Showing results for 
Search instead for 
Did you mean: 


Guest network access to internal webserver

Just seeing if someone can help me out with making sure I have the syntax correct and thought process down right on a solution to allowing guest wireless users access to an internal webserver.  (DMZ discussion aside)

We have an ASA5510 with interfaces setup as:

outside - 65.x.x.x address

inside -

guest_inet -

Internally clients resolve our website to and that part works as it should.  Clients outside of our network resolve our website to the correct external address (lets just call it We have a NAT statement

static (inside, outside) netmask and an ACL to

permit tcp any host eq www

Clients on our guest_int use an external DNS server and hence resolve our website to  However it seems traffic goes out and back in our outside interface and this connection never occurs.

What I'm wondering is the correct NAT statement / ACL to add that would allow our internal clients on the 10.2.1.x network to access our internal website.  Would that be:

static (inside,guest_inet) netmask ?  Since there is already an ACL permitting port 80 traffic to we should be taken care of on the ACL side of things, right?

This is one of the newer experiences for me, so I'd appreciate any help you can share.  Thank you!

Jouni Forss


Usually (atleast for me) this is handled by modifying the Static NAT command for the actual Web Server

Now it is:

static (inside, outside) netmask

It could be

static (inside, outside) netmask dns

The parameter "dns" should make it so that as long as your Guest network users do their DNS querys to a public DNS server, they should be able to access the Web server with the URL. With the help of the "dns" parameter the ASA will modify the DNS replys coming from the public DNS server before they get to the Guest client. This will point them to the private IP address of the server even though they normally connect using the DNS name/URL like any other user from public network.

Do notice that if you change the Static NAT command to include the "dns" parameter, ASA will teardown any existing connections to that server from the Internet. Though since you are configuring it again, it shouldnt really be a problem. EDIT: Just to make it clear. The ASA will teardown connections because you have to remove to the existing Static NAT to configure it again with the "dns" parameter.

Also you will have to make sure that the Guest network has an ACL rule to reach the server with its actual IP address.

- Jouni

Thanks for the command.

Now, since our guest_inet interface has a security-level of 10 vs the internal interface security-level of 100 (and the default action is to only permit access to less secure networks) would an access need to be put in place to allow port 80 traffic to the webserver?


If the "guest_inet" doesnt have any kind of ACL attached to the interface and it has a lower security-level than the destination then you need to configure an ACL to the "guest_inet" interface.

Notice that as soon as you have attached an ACL to that interface, you will have to take into account all other traffic you want to allow through that interface (Security-level wont control the traffic anymore since theres an ACL in place). If you only allow TCP/80 the local Web server and dont allow anything else in the "guest_inet" ACL, all other traffic would get denied.

- Jouni