I know just what you mean. I recently setup guest access on a 1252 ap in my network. I wanted to keep it private
so it wouldn't have access to my business network, and I also run 4 ssid's to 4 seperate vlans on my ap.
What I did was pretty similar to your ap config and I also had a 2950 as the next hop from the ap. You already setup the trunking whcih I hadn't done from the start, but was required to get the ap to send the various vlan traffic to the next hop. From there I had 2 more switch plants to go throguh and had to have the vlans at least identified on each switch in the path. These weren't vlan sub interfaces just the vlan declarations. The other two switch plants were also trunked together and already passing other vlan traffic.
What I ended up doing was having my firewall by the default gateway for the guest access, which is unique to only this vlan. I also had the firewall be the dhcp server for the guest access. Since I had no vlan interfaces defined on any of my switches there was no routed access to my internal network and I blocked routed access on my firewall with a security-level statement that was a lower number than my business traffic.
Then all I had to do was to add the NAT statement in my firewall to NAT this traffic out an ISP accepted IP address and it worked perfectly.
The only true downside to this for me is that my guest access has zero access to me internal network, and without some additional configuration in the firewall, it never will. This is what I wanted at the time, but I now can see it would be good to allow internal access for some applications to be truely flexible. But since it is open guest access I still would rather not risk it.
As an off-topic I just want to make sure I understand but your voice vlan is actually up on your ISP's vlan? Does that mean the ISp is your voice server? We also have a voice vlan internally, and the only outside access to the internet we allow is for the voice server to pickup updates from Cisco. My phone devices don't have any access to the Internet.
At any rate if you can get your ISP to handled the vlan 20 I think you will be golden on this issue, because it would be them who would determine the default route to the Internet I think at this point, so you may not even need to do the NAT on your end, I would guess your ISP would do the NAT for you along with your regular outgoing traffic.
So you might be done on your end at this point. I think a more normal way to do this that would keep your ISP out of the loop is to have your gateway be on your internal router of swtich that way all of this and any other changes you wanted to do internally to your network would only invovle you and not your ISP. That would also keep your ISP from knowing your intenal network structure. You could do this and still let them handle the firewall duties I think.
Cheers
Kevin Pulford
.
