05-18-2023 08:29 AM
Hi,
I have the following issue: Guest Vlan 40 is getting an IP from DHCP and all is working fine, except internet.
Vlan 40 should only access the internet.
any help would be really appreciated
attached my config
thanks
05-18-2023 08:39 AM
Hi,
What type of device is this? Most small Cisco switches do not support NAT. If this is the case, you need a router or a firewall to perform NAT function.
HTH
05-18-2023 08:56 AM
C1111X Router
05-18-2023 08:44 AM
Hi @m.yildiz ,
The Vlan 40 subnet is specifically denied in the access-list used for NAT.
ip access-list extended 100
10 permit ip 192.168.178.0 0.0.0.255 any
20 permit ip 10.10.10.0 0.0.0.255 any
30 permit ip 20.20.20.0 0.0.0.255 any
40 permit ip 30.30.30.0 0.0.0.255 any
50 deny ip 40.40.40.0 0.0.0.255 any
60 permit ip 50.50.50.0 0.0.0.255 any
70 permit ip 60.60.60.0 0.0.0.255 any
!
Regards,
05-18-2023 08:57 AM
How do I correctly do the access list?
05-18-2023 09:29 AM - edited 05-18-2023 09:36 AM
Hi @m.yildiz ,
To fix the issue you need to permit the Vlan40 subnet, like the other subnets in the access list. You can do the following:
config t
no ip access-list extended 100
ip access-list extended 100
10 permit ip 192.168.178.0 0.0.0.255 any
20 permit ip 10.10.10.0 0.0.0.255 any
30 permit ip 20.20.20.0 0.0.0.255 any
40 permit ip 30.30.30.0 0.0.0.255 any
50 permit ip 40.40.40.0 0.0.0.255 any
60 permit ip 50.50.50.0 0.0.0.255 any
70 permit ip 60.60.60.0 0.0.0.255 any
!
Regards,
05-18-2023 09:38 AM
That means vlan40 can reach the other vlans, which should not be the case.
vlan40 is the guest vlan, only internet access.
05-18-2023 09:50 AM
Hi @m.yildiz ,
access-list 100 is strictly used for NAT purposes. There is no access-list to control traffic between the vlans. So if the intent was to prevent the vlan40 subnet from communicating with the other vlans, then it was the wrong way.
Regards,
05-18-2023 09:53 AM
Hi,
Any suggestions?
How to solve?
Thanks
05-18-2023 10:07 AM
Hi @m.yildiz ,
You could add an inbound access-list on interface vlan40 to prevent it from accessing the other local vlans and allow everything else. It would look something like this:
interface vlan40
ip access-group 101 in
!
ip access-list extended 101
10 deny ip any 192.168.178.0 0.0.0.255
20 deny ip any 10.10.10.0 0.0.0.255
30 deny ip any 20.20.20.0 0.0.0.255
40 deny ip any 30.30.30.0 0.0.0.255
50 deny ip any 50.50.50.0 0.0.0.255
60 deny ip any 60.60.60.0 0.0.0.255
70 permit ip 40.40.40.0 0.0.0.255 any
!
Regards,
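Added example, not code from the thread or from Cisco: a small Python model of how IOS evaluates a standard/extended ACL (first match wins, implicit deny at the end, wildcard-mask semantics) run against the three access lists posted above. It only matches on source and destination IP, which is all these lists use, and the client and internet addresses (40.40.40.25, 203.0.113.10, 10.10.10.53) are constructed samples. It shows why the original ACL 100 leaves the guest subnet untranslated, why the corrected ACL 100 fixes that, and what the inbound ACL 101 on interface vlan40 permits and denies, including one caveat a practitioner would check: a DNS server on another local vlan is also blocked by the deny entries.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry: sequence number, action, source spec, destination spec."""
    seq: int
    action: str  # "permit" or "deny"
    src: str     # "network wildcard" or "any"
    dst: str


def _take_spec(tokens):
    """Consume either 'any' or '<network> <wildcard>' from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text):
    """Parse IOS-style lines such as '10 permit ip 192.168.178.0 0.0.0.255 any'."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        seq, action = int(parts[0]), parts[1]
        rest = parts[3:]  # parts[2] is the protocol ("ip"), ignored here
        src, rest = _take_spec(rest)
        dst, rest = _take_spec(rest)
        entries.append(Ace(seq, action, src, dst))
    return entries


def _matches(spec, ip):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(ip)) & care)


def evaluate(acl, src_ip, dst_ip):
    """First matching entry decides; no match hits the implicit deny at the end of every IOS ACL."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
            return ace.action, ace.seq
    return "deny", None


# The three lists exactly as posted in the thread.
ACL_100_ORIGINAL = parse_acl("""
10 permit ip 192.168.178.0 0.0.0.255 any
20 permit ip 10.10.10.0 0.0.0.255 any
30 permit ip 20.20.20.0 0.0.0.255 any
40 permit ip 30.30.30.0 0.0.0.255 any
50 deny ip 40.40.40.0 0.0.0.255 any
60 permit ip 50.50.50.0 0.0.0.255 any
70 permit ip 60.60.60.0 0.0.0.255 any
""")

ACL_100_FIXED = parse_acl("""
10 permit ip 192.168.178.0 0.0.0.255 any
20 permit ip 10.10.10.0 0.0.0.255 any
30 permit ip 20.20.20.0 0.0.0.255 any
40 permit ip 30.30.30.0 0.0.0.255 any
50 permit ip 40.40.40.0 0.0.0.255 any
60 permit ip 50.50.50.0 0.0.0.255 any
70 permit ip 60.60.60.0 0.0.0.255 any
""")

ACL_101_VLAN40_IN = parse_acl("""
10 deny ip any 192.168.178.0 0.0.0.255
20 deny ip any 10.10.10.0 0.0.0.255
30 deny ip any 20.20.20.0 0.0.0.255
40 deny ip any 30.30.30.0 0.0.0.255
50 deny ip any 50.50.50.0 0.0.0.255
60 deny ip any 60.60.60.0 0.0.0.255
70 permit ip 40.40.40.0 0.0.0.255 any
""")

GUEST_CLIENT = "40.40.40.25"   # constructed guest host on vlan40
INTERNET_HOST = "203.0.113.10"  # constructed public address
INTERNAL_DNS = "10.10.10.53"    # constructed DNS server on another local vlan


def nat_eligible(acl, src_ip, dst_ip):
    """NAT only translates flows that the NAT ACL permits."""
    return evaluate(acl, src_ip, dst_ip)[0] == "permit"


if __name__ == "__main__":
    print("original ACL 100, guest -> internet:", evaluate(ACL_100_ORIGINAL, GUEST_CLIENT, INTERNET_HOST))
    print("fixed ACL 100, guest -> internet:   ", evaluate(ACL_100_FIXED, GUEST_CLIENT, INTERNET_HOST))
    print("ACL 101, guest -> internet:         ", evaluate(ACL_101_VLAN40_IN, GUEST_CLIENT, INTERNET_HOST))
    print("ACL 101, guest -> other vlan:       ", evaluate(ACL_101_VLAN40_IN, GUEST_CLIENT, "192.168.178.10"))
    # A DNS server on another vlan is caught by the same deny entries; hand guests a public
    # resolver via DHCP or add an earlier permit for just that host and port.
    print("ACL 101, guest -> internal DNS:     ", evaluate(ACL_101_VLAN40_IN, GUEST_CLIENT, INTERNAL_DNS))
```

Sequence 50 of the original ACL 100 is the only entry that matches a guest source, so the router never translates guest traffic and it leaves with a private source address; in ACL 101 the deny lines fire before the final permit, and anything on vlan40 not sourced from 40.40.40.0/24 falls through to the implicit deny.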