guest access vlan

Hi,

I'm trying to implement a guest VLAN.

Users in this VLAN would only have access to the internet.

I have created the ACL; the users use an external DNS.

Everything is working fine except for one thing.

We have servers in our LAN which are published on the internet; they have a static rule in the PIX.

Machines in the guest VLAN are unable to access those servers.

I found this article which seems to be the same problem, but with a SonicWall firewall:

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8612&formaction=faqalert

However, I have not found something similar for the Cisco PIX; we use version 8.0.3.

thank you

7 Replies

varrao (Level 10)

Hi Sylvain,

Let's say you have a NAT for your server in the internal LAN as:

static (inside,outside) 1.1.1.1 10.1.1.1

where 1.1.1.1 ---> public IP

10.1.1.1 ------> private IP

For the guest LAN you would need:

static (inside,guest_lan) 1.1.1.1 10.1.1.1

and an access-list on the guest LAN interface as:

access-list guest_to_inside extended permit tcp any host 1.1.1.1

access-group guest_to_inside in interface guest_lan

and it would work after this.

Hope this helps

Varun

Thanks,
Varun Rao

For example:

My internal network is 10.0.0.0/8. My guest VLAN is in this range; however, its default gateway is a layer 3 switch which has an ACL that denies it from accessing 10.0.0.0/8, and it uses an external DNS.

So let's say I have a web server in my internal network:

10.1.1.100

Its public IP is 9.9.9.9:

static (inside,outside) 9.9.9.9 10.1.1.100

My guest VLAN is 10.99.99.0/24.

It uses an external DNS, so when it tries to access the web server it asks for 9.9.9.9 and is unable to connect.

nat (inside) 5 10.99.99.0 255.255.255.0

and this line on the inside ACL:

permit ip 10.99.99.0 255.255.255.0 any

Note that for my PIX the inside interface is the whole 10.0.0.0/8 network.

thank you

Hi Sylvain,

If the guest VLAN is behind the same interface as the server, then you would need to do U-turning on the ASA, something like this:

static (inside,inside) 9.9.9.9 10.1.1.100 norand nailed

same-security-traffic permit intra-interface

nat (inside) 5 10.99.99.0 255.255.255.0

global (inside) 5 interface

sysopt noproxyarp inside

route inside 10.1.1.100 255.255.255.255

and it should work after that.

Let me know if you face any issues.

Varun

Thanks,
Varun Rao

Thank you for the quick reply

If I understand right, if I have multiple web servers in my internal network and they are NATed to public IPs, I would have to add this for my guest VLAN to see them.

For example:

All servers are in 10.1.1.0/24.

Server A: 10.1.1.100    public: 9.9.9.9

Server B: 10.1.1.101    public: 9.9.9.10

Server C: 10.1.1.102    public: 9.9.9.11

static (inside,inside) 9.9.9.9 10.1.1.100 norand nailed

static (inside,inside) 9.9.9.10 10.1.1.101 norand nailed

static (inside,inside) 9.9.9.11 10.1.1.102 norand nailed

Or would this command work:

static (inside,inside) 9.9.9.0 10.1.1.0 norand nailed

or do I have to put a static for each of my web servers I want my guest VLAN to have access to?

thank you

Hi Sylvain,

Yes, that's right, if your internal LAN and the guest VLAN are both behind the inside interface of the ASA.

And you can only use:

static (inside,inside) 9.9.9.0 10.1.1.0 norand nailed

if 9.9.9.1 is mapped to 10.1.1.1,

9.9.9.2 --> 10.1.1.2

9.9.9.3 ---> 10.1.1.3

...

9.9.9.255 -----> 10.1.1.255

Only then can you use it; otherwise you need to add those static statements for each server.

Hope that helps

Thanks,

Varun

Thanks,
Varun Rao
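The rule in the accepted answer is that a single subnet-wide `static (inside,inside)` only works when every public address sits at the same host offset as its private address inside matching blocks; otherwise one static per server is needed. The following is an added example (not code from the thread or from Cisco) that applies that check to a list of public/private pairs and emits either the one subnet static or the per-host statics. The mappings used are the ones from the thread plus a constructed aligned set; `netmask` is added on the subnet form, and the post's `norand` abbreviation is written out as `norandomseq`.

```python
"""Decide whether a list of public -> private server mappings can be covered
by one subnet-wide static (inside,inside) or needs one static per host.

Added example; the mapping data below is constructed for illustration.
"""
import ipaddress
from typing import List, Optional, Tuple

Pair = Tuple[str, str]  # (public/mapped IP, private/real IP)


def subnet_static_possible(pairs: List[Pair], prefixlen: int = 24
                           ) -> Optional[Tuple[ipaddress.IPv4Network,
                                               ipaddress.IPv4Network]]:
    """Return (mapped_net, real_net) if one network static covers all pairs.

    A network static translates host-by-host: mapped_net + k <-> real_net + k.
    So it covers the pairs only if every pair has the same host offset within
    its /prefixlen block, and all pairs live in the same two blocks.
    """
    blocks = set()
    for pub, priv in pairs:
        pub_ip = ipaddress.IPv4Address(pub)
        priv_ip = ipaddress.IPv4Address(priv)
        pub_net = ipaddress.IPv4Network(f"{pub}/{prefixlen}", strict=False)
        priv_net = ipaddress.IPv4Network(f"{priv}/{prefixlen}", strict=False)
        pub_offset = int(pub_ip) - int(pub_net.network_address)
        priv_offset = int(priv_ip) - int(priv_net.network_address)
        if pub_offset != priv_offset:
            return None  # e.g. 9.9.9.9 -> 10.1.1.100: offsets 9 vs 100
        blocks.add((pub_net, priv_net))
    if len(blocks) != 1:
        return None  # no pairs, or pairs spread over different blocks
    return blocks.pop()


def hairpin_statics(pairs: List[Pair], ifc: str = "inside",
                    prefixlen: int = 24) -> List[str]:
    """Emit the static lines needed for same-interface (U-turn) translation."""
    covered = subnet_static_possible(pairs, prefixlen)
    if covered is not None:
        pub_net, priv_net = covered
        return [f"static ({ifc},{ifc}) {pub_net.network_address} "
                f"{priv_net.network_address} netmask {pub_net.netmask} "
                f"norandomseq nailed"]
    return [f"static ({ifc},{ifc}) {pub} {priv} norandomseq nailed"
            for pub, priv in pairs]


# Constructed sample data: the three servers from the thread, whose host
# offsets (.9/.100, .10/.101, .11/.102) do not line up, so per-host statics
# are needed; and an aligned set that a single /24 static can cover.
THREAD_SERVERS = [("9.9.9.9", "10.1.1.100"),
                  ("9.9.9.10", "10.1.1.101"),
                  ("9.9.9.11", "10.1.1.102")]
ALIGNED_SERVERS = [("9.9.9.1", "10.1.1.1"), ("9.9.9.2", "10.1.1.2")]

if __name__ == "__main__":
    for label, pairs in (("thread", THREAD_SERVERS), ("aligned", ALIGNED_SERVERS)):
        print(f"# {label}")
        for line in hairpin_statics(pairs):
            print(line)
```

The check only answers the "one static or many" question from the accepted answer; the rest of the U-turn setup from the earlier reply (`same-security-traffic permit intra-interface`, the `nat`/`global` pair and `sysopt noproxyarp inside`) is still required alongside whichever static lines it emits.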

OK, thank you, that answers my question. I will see how I can do it; since my setup would not allow me to do it with one line, I will have to put a static for each one of my servers.

thank you

Hi Sylvain,

Sure, let me know if you run into any issues.

Thanks,

Varun

Thanks,
Varun Rao