10-14-2014 12:22 AM - edited 03-11-2019 09:55 PM
Hi All,
I have configured ASA 5520 for 3 Networks & one ISP.
1> Official proxy 172.16.1.0/24
2> Guest ( SSID) on controller network Office Area 10.156.250.0/24
3> GueSt (SSID) on controller network Accommodation Area 10.156.249.0/24
From the accommodation area gueSt (10.156.249.0), configured on the switch through a route map and hitting the internal1 interface on the firewall, I am able to access and browse the internet, but not from the guest office area, although I am able to ping all external IPs for google/yahoo but not domain names, so I am unable to browse.
Please help to resolve. Config is below.
interface GigabitEthernet0/0
 description Connected to Office LAN network
 nameif internal0
 security-level 100
 ip address 172.16.1.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Connected to GUEST network
 nameif internal1
 security-level 1
 ip address 10.156.250.1 255.255.255.0
!
interface GigabitEthernet0/3
 description ISP facing interface
 nameif external0
 security-level 0
 ip address 10.10.155.2 255.255.255.248
!
route external0 0.0.0.0 0.0.0.0 10.10.155.1 1
route internal1 10.156.249.0 255.255.255.0 10.156.250.5 1
object network obj_to_off
 subnet 172.16.1.0 255.255.255.252
object network obj_to_off
 nat (internal0,external0) dynamic interface
object network obj-2-gueSt
 subnet 10.156.249.0 255.255.255.0
object network obj-2-gueSt
 nat (internal1,external0) dynamic interface
object network obj-2-guest
 subnet 10.156.250.0 255.255.255.0
object network obj-2-guest
 nat (internal1,external0) dynamic interface
10-14-2014 12:54 AM
Hi,
So the users connected to the subnet that is directly connected to the "internal1" interface cannot do DNS lookups for some reason, but their external connectivity is otherwise fine?
Have you confirmed that their network settings are correct so that the traffic is forwarded to the ASA? Are the DNS servers configured correctly? Where are the DNS servers located? Have you monitored logs through ASDM while attempting connections from the problematic Guest Office network?
- Jouni
10-14-2014 04:48 AM
Yes, guest users x.x.25.0 are directly connected to internal1, and gueSt x.x.249.0 users are connected through internal1 from the core switch through a route map.
Core SW config:
access-list 49 permit 10.156.249.0 0.0.0.255
route-map 49 permit 20
 match ip address 49
 set ip next-hop 10.156.250.1
And it was working fine for the last two years. Yesterday it suddenly happened that x.x.249.0 users are able to access the internet but x.x.250.0 users are not.
I am connecting my laptop to guest and am able to ping all external site IPs like 4.2.2.2 as well, but am not able to open any page, and whenever I connect to the GueSt SSID, browsing works well.
Reg
Sanjeev