03-01-2013 06:42 AM - edited 03-11-2019 06:08 PM
My internal network consists of Catalyst 3750 switches segmented into different VLANs. There is a default route on the layer 3 Catalyst switch sending all unknown traffic to the inside interface of the ASA 5510. However, I'd like to have a separate VLAN for wifi guest access and send all of that traffic through one of the DMZ interfaces on the ASA 5510. I don't think you can have separate default routes based on VLANs on the 3750 switches, so my only option is to make the IP address of the DMZ port the default gateway for all hosts on the wifi guest VLAN.
The problem I have is that I have a couple servers behind the inside interface that have services available to the public Internet via a NAT address on the outside interface. I want the guests on the wifi VLAN to have the ability to access the servers on the inside interface using the public address as well, but have not been able to come up with a solution yet.
Here is my config that pertains to this setup:
interface Ethernet0/0
description Outside Interface
nameif Outside
security-level 0
ip address 76.47.10.x 255.255.255.224
rip send version 1
rip receive version 1
!
interface Ethernet0/1
description Inside Interface
nameif Inside
security-level 100
ip address 192.168.17.1 255.255.255.0
rip send version 1
rip receive version 1
!
interface Ethernet0/3
description Wifi Guest Access
nameif DMZ2
security-level 50
ip address 192.168.60.1 255.255.255.0
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) 76.47.10.x 192.168.17.88 netmask 255.255.255.255
I've tried the following commands below, but they didn't help.
same-security-traffic permit intra-interface
static (inside, inside) 76.47.10.x 192.168.17.88 netmask 255.255.255.255
Any suggestions?
03-01-2013 06:47 AM
Hi,
I think you would need other interfaces in the NAT command.
If the Guest users are coming from the DMZ2 interface then you would be doing NAT from "Inside" to "DMZ2"
static (inside, DMZ2) 76.47.10.x 192.168.17.88 netmask 255.255.255.255
And naturally allowing the traffic with ACL.
- Jouni
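As an added illustration (not part of the thread), here is how that suggestion fits the question's own pre-8.3 NAT syntax and addresses. The ACL name DMZ2_in and the choice of TCP port 80 are assumptions, since the question does not say which services the servers publish.

```text
! Present the Inside server to the DMZ2 (guest) side under its public address.
! Only the destination is translated; the guest source 192.168.60.x is unchanged,
! and the static is bidirectional, so the server's replies are untranslated back.
! The existing static (Inside,Outside) stays in place for Internet users.
static (Inside,DMZ2) 76.47.10.x 192.168.17.88 netmask 255.255.255.255
!
! DMZ2 (security 50) to Inside (100) is denied by default, so an ACL is needed.
! In 8.2 and earlier the ingress ACL matches the address as it appears on that
! interface, i.e. the mapped public address, not 192.168.17.88.
! Port 80 is an assumed example; permit only the services actually published.
access-list DMZ2_in extended permit tcp 192.168.60.0 255.255.255.0 host 76.47.10.x eq www
!
! Keep the rest of the Inside network off limits to guests, then allow Internet.
access-list DMZ2_in extended deny ip any 192.168.17.0 255.255.255.0
access-list DMZ2_in extended permit ip 192.168.60.0 255.255.255.0 any
access-group DMZ2_in in interface DMZ2
!
! Not needed here: "same-security-traffic permit intra-interface" only matters
! when traffic enters and leaves the same interface (hairpinning). Guests and
! servers sit on different interfaces, and "nat (DMZ2) 1" with
! "global (Outside) 1 interface" already covers guest-to-Internet traffic.
```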
03-01-2013 07:07 AM
David,
While I haven't had a chance to lab this up or confirm 3750 images needed for route-maps, have you considered using a route map with the "set ip default next-hop" parameter for your guest wifi access? The associated ACL could target the guest wifi network(s), and policy route as needed. I believe you could add this to your VLAN interface.
However, note something interesting that I learned while looking into your question. In order for the route map to be applied to the vlan interface, apparently there is an SDM command that may be required. Below are links for the route-map set ip default next-hop and the relevant SDM command.
Best,
Ed
03-01-2013 07:14 AM
Hi,
Also, if you want to separate the routing for the Guest users, you could configure their VLAN interface into its own VRF, which would separate the Guest network's routing from the Global Routing Table.
I imagine there is some sort of software type requirement for this but can't say for sure.
I don't see a point in playing around with Policy Based Routing for this kind of setup. You can simply take the VLAN to a single port on the ASA, as you seem to have done, and handle the routing there.
- Jouni