global pool.
global (COMCAST-OUTSIDE) 101 interface
global (TELESPHERE-OUTSIDE) 102 interface
nat (COMCAST-OUTSIDE) 0 access-list COMCAST-OUTSIDE_nat0_outbound
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
! NOTE(review): only INSIDE is mapped to global 101. No "nat (CGN_GUEST_WLAN) ..."
! statement appears anywhere in this listing, so 10.0.0.0/24 has no translation
! toward either ISP -- consistent with the symptom in the post (guest clients get
! leases but cannot reach the Internet). Nothing maps to global 102 either, so
! the TELESPHERE uplink is not used for PAT.
nat (INSIDE) 101 0.0.0.0 0.0.0.0
! Primary default route via Comcast, withdrawn when SLA track 100 fails;
! Telesphere is the floating backup (administrative distance 254).
route COMCAST-OUTSIDE 0.0.0.0 0.0.0.0 x.x.x.254 1 track 100
route TELESPHERE-OUTSIDE 0.0.0.0 0.0.0.0 x.x.x.41 254
! Connection/xlate timeouts (stock 8.2 values).
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
! AAA against a Windows NT-domain controller (legacy NTLM-style scheme). No
! tunnel-group in this listing references it, so what it authenticates cannot be
! seen here.
aaa-server 192.168.254.5 protocol nt
aaa-server 192.168.254.5 (INSIDE) host 192.168.254.5
nt-auth-domain-controller corhio-file
! ASDM/HTTPS management reachable only from the INSIDE and management subnets.
http server enable
http 192.168.254.0 255.255.255.0 INSIDE
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
! Traps are enabled but no "snmp-server host" or community line appears, so they
! have no receiver.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! SLA probe 123: ICMP echo to the Comcast gateway every 5 s; consumed by
! "track 100" to withdraw the primary default route on failure.
sla monitor 123
type echo protocol ipIcmpEcho x.x.x.254 interface COMCAST-OUTSIDE
num-packets 3
frequency 5
sla monitor schedule 123 life forever start-time now
! IPsec transform sets. NOTE(review): single-DES and MD5-HMAC variants are still
! defined, and the dynamic map below offers all ten to any peer. DES, MD5 and
! DH group 2 are no longer considered adequate; restricting the dynamic map to
! the AES/SHA sets would be a low-risk tightening.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Dynamic (any-peer) crypto map, PFS enabled, applied to the Comcast uplink only.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map COMCAST-OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map COMCAST-OUTSIDE_map interface COMCAST-OUTSIDE
! Self-signed identity certificate; it also fronts SSL VPN/ASDM on
! COMCAST-OUTSIDE via "ssl trust-point" below, so clients cannot validate it
! against a public CA. NOTE(review): the DER appears to carry OID
! 1.2.840.113549.1.1.4 (md5WithRSAEncryption) and a 1024-bit modulus
! (02 81 81 00 ...) -- weak by current standards; verify with
! "show crypto ca certificates".
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn CORHIOASA
subject-name CN=CORHIOASA
no client-types
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
30820235 3082019e a0030201 02020131 300d0609 2a864886 f70d0101 04050030
2e311230 10060355 04031309 434f5248 494f4153 41311830 1606092a 864886f7
0d010902 1609434f 5248494f 41534130 1e170d31 30303930 39323135 3831345a
170d3230 30393036 32313538 31345a30 2e311230 10060355 04031309 434f5248
494f4153 41311830 1606092a 864886f7 0d010902 1609434f 5248494f 41534130
819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100 b8dac036
2e72f43e fc9ba6ef c5cea867 760a66be cc3c7f9b f5330541 ba0a0475 db909a22
8f1b5e94 d30693c2 dd545cdf 43511cfe beb4553d 0b328de6 57b9556a 82fd26e5
66cc9f61 f36e24c1 117a887d 40cae366 f2d4ed83 d248f46a 13133a78 928028cd
a05988b5 35e92a99 a5e3d97f 5d83f3ff 55b31f00 30fc01f0 96f98393 02030100
01a36330 61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d 0f0101ff
04040302 0186301f 0603551d 23041830 168014d2 431ef6bd f2c1e8a6 d4f1d538
ac999cf5 a25dda30 1d060355 1d0e0416 0414d243 1ef6bdf2 c1e8a6d4 f1d538ac
999cf5a2 5dda300d 06092a86 4886f70d 01010405 00038181 003d6d1f 14353d39
07094bdb 88be70fb 8fbc3521 ddf20da6 1a5be995 b1b33ebd cdae5957 26807787
f9d74fae 0a7372e0 c7ea117b fe946408 f7257173 f1c3d915 7681be81 6bb00e8c
29195c15 b7896e57 e49f56e5 1d6fff2f 9f8d7515 7af31d08 8e950dc9 e1693592
6774257e fe2460d5 6f234cb5 945902eb e1d82f92 ea8d41ea c5
quit
! IKEv1 on the Comcast uplink only: pre-shared key, 3DES, SHA-1, DH group 2.
! No IKEv2 and no certificate-based peer authentication is configured.
crypto isakmp enable COMCAST-OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
! Track 100 ties the primary default route to SLA probe 123.
track 100 rtr 123 reachability
client-update enable
! Only the idle timeouts are set; no "telnet <net> <if>" or "ssh <net> <if>"
! line appears in this listing, so remote CLI access appears to be disabled.
telnet timeout 5
ssh timeout 5
! Console sessions never time out.
console timeout 0
! DHCP scope for the management network.
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
! INSIDE scope: internal DNS first, public resolver second.
dhcpd address 192.168.254.175-192.168.254.253 INSIDE
dhcpd dns 192.168.254.5 8.8.8.8 interface INSIDE
dhcpd domain corhio.local interface INSIDE
dhcpd enable INSIDE
!
! Guest scope: public resolver only, so the internal DNS server is not handed to
! guests. Leases are issued fine; reachability beyond the ASA depends on the NAT
! section above.
dhcpd address 10.0.0.11-10.0.0.254 CGN_GUEST_WLAN
dhcpd dns 8.8.8.8 interface CGN_GUEST_WLAN
dhcpd enable CGN_GUEST_WLAN
!
! Basic threat detection, with automatic shun of hosts classified as scanners.
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.254.5 source INSIDE prefer
! The self-signed trustpoint serves HTTPS on the Comcast uplink.
ssl trust-point ASDM_TrustPoint0 COMCAST-OUTSIDE
! AnyConnect (svc) enabled. The default group policy permits IPsec, L2TP/IPsec,
! AnyConnect and clientless; VPNUSERS is restricted to AnyConnect.
webvpn
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VPNUSERS internal
group-policy VPNUSERS attributes
vpn-tunnel-protocol svc
! NOTE(review): a privilege-15 local account and its password hash are
! published here unredacted (enable/passwd above were masked as xxx). Treat the
! hash as exposed and rotate the password.
username corhioadmin password hlrGvFb742UKEwkU encrypted privilege 15
!
! Default application inspection policy, applied globally on all interfaces.
class-map inspection_default
match default-inspection-traffic
!
!
! DNS inspection caps UDP DNS messages at 512 bytes (blocks EDNS0-sized replies).
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
! Smart Call Home profile is present but "no active": nothing is sent to Cisco.
call-home
profile CiscoTAC-1
no active
destination address http tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
! Integrity digest of the saved configuration, not a secret.
Cryptochecksum:da8cd3f6ce6acae68bb7e8f587b3ea74
: end
! The two lines below follow ": end" and are a paste artifact of the forum post,
! not part of the configuration.
asdm image disk0:/asdm-634.bin
no asdm history enable