The wireless router NATs its LAN, 192.168.0.0/24, behind the single address 10.20.20.100 and forwards the traffic to the firewall; the default gateway configured on the router is 10.20.20.254. However, the firewall interface it is connected to, the wlan interface (nameif guest), has the IP address 172.16.0.1 (MAC address 00aa.0091.9e02). At first sight, traffic from the wireless router can therefore never reach the firewall. That's wrong!
The firewall already has a static route to the internal network 10.20.20.0/24 via inside, so we cannot assign an address from that range to the guest interface without subnetting the range (VLSM). The solution is proxy ARP on the guest interface, together with a host route back to the router:
! Proxy ARP is on by default; make sure it has not been disabled on guest
no sysopt noproxyarp guest
! Answer ARP requests for the router's gateway address with the guest interface's own MAC
arp guest 10.20.20.254 00aa.0091.9e02 alias
! The real 10.20.20.0/24 lives behind the inside interface
route inside 10.20.20.0 255.255.255.0 10.10.10.254 1
! Host route for the router: next hop = destination, so the firewall ARPs for it directly on guest
route guest 10.20.20.100 255.255.255.255 10.20.20.100 1
When the wireless router ARPs for its gateway 10.20.20.254 before sending traffic towards 10.20.20.0/24, the firewall answers the request with its own MAC address (this is what the alias entry does), so the router hands every packet to the firewall. The /32 host route matters for the return path: without it, replies to 10.20.20.100 would follow the 10.20.20.0/24 route towards inside instead of going back out the guest interface. We only need layer 2 connectivity between the two devices; the IP subnets on either side do not have to match, thus everything works fine.
Now we just have to implement the NAT rules and ACLs that allow traffic from guest to inside, and have some fun. A quick check from the wireless router:
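To make the two decisions the firewall takes here explicit (which ARP requests it answers, and which interface and next hop a forwarded packet takes), here is an added Python model of the configuration above. It is not the firewall's code nor part of the original post: it encodes the four configuration lines as data and replays the router's ping. The guest-side addresses and MAC are the ones from the page; the inside interface address (10.10.10.1/24) and its MAC are assumptions.

```python
"""Model of the ASA proxy-ARP setup described above (added example, not the firewall's code)."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


@dataclass
class Route:
    ifc: str                      # egress interface (nameif)
    prefix: ipaddress.IPv4Network
    next_hop: IPv4
    metric: int = 1


@dataclass
class Firewall:
    interfaces: dict              # nameif -> (IPv4Interface, MAC)
    proxy_arp: set                # interfaces without 'sysopt noproxyarp'
    arp_alias: dict               # (nameif, IPv4) -> MAC, from 'arp ... alias'
    routes: list                  # static routes ('route ...')

    def answer_arp(self, ifc: str, target: str):
        """MAC the firewall puts in an ARP reply on ifc, or None if it stays silent."""
        target = IPv4(target)
        own_addr, own_mac = self.interfaces[ifc]
        if target == own_addr.ip:            # "rqst for me": the interface's own address
            return own_mac
        if ifc in self.proxy_arp and (ifc, target) in self.arp_alias:
            return self.arp_alias[(ifc, target)]   # proxy ARP for a static alias entry
        return None

    def lookup(self, dst: str):
        """Longest-prefix match over connected and static routes -> (nameif, next hop)."""
        dst = IPv4(dst)
        candidates = []
        for ifc, (addr, _) in self.interfaces.items():
            if dst in addr.network:          # connected: deliver directly to dst
                candidates.append((addr.network.prefixlen, 0, ifc, dst))
        for r in self.routes:
            if dst in r.prefix:
                candidates.append((r.prefix.prefixlen, r.metric, r.ifc, r.next_hop))
        if not candidates:
            return None
        candidates.sort(key=lambda c: (-c[0], c[1]))   # longest prefix, then lowest metric
        _, _, ifc, next_hop = candidates[0]
        return ifc, str(next_hop)


def build_from_page() -> Firewall:
    """The firewall as configured on the page (inside addressing is assumed)."""
    return Firewall(
        interfaces={
            "inside": (ipaddress.IPv4Interface("10.10.10.1/24"), "00aa.0091.9e01"),  # assumed
            "guest": (ipaddress.IPv4Interface("172.16.0.1/24"), "00aa.0091.9e02"),   # from the page
        },
        proxy_arp={"guest"},                                             # no sysopt noproxyarp guest
        arp_alias={("guest", IPv4("10.20.20.254")): "00aa.0091.9e02"},  # arp guest ... alias
        routes=[
            Route("inside", ipaddress.IPv4Network("10.20.20.0/24"), IPv4("10.10.10.254")),
            # Host route: next hop == destination, so the firewall ARPs for the router
            # directly on guest instead of sending replies towards inside via the /24.
            Route("guest", ipaddress.IPv4Network("10.20.20.100/32"), IPv4("10.20.20.100")),
        ],
    )


def trace_ping(fw: Firewall) -> dict:
    """Replay the router's ping of 10.20.20.254 as seen in the debug output."""
    router, gateway = "10.20.20.100", "10.20.20.254"
    return {
        "arp_reply_mac": fw.answer_arp("guest", gateway),   # firewall answers for the gateway
        "echo_request": fw.lookup(gateway),                 # forwarded to inside via 10.10.10.254
        "echo_reply": fw.lookup(router),                    # back out guest, straight to the router
    }


if __name__ == "__main__":
    fw = build_from_page()
    for step, result in trace_ping(fw).items():
        print(f"{step:15s} {result}")
    # With 'sysopt noproxyarp guest' in place the router's ARP request would go unanswered.
    fw.proxy_arp.discard("guest")
    print("proxy ARP off  ", fw.answer_arp("guest", "10.20.20.254"))
```

Running it shows the same three steps as the firewall debug below: the ARP reply carries 00aa.0091.9e02, the echo request is routed to inside via 10.10.10.254, and the echo reply is routed out guest with 10.20.20.100 as its own next hop. Dropping guest from the proxy-ARP set reproduces the failure mode: the firewall would no longer answer for 10.20.20.254 and the router would never reach its gateway.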
WL-Router#sh arp | i 10.20.20.254
Internet 10.20.20.254 38 00aa.0091.9e02 ARPA Ethernet1/0
WL-Router#ping 10.20.20.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/52/92 ms
On the firewall, debug arp and debug icmp trace show that it answers the ARP request itself but forwards the echo requests to the real 10.20.20.254 on the inside network:
arp-in: request at guest from 10.20.20.100 cc01.0a44.0010 for 10.20.20.254 0000.0000.0000
arp-in: rqst for me from 10.20.20.100 for 10.20.20.254, on guest
arp-set: added arp guest 10.20.20.100 cc01.0a44.0010 and updating NPs at 3051950
arp-in: generating reply from 10.20.20.254 00aa.0091.9e02 to 10.20.20.100 cc01.0a44.0010
ICMP echo request from guest:10.20.20.100 to inside:10.20.20.254 ID=10 seq=0 len=72
ICMP echo reply from inside:10.20.20.254 to guest:10.20.20.100 ID=10 seq=0 len=72
asa(config)# end
asa# wr mem