cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1690
Views
0
Helpful
7
Replies

ASA 5510 Guest Internet Access

Scott Pickles
Level 4
Level 4

I have a subnet for guest network access, both wired and wireless.  We have a Netgear ProSafe that is trunked to a Cisco 2901 performing 'Router-on-a-Stick'.  For most internal traffic, it all stays behind the ASA.  But for guest traffic, I have a route-map that sets the next-hop address as the outside interface of the ASA.  The question is, how can I still permit those users to access our internal DNS servers?  Do I need any particular NAT translations, exemptions, DNS doctoring, hairpinning, etc.?  I have an ACL on the inside interface that permits traffic from the guest networks to our internal DNS servers, and then the next ACL line denies any other traffic from the guest networks to any of our internal networks.

Regards,
Scott

7 Replies 7

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Scott,

Not sure if I get it!

Can you elaborate a draw of your network so we can understand this, then you can let us know from where to where do you need the communication to work so we can provide you the next step on this troubleshooting.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

@jcarvaja - Sure thing!  I'll get something uploaded soon ...

Attached is the network diagram.  What I want to do is have guest users attach to the wireless internally, use the route-map to force them to the Outside interface on the ASA, and use the ACL 'Inside_access_in' on the ASA to block those users from contacting any internal host with the explicit exception of our two DNS servers and restrict that level of access to tcp-udp/domain since those are domain controllers and have other services as well.  I am currently getting portmap translation errors.  I suspect this is going to be tricky since I have to NAT the users to the outside interface, but then still allow the DNS queries back in.  Perhaps I should make the next hop the Inside interface?ASA Guest Access.png

Hello Scott,

That is correct, you cannot access a distant interface, in this case the host are behind the inside interface, they will be able to access outside users but they will not be able to access the outside interface so packets will not flow directly to that interface.

Please change it to the inside interface, and then lets work from there!!

Rate helpful posts

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio -

I've got the route-map set to the Inside interface.  Now I have to deal with exempting from translation ONLY the requests to the DNS server (Inside to Inside) and then still follow the normal PAT for all other requests.  I know it's a NAT issue right now, and if I do no config modifications I get a 'portmap translation' error.  If I add a NAT Exempt for the (Inside to Inside) the 'portmap translation' error goes away, but the NAT still isn't working correctly because packet-tracer shows it being dropped.  I wish there was a book that talks about the architecture of the ASA and the way that it processes traffic and how interfaces are related to one another.  All the books I have seen are glorified config manuals, and if your config doesn't match exactly then it isn't necessarily helpful.

Regards,
Scott

It seems like what I would want is a Policy Exempt rule, but it doesn't appear to be an option.  I want to tell the firewall that traffic originating from 192.168.14.0 /24 with a destination of our internal DNS servers (and possibly even specify the destination port) that the address should be exempted from NAT.  Then, all remaining traffic outbound for the internet (once the DNS lookup is successful) should follow the default PAT to the outside interface.  If this can be done with a couple of different NAT rules/policies/ACLs I'm all for it.  But at this point it might seem to be a whole lot easier to just give guest users an outside DNS server and then I can just use the current default PAT rule.

Hello Scott,

Your ASA will need to have a route for both networks

You also will need the following command:

          -same-security-traffic permit intra-interface

The thing is that the packets from the guest vlan will go directly to the ASA as its default gateway, then packets will be routed to the Router on stick and finally to the DNS server, the reply will go from the DNS to the Router on stick and then directly to the Guest user.

Nat exemption will look like this:

access-list nonat permit ip 192.168.14.0 255.255.255.0  host 192.168.11.6

access-list nonat permit ip 192.168.14.0 255.255.255.0  host 192.168.11.4

nat (inside) 0 access-list nonat

Please give it a try, also please provide packet tracer

packet-tracer input inside udp 192.168.14.10 1025 192.168.11.4 53

Regards,

Julio

Rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card