3

Cisco ASA 5505, 8.4.3

  1. LAN: 10.0.15.0, Security Level 100
  2. WIRELESS: 10.0.17.0, Security Level 75
  3. WAN: Security Level 0

From the WIRELESS interface I need to access servers on the LAN. The problem is WIRELESS traffic heads out on WAN1 and does not make it back in to LAN. To solve this problem on the LAN I simply created DNS entries for the servers to point to LAN IPs. This is not possible on the WIRELESS interface because it uses external DNS servers. I'd like for the WIRELESS interface to use external IPs then pass back through the firewall.

What additional information must I post to help find a solution to this problem?

Rex
  • 7,895
  • 3
  • 29
  • 45
nick
  • 31
  • 2
  • do you have a security+ license on the 5505? – Zypher Mar 15 '12 at 20:22
  • Yes I do. Is there an extra feature I can utilize? – nick Mar 15 '12 at 20:34
  • Oh no just making sure, the base lic doesn't let you have all legs talk to each other - i.e. You would need to choose whether WIRELESS could talk to WAN or LAN it couldn't talk to both. – Zypher Mar 15 '12 at 20:35
  • Can you provide the output of a `packet-tracer` command simulating traffic from the wireless interface bound for the LAN interface? – Shane Madden Mar 16 '12 at 02:30

1 Answers1

2

Not to be pedantic but going from WIRELESS to LAN is not a hairpin as the traffic travels from one interface to another. A hairpin would be from WIRELESS to WIRELESS or from LAN to LAN -- an altogether more challenging problem than what you have requested.

However, to pass traffic from WIRELESS to LAN:

  • Since WIRELESS has security-level 75 to LAN's security-level 100 ensure that you have an ACL permitting traffic from the real source IP's on WIRELESS to the real IP's on LAN. Regardless of NAT, real IP's are used in ASA 8.3+.
  • If you want to use the public IP's of services hosted on LAN from WIRELESS the easiest way is to use the any keyword for the mapped interface the Object NAT of the server (behind the LAN interface) itself.

Example:

! Define object for LAN network and Object NAT dynamic PAT
object network net-10.0.15.0-24
 description LAN Network
 subnet 10.0.15.0 255.255.255.0
 nat (LAN,WAN) dynamic interface

! Define object for WIRELESS and Object NAT dynamic PAT
object network net-10.0.17.0-24
 description WIRELESS Network
 subnet 10.0.17.0 255.255.255.0
 nat (WIRELESS,WAN) dynamic interface

! Define object for a server hosted in LAN, note the *any* in the Object NAT
object network hst-10.0.15.100
 description Server on LAN
 host 10.0.15.100
 nat (LAN,any) static 1.2.3.4

! Tweak as needed -- permits WIRELESS to LAN due to security-level difference.
access-list WIRELESS_access_in extended permit ip object net-10.0.17.0-24 object net-10.0.15.0-24
! Beware of implicit deny at end, make sure to configure this ACL properly.
! May have to finish with a permit any any.  Included below for reference.
access-list WIRELESS_access_in extended permit ip any any

! Apply the ACL to the interface
access-group WIRELESS_access_in in interface WIRELESS

Be very careful using the any keyword in Object NAT. Especially with dynamic PAT and dynamic NAT. Read the ASA 8.4 Configuration Guide NAT Section

Weaver
  • 1,952
  • 12
  • 13