
ASA 5510 Guest Wireless Needs To Access Internal Web server

I have set up guest wireless with our ASA 5510 and WLC 2504 as follows:

Port 2 of the 2504 is connected to interface Ethernet0/2.62 on the 5510.

The guest wireless SSID is mapped to a dynamic interface using port 2 of the 2504.

I have a dynamic NAT rule on the 5510 allowing any traffic from the guest wireless interface (Ethernet0/2.62) to the outside.

I have a DHCP pool on the 2504 that is configured for external DNS (208.67.222.222).

Wireless clients can access the internet successfully and cannot access our internal network (as desired).

I have one problem: I need guest wireless users to be able to access our internal web server. I have done some research and found a few posts recommending DNS rewrite as the fix.

I have enabled DNS rewrite on the static NAT rule for our internal web server but guest wireless clients still cannot access the internal web server.

Any input as to a resolution would be greatly appreciated...

Thank you


Jouni Forss
VIP Alumni

Hi,

If the Guest network hosts' DNS queries are still answered with the public IP address of your Web server, then I would suggest configuring Static NAT or Static PAT (Port Forward) from your "inside" to "guest" for the Web server, the same way you have for the "inside" to "outside" direction.

Naturally, the configuration format depends on your ASA software.

If you wanted to configure Static NAT, the configurations would be the following:

Software 8.2 or below

static (inside,guest) <public-ip> <local-ip> netmask 255.255.255.255

Software 8.3 or above

object network WEB-SERVER
 host <local-ip>
 nat (inside,guest) static <public-ip>

Hope this helps

- Jouni
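
The Static PAT (port forward) variant mentioned in the reply, limited to HTTP and paired with an interface ACL so guests reach only the web server, as an added example that is not part of the original thread. All addresses, the object name WEB-SERVER-GUEST and the ACL name GUEST-IN are constructed; it assumes the internal networks sit inside 10.0.0.0/8, the guest subnet is 192.168.62.0/24, and "guest" has a lower security level than "inside".

```cisco
! Constructed values (replace with your own):
!   10.10.10.10   = web server real (inside) address
!   203.0.113.10  = web server public address returned by external DNS
!   192.168.62.50 = a guest wireless client

! ----- Software 8.3 or above -----
! An object holds only one nat statement, so use a separate object
! if the server's object already carries the (inside,outside) rule.
object network WEB-SERVER-GUEST
 host 10.10.10.10
 nat (inside,guest) static 203.0.113.10 service tcp www www
!
! From 8.3 on, interface ACLs match the real (untranslated) address.
access-list GUEST-IN extended permit tcp 192.168.62.0 255.255.255.0 host 10.10.10.10 eq www
! Keep guests out of everything else internal (assumed 10.0.0.0/8).
access-list GUEST-IN extended deny ip any 10.0.0.0 255.0.0.0
! Internet access continues to work once an ACL is bound to the interface.
access-list GUEST-IN extended permit ip any any
access-group GUEST-IN in interface guest

! ----- Software 8.2 or below -----
! static (inside,guest) tcp 203.0.113.10 www 10.10.10.10 www netmask 255.255.255.255
! Before 8.3, interface ACLs match the mapped (translated) address:
! access-list GUEST-IN extended permit tcp 192.168.62.0 255.255.255.0 host 203.0.113.10 eq www
! access-list GUEST-IN extended deny ip any 10.0.0.0 255.0.0.0
! access-list GUEST-IN extended permit ip any any
! access-group GUEST-IN in interface guest

! ----- Verification (either version) -----
! Simulate a guest client opening the public address on port 80; the output
! should show the UN-NAT phase translating to 10.10.10.10 and a final "allow".
packet-tracer input guest tcp 192.168.62.50 12345 203.0.113.10 80
! A second trace to another inside host should end in "drop" at the ACL phase.
packet-tracer input guest tcp 192.168.62.50 12345 10.10.10.20 80
```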
