More Cisco Woes

I think what I'm after is hairpin NAT, but I'm not 100% sure.

Cisco ASA5505 (running version 7.2!!!)

I have 3 interfaces (security level next to each)
Outside (100)
Inside (0)
Guest (10)

Public IP - 1.1.1.1 - 1.1.1.2

Outside interface on the firewall is 1.1.1.1

Server on the LAN is 1.1.1.2 by static NAT and an ACL for https; the internal IP of this server is 192.168.88.107

Fairly simply, I want hosts on either the guest or LAN network to enter 1.1.1.2 and get to the internal address of the server.

I am trying to set up the LAN interface first, but it's not working and I don't know enough to troubleshoot the issue.

Config below

ASA Version 7.0(6)
!
hostname XXXXXXXXXXXXXXXXXXX
domain-name XXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXX encrypted

dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.88.254 255.255.255.0
!
interface Ethernet0/2
nameif guest
security-level 10
ip address 10.99.99.254 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd XXXXXXXXXXXXXXXXXXXXXX encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network LANNetworks
network-object 192.168.88.0 255.255.255.0
network-object 192.168.253.0 255.255.255.0
access-list 101 extended permit ip object-group LANNetworks 10.0.0.0 255.0.0.0
access-list 101 extended permit ip object-group LANNetworks 192.168.254.0 255.255.255.0
access-list 101 extended permit ip object-group LANNetworks 192.168.253.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging emblem
logging buffer-size 409600
logging buffered informational
logging trap notifications
logging asdm debugging
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu guest 1500
ip local pool VPNPool 192.168.253.1-192.168.253.254
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 2 interface
global (inside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 2 192.168.88.0 255.255.255.0
nat (inside) 2 192.168.253.0 255.255.255.0
nat (guest) 2 10.99.99.0 255.255.255.0
static (inside,outside) 1.1.1.2 192.168.88.107 netmask 255.255.255.255
static (inside,inside) 1.1.1.2 192.168.88.107 netmask 255.255.255.255
access-group acl_out in interface outside
access-group inside_access_in in interface inside
access-group Guest_access_in in interface guest
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.89.0 255.255.255.0 192.168.88.190 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage enable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
console timeout 0
management-access inside
dhcpd address 10.99.99.10-10.99.99.50 guest
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable guest
priority-queue outside
!
class-map inspection_default
match default-inspection-traffic
class-map guest-class
match any
class-map voice-qos
match access-list PriorityQueue
!
!
policy-map global_policy
class inspection_default
inspect skinny
inspect ipsec-pass-thru
inspect pptp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map guest-policy
class guest-class
police 1500000 1000
policy-map outside_policy
class voice-qos
priority
class class-default
!
service-policy global_policy global
service-policy outside_policy interface outside
service-policy guest-policy interface guest
: end


help?
 
I've upgraded this firewall to 8.3 - and it's still not working.

Server is on the inside interface and client also on the inside interface.

Can anybody shed any light? I've tried so many things and still can't work it out. I'd prefer to do this in ASDM if possible.

I've done the following

- Added permit-traffic-inter
- Added static Nat inside,inside external ip internal ip

help?
 
Question: Why are you trying to do it this way and not via DNS (which is the way you should be doing it)? Cisco ASAs, along with most other vendor firewalls, won't support, or properly support, hairpin NAT, and even if you got it working, it's a terrible idea. You might get it working by either:

- Adding a source and destination statement to your NAT and therefore hiding the client IP behind another VIP
- Applying a TCP state bypass policy (This is where it is likely breaking as your traffic flow is messed up for a stateful firewall and TCP)
- Duplicated internal Global, although these aren't on 8.3+

Of course I wouldn't recommend going along that path. Ever.

- GP
 
Thanks Pea,

We don't usually deal with Cisco kit; I usually use SonicWall etc., so it's all done for me - I'm a bit spoilt I guess!

I also usually use the internal DNS method, which I think is what I'm going to suggest here; there's lots of phones to change and talking users through is always fun!! Was hoping I could do without the hassle, but it seems I have no choice.

As I'm running users on a 'guest' network they won't be using internal DNS servers (set to Google's). Any recommendations here? Is it worth me punching holes through and using the internal DNS?
 
Well, I guess that would depend on your security etc. Can the server be moved to another zone? If you have a Sec+ license you can have more interfaces and dump the server in a DMZ. Not ideal, but that will easily allow you to do the relevant NATs between the interfaces without causing any major issues.

- GP
 
I have the guest network on a VLAN sub-interface. Would this be a similar setup?

I am testing from the inside network as I'm not physically on site to test from the guest network.

Server external is: 1.1.1.1 (eth0/0)
Server actual LAN IP on inside network is: 192.168.88.1 (eth0/1)
Guest network is 10.99.99.x/24 on Eth0/1.9 (Vlan 9)

Can you advise config? The firewall is now running 8.2.

Ash
 
I thought you were coming from a device on inside to inside but on its public IP (tied to outside). Guess I must have misunderstood. If you're coming from guest to inside then you'll need something like:

Code:
object network obj-serverrealip
 host 192.168.88.107

object network obj-serverpublicip
 host 1.1.1.2

object network obj-guestlan
 subnet 10.99.99.0 255.255.255.0 

nat (inside,guest) 1 source static obj-serverrealip obj-serverpublicip destination static obj-guestlan obj-guestlan no-proxy-arp route-lookup

Note: you may or may not need the trailing "no-proxy-arp route-lookup" keywords; try with both or either if it doesn't work at first

You'll also need an ACL entry permitting access to the server on the guest interface (add it to Guest_access_in)

Depending on how you have added your other NAT in for this server to go to the public interface it will either be:

Code:
1) Static NAT command like above for your "before auto" section

or as a "nat" entry under the object such as

Code:
2) object network obj-serverrealip
     nat (inside,outside) static 1.1.1.2

If using ASDM chances are it's done the second

- GP
 
Damnit, just seen it's running 8.2 - upgrade it to 8.4 and be done with it, otherwise I have to give you new config :p

- GP

Site is 1000 miles away and a 2 hour plane flight, would doing this cause any untoward issues?

It's a 5510 with 256MB of flash; I know anything after 8.3 needs 1GB?
 
Potentially a pain in the arse, yes, unless you have somebody competent on the other end who can assist in a roll-back. In theory (and from practical experience) the upgrades are usually fine, but as the syntax is different for certain commands it has to convert between ACL and NAT statements among several things, possibly even VPN config too if you're going to 8.4. 99% of the time a remote upgrade will convert most of the config, at least to the point you can connect to it, but some statements won't work and need troubleshooting. I wouldn't do a remote upgrade like that without some form of assistance at the other end. ASAs do not have roll-back features for configs (unless you do a reload in command, which is far from perfect), let alone software roll-backs like CheckPoint.

Are we talking about different kit here each time? You first mentioned a 5505, now you say it's a 5510; the original config is from 7.2, then you say it was upgraded to 8.3 and now it's back on 8.2. Jumping all over, unless I'm misreading.

- GP
 
Partially my fault and partially misinformation.

It's a 5510 which has now been upgraded to 8.2, which I thought supported U-turn hairpin very easily. It was on 7.2; we had somebody there last week so I did this then.

I am now going down the DNS route; however, I guess I need to allow the guest network to use the internal DNS servers. Is this simply a case of allowing port 53 through on the inside_in ACL and changing the DNS servers for guests?
 
Config for reference

: Saved
:
ASA Version 8.2(5)
!
hostname ASA1
names
name 192.168.254.0 UK
name 10.99.99.0 GuestLAN
name 10.0.0.0 JapanLAN
name 192.168.253.0 VPNLAN
name 192.168.88.0 ViennaLAN
name XXXXXXXXXXXX SERVER07_EXT
name 192.168.88.107 SERVER07_INT
name XXXXXXXXXXXX CITRIX_EXT
name XXXXXXXXXXX SERVER03_EXT
name 192.168.88.112 CITRIX_INT
name 192.168.88.103 SERVER03_INT
!
interface Ethernet0/0
mac-address 001a.6dea.4484
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.88.254 255.255.255.0
!
interface Ethernet0/1.9
mac-address 001a.6dea.4486
vlan 9
nameif Guest
security-level 10
ip address 10.99.99.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object-group network ViennaNetworks
network-object VPNLAN 255.255.255.0
network-object ViennaLAN 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object VPNLAN 255.255.255.0
network-object ViennaLAN 255.255.255.0
access-list outside_access extended permit tcp any host CITRIX_EXT eq https log debugging
access-list outside_access extended permit tcp any host SERVER07_EXT eq https log debugging
access-list outside_access extended permit tcp any host SERVER03_EXT eq smtp log debugging
access-list outside_access extended permit ip VPNLAN 255.255.255.0 ViennaLAN 255.255.255.0 log debugging
access-list outside_access extended permit ip ViennaLAN 255.255.255.0 host SERVER07_EXT log debugging
access-list nichicon_splitTunnelAcl standard permit UK 255.255.255.0
access-list nichicon_splitTunnelAcl standard permit ViennaLAN 255.255.255.0
access-list nichicon_splitTunnelAcl standard permit JapanLAN 255.0.0.0
access-list inside_nat0_outbound extended permit ip object-group ViennaNetworks VPNLAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group ViennaNetworks UK 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group ViennaNetworks JapanLAN 255.0.0.0
access-list outside_1_cryptomap extended permit ip object-group ViennaNetworks UK 255.255.255.0
access-list outside_1_cryptomap extended permit ip VPNLAN 255.255.255.0 ViennaLAN 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 JapanLAN 255.0.0.0
access-list inside_access_out extended permit ip any any log debugging
access-list Guest_access_in extended permit ip any any log debugging
access-list outside_nat0_outbound extended permit ip VPNLAN 255.255.255.0 JapanLAN 255.0.0.0
pager lines 24
logging enable
logging asdm warnings
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu Guest 1500
mtu management 1500
ip local pool VPNPool 192.168.253.20-192.168.253.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (Guest) 101 0.0.0.0 0.0.0.0
static (inside,outside) SERVER07_EXT SERVER07_INT netmask 255.255.255.255
static (inside,outside) SERVER03_EXT SERVER03_INT netmask 255.255.255.255
static (inside,outside) CITRIX_EXT CITRIX_INT netmask 255.255.255.255
access-group outside_access in interface outside
access-group inside_access_out out interface inside
access-group Guest_access_in in interface Guest
route outside 0.0.0.0 0.0.0.0 80.252.37.185 1
route inside 192.168.89.0 255.255.255.0 192.168.88.190 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http ViennaLAN 255.255.255.0 inside
http UK 255.255.255.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 3.3.3.3
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 4.4.4.4
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
telnet ViennaLAN 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.99.99.10-10.99.99.30 Guest
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest
dhcpd option 3 ip 10.99.99.254 interface Guest
dhcpd enable Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy nichicon internal
group-policy nichicon attributes
dns-server value 192.168.88.122 192.168.88.123
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nichicon_splitTunnelAcl
default-domain value XXX.co.uk
username admin password XXXXXXXXXXXX encrypted
username Nichvie password XXXXXXXXXXXXXXXX encrypted
username Nichvie attributes
vpn-group-policy nichicon
username nichicon password XXXXXXXXXXXXXXXXX encrypted
username nichicon attributes
vpn-group-policy nichicon
username Nehanet nopassword
username Nehanet attributes
vpn-group-policy nichicon
tunnel-group nichicon type remote-access
tunnel-group nichicon general-attributes
address-pool VPNPool
default-group-policy nichicon
tunnel-group nichicon ipsec-attributes
pre-shared-key *****
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *****
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect icmp
inspect icmp error
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
policy-map TCP-BYPASS
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
asdm location UK 255.255.255.0 inside
no asdm history enable

Any other things you think look odd, let me know :)
 
Correct, adding udp/53 through on the ACL would allow them to access it, although looking at that config they have access to anything anyway - possibly the rest of your network although you may just be being "protected" by NAT. You'll need a no-nat entry to global 0 for the guest network so that you can reach the DNS server but I'd also visit the ACL there and allow access to the DNS server, then deny anything to RFC-1918 addresses, then permit anything else. Otherwise you might have some guest users try and get to bits they shouldn't be able to.

You may just be able to get away with adding in this instead and it might work:

Code:
static (inside,guest) SERVER07_EXT SERVER07_INT netmask 255.255.255.255

May want to block out your public IP range from the name statements and NAT entries otherwise it's a bit revealing :)

I'd also chuck the telnet access and enable SSH instead, even from inside.

- GP
 
I'm still playing with this - again my CLI isn't much good so I'm using ASDM. Here's my progress. I'm struggling with ACLs and IN/OUT.

If I want to allow the guest LAN to access just the LAN DNS servers, do I add the ACL to the Guest coming in or out? Or the LAN in or out?

I've been using packet tracer and I think I have the results I want but still not 100% sure it will actually deliver.

[screenshot: ASDM access rules and packet tracer result]
 
I've also added NAT rules - do these look correct??

I'm going to get connected to a laptop tomorrow on the guest wireless and do some testing.

[screenshot: ASDM NAT rules]
 
For the ACL, think of yourself as the ASA and your arms and legs as the interfaces. If it's coming from your hand or foot to your body then the ACL is applied IN; if you're applying it OUT then it's from your shoulder or hip to your hands/feet (excuse the analogy). In your screenshot above that's fine as it's incoming to the firewall from the hosts. There are merits for both and times when you may need to do both, but generally most of the time you'll just filter inbound on each interface.

The NAT looks OK from what I would guess it would be. I did this exact thing for a client a few years back but I can't remember who it was to see if I have the config and compare and unfortunately I don't have time to lab it up for you :( Busy few days

- GP
 
No worries. If it doesn't work then run a packet-tracer. There should be a tool in ASDM, but from the CLI it would be something like:

Code:
packet-tracer input guest tcp 10.99.99.10 12345 1.1.1.2 443 detailed

Paste the output and usually it will indicate where the issue lies, although it can be misleading sometimes

- GP
 
You should specify the specific protocol you need but this is what you want for hairpinning:

static (inside,guest) 1.1.1.2 192.168.88.107 netmask 255.255.255.255
access-list Guest_access_in extended permit ip 10.99.99.0 255.255.255.0 host 1.1.1.2
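Added example (mine, not GP's or anything posted in the thread): a Python model of the pre-8.3 packet path that GP's packet-tracer command walks through, ingress ACL first, then static un-translation, then routing, using the addresses from the thread. It covers GP's ACL-ordering advice for the guest interface (DNS server first, then deny RFC-1918, then permit the rest) together with the final static (inside,guest) plus ACL pair, and shows why the static (inside,outside) entry on its own sends a guest client's packet the wrong way. Assumptions: the DNS server 192.168.88.122 is taken from the posted group-policy, 192.168.88.100 is a constructed internal host, and routing considers only the connected subnets and the default route.

```python
import ipaddress


def net(s):
    return ipaddress.ip_network(s)


ANY = net("0.0.0.0/0")
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]

# nameif -> connected subnet, taken from the posted 8.2 config
INTERFACES = {
    "outside": net("1.1.1.0/29"),
    "inside": net("192.168.88.0/24"),
    "guest": net("10.99.99.0/24"),
}

# Guest_access_in in the order GP suggests: DNS and the hairpinned server first,
# then deny RFC-1918 (the rest of the corporate LAN), then permit the Internet.
# Entry layout: (action, protocol, source, destination, destination port or None).
# 192.168.88.122 is the DNS server from the posted group-policy (assumed reachable).
GUEST_ACL = [
    ("permit", "udp", net("10.99.99.0/24"), net("192.168.88.122/32"), 53),
    ("permit", "tcp", net("10.99.99.0/24"), net("1.1.1.2/32"), 443),
] + [("deny", "ip", ANY, n, None) for n in RFC1918] + [("permit", "ip", ANY, ANY, None)]

# static (real_if,mapped_if) mapped real  ->  (real_if, mapped_if, mapped, real)
STATIC_OUTSIDE_ONLY = [("inside", "outside", "1.1.1.2", "192.168.88.107")]
STATIC_WITH_HAIRPIN = STATIC_OUTSIDE_ONLY + [("inside", "guest", "1.1.1.2", "192.168.88.107")]


def acl_check(acl, proto, src, dst, dport):
    """First matching entry wins; no match is the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, port in acl:
        if p in ("ip", proto) and s in src_net and d in dst_net and port in (None, dport):
            return action
    return "deny"


def untranslate(statics, ingress, dst):
    """A packet arriving on the mapped interface for the mapped address is sent to the real one."""
    for real_if, mapped_if, mapped, real in statics:
        if mapped_if == ingress and mapped == dst:
            return real, real_if
    return dst, None


def route_lookup(dst):
    """Longest match over connected subnets; anything else follows the default route out."""
    d = ipaddress.ip_address(dst)
    hits = [(n.prefixlen, name) for name, n in INTERFACES.items() if d in n]
    return max(hits)[1] if hits else "outside"


def trace(ingress, statics, proto, src, dst, dport, acl=GUEST_ACL):
    """Condensed packet-tracer: (verdict, egress interface, address the packet is sent to)."""
    # Pre-8.3 ACLs are written against the address as seen on the ingress interface (mapped),
    # which is why the thread's final ACL line says "host 1.1.1.2" rather than the real IP.
    if acl_check(acl, proto, src, dst, dport) != "permit":
        return ("DROP (acl)", None, dst)
    real_dst, real_if = untranslate(statics, ingress, dst)
    egress = real_if if real_if else route_lookup(real_dst)
    return ("ALLOW", egress, real_dst)


if __name__ == "__main__":
    # Without the (inside,guest) static the guest client's SYN is routed towards the outside
    # segment, where no host answers for 1.1.1.2; with it the packet reaches the real server.
    print(trace("guest", STATIC_OUTSIDE_ONLY, "tcp", "10.99.99.10", "1.1.1.2", 443))
    print(trace("guest", STATIC_WITH_HAIRPIN, "tcp", "10.99.99.10", "1.1.1.2", 443))
    print(trace("guest", STATIC_WITH_HAIRPIN, "udp", "10.99.99.10", "192.168.88.122", 53))
    print(trace("guest", STATIC_WITH_HAIRPIN, "tcp", "10.99.99.10", "192.168.88.100", 445))
```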
 