Allow access to server on inside Interface from DMZ

David Koll
Level 1

My internal network consists of Catalyst 3750 switches segmented into different VLANs.  There is a default route on the layer 3 Catalyst switch sending all unknown traffic to the inside interface of the ASA 5510.  However, I'd like to have a separate VLAN for wifi guest access and send all of that traffic through one of the DMZ interfaces on the ASA 5510.  I don't think you can have separate default routes based on VLANs on the 3750 switches, so my only option is to make the IP address of the DMZ port the default gateway for all hosts on the wifi guest VLAN.

The problem I have is that I have a couple servers behind the inside interface that have services available to the public Internet via a NAT address on the outside interface.  I want the guests on the wifi VLAN to have the ability to access the servers on the inside interface using the public address as well, but have not been able to come up with a solution yet. 

Here is my config that pertains to this setup:

interface Ethernet0/0
description Outside Interface
nameif Outside
security-level 0
ip address 76.47.10.x 255.255.255.224
rip send version 1
rip receive version 1
!
interface Ethernet0/1
description Inside Interface
nameif Inside
security-level 100
ip address 192.168.17.1 255.255.255.0
rip send version 1
rip receive version 1
!
interface Ethernet0/3
description Wifi Guest Access
nameif DMZ2
security-level 50
ip address 192.168.60.1 255.255.255.0

global (Outside) 1 interface

nat (Inside) 0 access-list nonat

nat (Inside) 1 0.0.0.0 0.0.0.0

nat (DMZ2) 1 0.0.0.0 0.0.0.0

static (Inside,Outside) 76.47.10.x 192.168.17.88 netmask 255.255.255.255

I've tried the following commands, but they didn't help.

same-security-traffic permit intra-interface

static (inside, inside) 76.47.10.x 192.168.17.88 netmask 255.255.255.255

Any suggestions?

3 Replies 3

Jouni Forss
VIP Alumni

Hi,

I think you would need other interfaces in the NAT command.

If the Guest users are coming from the DMZ2 interface, then you would be doing NAT from "Inside" to "DMZ2":

static (inside, DMZ2) 76.47.10.x 192.168.17.88 netmask 255.255.255.255

And naturally allowing the traffic with ACL.

- Jouni
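A fuller version of the change Jouni describes, written here as an added example; it is not the poster's configuration and not Jouni's. It assumes the 8.2-style NAT syntax already used in the question, that the published service is TCP 443 (an assumption; substitute the real ports), and that the access-list name `DMZ2_in` is free to use. `76.47.10.x` is the thread's masked public address and has to be the real address on a device.

```cisco
! Added example, not the thread's configuration. Assumes 8.2-style NAT
! syntax as in the question; 76.47.10.x is the thread's masked public
! address (use the real one); tcp/443 is an assumed published service.
!
! 1. Present the inside server to the guest VLAN under its public address.
!    Interface order is (real,mapped): the real host is on Inside, and
!    76.47.10.x is the address hosts on DMZ2 see.
static (Inside,DMZ2) 76.47.10.x 192.168.17.88 netmask 255.255.255.255
!
! 2. DMZ2 (security-level 50) is lower than Inside (100), so guest traffic
!    toward the server needs an explicit permit. On 8.2 the inbound ACL is
!    matched against the mapped (public) address, hence 76.47.10.x here.
access-list DMZ2_in extended permit tcp 192.168.60.0 255.255.255.0 host 76.47.10.x eq 443
!
! 3. Keep guests off the rest of the inside network: only the published
!    service above is reachable from the wifi VLAN.
access-list DMZ2_in extended deny ip 192.168.60.0 255.255.255.0 192.168.17.0 255.255.255.0
!
! 4. Everything else (Internet-bound) is allowed out and PAT'd by the
!    existing "nat (DMZ2) 1" / "global (Outside) 1 interface" pair.
access-list DMZ2_in extended permit ip 192.168.60.0 255.255.255.0 any
!
access-group DMZ2_in in interface DMZ2
```

To confirm the translation exists and the path is open before letting guests on, `show xlate | include 192.168.17.88` should list the new static, and `packet-tracer input DMZ2 tcp 192.168.60.10 1025 76.47.10.x 443` (a constructed guest source) should end with the Inside interface as egress and an ALLOW result. One caveat: if `nat-control` is enabled on this ASA, the DMZ2-to-Inside flow additionally needs a translation of its own (for example a `nat (DMZ2) 0 access-list` exemption), because `global (Outside) 1` only serves the Outside interface.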

Edwin Summers
Level 3

David,

While I haven't had a chance to lab this up or confirm the 3750 images needed for route-maps, have you considered using a route map with the "set ip default next-hop" parameter for your guest wifi access?  The associated ACL could target the guest wifi network(s), and policy route as needed.  I believe you could add this to your vlan interface.

However, note something interesting that I learned while looking into your question.  In order for the route map to be applied to the vlan interface, apparently there is an SDM command that may be required.  Below are links for the route-map set ip default next-hop and the relevant SDM command.

Best,

Ed

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml#casethree

https://supportforums.cisco.com/thread/150322
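What the route-map approach Edwin outlines looks like on the 3750, added here as an example; it is not Edwin's or the poster's configuration. Assumptions: the guest VLAN is VLAN 60, the switch holds 192.168.60.254 on it and is the guests' default gateway, the ASA DMZ2 address 192.168.60.1 is the next hop, and the names `GUEST-WIFI`, `GUEST-IN` and `GUEST-TO-ASA` are chosen here. It uses `set ip next-hop` rather than the `set ip default next-hop` Edwin mentions: `next-hop` applies regardless of what is in the routing table, so every guest packet goes to the ASA and the guests cannot reach other VLANs through the switch's own routing table, which is the separation the question is after. `sdm prefer routing` is the SDM template the 3750 needs for PBR (it takes effect after a reload); which set clauses and which image a given 3750 supports should be checked against its configuration guide, as Edwin notes.

```cisco
! Added example, not from the thread. Assumed topology: VLAN 60 is the guest
! wifi VLAN, the 3750 SVI 192.168.60.254 is the guests' gateway, and the ASA
! DMZ2 interface 192.168.60.1 is the next hop on that same VLAN.
!
! PBR on the 3750 needs the routing SDM template; reload after changing it.
sdm prefer routing
!
! Match only guest sources.
ip access-list extended GUEST-WIFI
 permit ip 192.168.60.0 0.0.0.255 any
!
! "set ip next-hop" is applied whether or not the routing table knows the
! destination, so internal VLAN destinations are also sent to the ASA and
! its DMZ2 policy decides what guests may reach.
route-map GUEST-TO-ASA permit 10
 match ip address GUEST-WIFI
 set ip next-hop 192.168.60.1
!
! Belt and braces: even if the policy is ever removed, guests should not
! reach the internal 192.168.0.0/16 space (assumed to cover all inside
! VLANs) through the switch itself. Traffic to 192.168.60.1 is same-subnet
! and is switched, not routed, so this ACL does not affect it.
ip access-list extended GUEST-IN
 deny   ip 192.168.60.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.60.0 0.0.0.255 any
!
interface Vlan60
 description Wifi Guest Access
 ip address 192.168.60.254 255.255.255.0
 ip access-group GUEST-IN in
 ip policy route-map GUEST-TO-ASA
```

`show route-map GUEST-TO-ASA` shows whether the policy is matching packets, and `show sdm prefer` confirms the template actually in use after the reload. With this in place the ASA still sees the guests as 192.168.60.0/24 sources on DMZ2, so the NAT and ACL for the published server are unchanged from the single-port design.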

Hi,

Also if you want to separate the routing for the Guest users you could configure their Vlan interface into its own VRF which would separate Guest networks routing from the Global Routing Table.

I imagine there is some sort of software type requirement for this but can't say for sure.

I don't see a point in playing around with Policy Based Routing for this kind of setup. You can simply just take the Vlan to a single port on the ASA, as you seem to have done, and handle the routing there.

- Jouni
