I have a Cisco ASA 5510 configured thus:
interface Ethernet0/0
 description ### Trunk for inside, wlan ###
 speed 1000
 no nameif
 no security-level
 no ip address
interface Ethernet0/0.10
 description ### OFFICE ###
 vlan 10
 nameif inside
 security-level 100
 ip address 172.18.0.1 255.255.255.0
interface Ethernet0/0.12
 description ### WIRELESS ###
 vlan 12
 nameif wlan
 security-level 20
 ip address 172.18.2.1 255.255.255.128
interface Ethernet0/3
 description ### Upstream ###
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.252
access-group WLAN in interface wlan
global (outside) 10 interface
nat (wlan) 0 access-list NONATWIRELESS
nat (wlan) 10 172.18.2.0 255.255.255.128
nat (inside) 0 access-list NONATINSIDE
nat (inside) 10 172.18.0.0 255.255.255.0
dhcprelay server ZZZ inside
dhcprelay enable wlan
access-list WLAN extended permit object-group DNS object-group WLAN host nic
access-list WLAN extended permit object-group DNS object-group WLAN host idns
access-list NONATWIRELESS extended permit ip any 172.18.0.0 255.255.255.0
access-list NONATWIRELESS extended permit ip any 172.18.3.0 255.255.255.0
access-list NONATINSIDE extended permit ip any 172.18.2.0 255.255.255.0
access-list NONATINSIDE extended permit ip any 172.18.3.0 255.255.255.0
no nat-control
There are no static routes.
On this configuration, hosts on vlan 10 are allowed to access the outside world, but hosts on vlan 12 are not. They produce log entries like:
Jan 13 14:35:02 172.18.0.1 %ASA-4-106023: Deny tcp src wlan:172.18.2.125/48593 dst outside:Y.Y.Y.Y/80 by access-group "WLAN" [0x0, 0x0]
How come?
EDIT: I suppose this is because there is an access-list on wlan but not on inside, but this seems stupid? Shouldn't security-level still be evaluated if there are no matching entries in the access-list?
Umm, possibly because you've got the access group WLAN applied to traffic coming in the wlan interface, and that access group doesn't permit traffic to web servers.
The error message is pretty clear that the problem lies with the access-group WLAN, and that access-list is pretty restrictive.
Edit in response to your comment: not that I know of, because all access-lists in PIXOS are dispositive (that is, all have an implicit "deny any any" at the end), so there's no such thing as an access list that doesn't match.
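To make the answer's point concrete, here is an added Python model of the ASA's decision (not code from the question or from Cisco): when an access-group is bound to the ingress interface, the ACL alone decides and its implicit deny ends the evaluation; only an interface with no access-group falls back to the security-level comparison. The object-group DNS (tcp/udp port 53), object-group WLAN (172.18.2.0/25) and the addresses of hosts nic and idns are assumptions, since the page does not show them.

```python
import ipaddress

# Interface names and security levels from the question's configuration.
INTERFACES = {"inside": 100, "wlan": 20, "outside": 0}
# Assumed addresses for 'host nic' and 'host idns' (the page gives only names).
HOSTS = {"nic": "172.18.0.53", "idns": "172.18.0.54"}

# Assumed expansion of the two ACEs in access-list WLAN:
# object-group DNS -> tcp/udp 53, object-group WLAN -> 172.18.2.0/25.
# Each ACE: (action, protocols, dst_port, src_network, dst_network)
ACL_WLAN = [
    ("permit", {"tcp", "udp"}, 53, "172.18.2.0/25", HOSTS["nic"] + "/32"),
    ("permit", {"tcp", "udp"}, 53, "172.18.2.0/25", HOSTS["idns"] + "/32"),
]
# 'access-group WLAN in interface wlan'; inside and outside have no ACL bound.
ACCESS_GROUPS = {"wlan": ACL_WLAN}


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_lookup(acl, proto, src, dst, dport):
    """First matching ACE wins; an ACL that matches nothing still denies."""
    for action, protos, port, src_net, dst_net in acl:
        if (proto in protos and port == dport
                and _in(src, src_net) and _in(dst, dst_net)):
            return action
    return "deny"  # implicit 'deny ip any any' at the end of every ACL


def decide(ingress, egress, proto, src, dst, dport):
    """Return 'permit' or 'deny' for a new connection entering 'ingress'.

    An access-group on the ingress interface replaces the security-level
    check entirely; the level comparison applies only when no ACL is bound.
    """
    acl = ACCESS_GROUPS.get(ingress)
    if acl is not None:
        return acl_lookup(acl, proto, src, dst, dport)
    if INTERFACES[ingress] > INTERFACES[egress]:
        return "permit"  # higher- to lower-security traffic is allowed by default
    return "deny"
```

Running `decide("wlan", "outside", "tcp", "172.18.2.125", "203.0.113.10", 80)` reproduces the denied web connection from the log line, while the same request from inside is permitted because no access-group is bound there.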