
I have a Cisco ASA 5510 configured thus:

interface Ethernet0/0
 description ### Trunk for inside, wlan ###
 speed 1000
 no nameif
 no security-level
 no ip address

interface Ethernet0/0.10
 description ### OFFICE ###
 vlan 10
 nameif inside
 security-level 100
 ip address 172.18.0.1 255.255.255.0 

interface Ethernet0/0.12
 description ### WIRELESS ###
 vlan 12      
 nameif wlan  
 security-level 20
 ip address 172.18.2.1 255.255.255.128 

interface Ethernet0/3
 description ### Upstream ###
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.252 

access-group WLAN in interface wlan

global (outside) 10 interface

nat (wlan) 0 access-list NONATWIRELESS
nat (wlan) 10 172.18.2.0 255.255.255.128
nat (inside) 0 access-list NONATINSIDE
nat (inside) 10 172.18.0.0 255.255.255.0

dhcprelay server ZZZ inside
dhcprelay enable wlan

access-list WLAN extended permit object-group DNS object-group WLAN host nic 
access-list WLAN extended permit object-group DNS object-group WLAN host idns 
access-list NONATWIRELESS extended permit ip any 172.18.0.0 255.255.255.0 
access-list NONATWIRELESS extended permit ip any 172.18.3.0 255.255.255.0 
access-list NONATINSIDE extended permit ip any 172.18.2.0 255.255.255.0 
access-list NONATINSIDE extended permit ip any 172.18.3.0 255.255.255.0 

no nat-control

There are no static routes.

On this configuration, hosts on vlan 10 are allowed to access the outside world, but hosts on vlan 12 are not. They produce log entries like:

Jan 13 14:35:02 172.18.0.1 %ASA-4-106023: Deny tcp src wlan:172.18.2.125/48593 dst outside:Y.Y.Y.Y/80 by access-group "WLAN" [0x0, 0x0]

How come?

EDIT: I suppose this is because there is an access-list on wlan but not on inside, but this seems stupid? Security-level should still be evaluated if there are no matching entries in the access-list?

Bittrance

1 Answer


Umm, possibly because you've got the access group WLAN applied to traffic coming in the wlan interface, and that access group doesn't permit traffic to web servers.

The error message is pretty clear that the problem lies with the access-group WLAN, and that access-list is pretty restrictive.

Edit in response to your comment: not that I know of, because all access-lists in PIXOS are dispositive (that is, all have an implicit deny any any at the end) - so there's no such thing as an access list that doesn't match.

MadHatter
  • Parallel commenting. Is there no way to get security-level logic in case of no match in access-list? – Bittrance Jan 13 '12 at 13:47
  • Nope. Once you apply an access-list to an interface security levels are no longer used for traffic on that interface. It is a very generic default configuration for very simple firewall configurations. – Paul Ackerman Jan 13 '12 at 13:58
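To make the answer and Paul Ackerman's comment concrete, here is an added Python model (not the ASA's code, and not from the question or answer) of the inbound decision on a new connection: an interface with an inbound access-group is judged by that list alone, implicit deny included, and only an interface without one falls back to the security-level rule. The DNS server addresses, the web server standing in for Y.Y.Y.Y, and the contents of object-group WLAN are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model: an interface with an inbound access-group is judged by
# that ACL alone (implicit deny at the end); otherwise security-level decides.

@dataclass
class Interface:
    name: str
    security_level: int
    acl_name: Optional[str] = None   # access-group applied inbound, if any
    acl: Optional[list] = None        # list of ACEs built with ace()

def ace(action, src, dst, dport=None):
    """One access-list entry; src/dst are CIDR strings or 'any'."""
    net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return (action, net(src), net(dst), dport)

def evaluate(ingress, egress, src, dst, dport):
    """Return (verdict, reason) for a packet entering ingress, exiting egress."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress.acl is not None:
        for action, sn, dn, port in ingress.acl:
            if s in sn and d in dn and port in (None, dport):
                return action, f'matched ACE in access-group "{ingress.acl_name}"'
        return "deny", f'implicit deny at end of access-group "{ingress.acl_name}"'
    if ingress.security_level > egress.security_level:
        return "permit", "no ACL on ingress; higher to lower security-level"
    return "deny", "no ACL on ingress; not higher to lower security-level"

def asa_from_question():
    """Interfaces as in the question; DNS host addresses are placeholders."""
    wlan_acl = [ace("permit", "172.18.2.0/25", "192.0.2.53/32", 53),   # host nic
                ace("permit", "172.18.2.0/25", "192.0.2.54/32", 53)]   # host idns
    return {"inside": Interface("inside", 100),
            "wlan": Interface("wlan", 20, "WLAN", wlan_acl),
            "outside": Interface("outside", 0)}

def demo():
    """Verdicts for the logged wlan client, an inside host, and the wlan client after a fix."""
    asa = asa_from_question()
    web = "203.0.113.10"   # placeholder standing in for Y.Y.Y.Y
    blocked = evaluate(asa["wlan"], asa["outside"], "172.18.2.125", web, 80)
    allowed = evaluate(asa["inside"], asa["outside"], "172.18.0.50", web, 80)
    # Remedy the answer points to: an explicit permit in the WLAN list.
    asa["wlan"].acl.append(ace("permit", "172.18.2.0/25", "any"))
    fixed = evaluate(asa["wlan"], asa["outside"], "172.18.2.125", web, 80)
    return blocked[0], allowed[0], fixed[0]   # ('deny', 'permit', 'permit')
```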