Route Traffic from Guest Network To Second Outbound Interface On ASA Using (Route Map)

Quintin.Mayo
Level 3

We had some routing issues, and during our troubleshooting we found that our wireless guest network is routing over our primary outbound interface. We have a backup outbound interface configured on the ASA, so there are two outbound interfaces. We would like to change the routing for the wireless guest network to go out our second outbound interface on the ASA. I believe using a route map should accomplish this? I am new to using route maps and would like some direction on the configuration. I have written what I think would do the routing to the second outbound interface below. Any assistance would be greatly appreciated.

 

Configuration template

(config)# route-map guest_network permit 10
(config-route-map)# match ip address guest_network
(config-route-map)# set interface Outside-2
(config-route-map)# set ip next-hop x.x.x.x

access-list guest_network extended permit ip x.x.x.0 255.255.255.0 any
access-list guest_network extended permit ip any any

11 Replies

Richard Burts
Hall of Fame

There are a few things about this to consider:

1) do you have a version of code on the ASA that supports route map?

2) in the route map you do not need to set both the interface and the next hop. I would suggest using only set next hop.

3) if your ACL includes permit ip any any then all traffic will match and all traffic will be sent out this interface and your primary interface will have no outbound traffic.

4) when this is implemented, all traffic from guest will go through the secondary interface. Is there any circumstance where traffic from the guest network might need to go into your network? If so, then there needs to be logic in your ACL to exempt that traffic.

 

HTH

Rick

Hi Richard,

Thanks for the advice. I have modified the configuration for review; also, a question on the ip next-hop: will this be the IP address of the provider? Thanks for your assistance.

Configuration template

(config)# route-map guest_network permit 10
(config-route-map)# match ip address guest_network
(config-route-map)# set ip next-hop x.x.x.x

access-list guest_network extended permit ip x.x.x.0 255.255.255.0 any

The route map looks better. Yes, the IP for next-hop is the address of the ISP.

 

HTH

Rick

Hi,

I configured the route map without any success; it actually stopped the guest network from routing, and I had to back out the changes. I have appended everything in the running config for the guest network; hopefully you can identify why the routing didn't forward the guest network traffic out the secondary interface (OUTSIDE-2). I did find the guest network utilizing dynamic NAT; I changed the statement to the OUTSIDE-2 interface, still no success. Any suggestions will help greatly.

 

Configuration on FW for guest network

object network Company-Guest
 subnet 10.253.30.0 255.255.255.0

access-list ACL-OUTSIDE-IN extended permit ip any 10.x.x.0 255.255.255.0

access-list ACL-GUEST-IN extended deny ip any 10.x.x.0 255.255.255.0

interface GigabitEthernet0/5.30
 vlan 30
 nameif Company-Guest
 security-level 10
 ip address 10.x.x.1 255.255.255.0

mtu Company-Guest 1500

object network Company-Guest
 nat (Company-Guest,OUTSIDE-1) dynamic interface

dhcpd address 10.x.x.2-10.x.x.254 Company-Guest
dhcpd dns 8.8.8.8 interface Company-Guest
dhcpd enable Company-Guest

object network obj_any
 nat (INSIDE,OUTSIDE-1) dynamic interface

interface GigabitEthernet0/1
 description OUTSIDE COMCAST ISP INTERNET
 speed 1000
 duplex full
 nameif OUTSIDE-2
 security-level 0
 ip address 50.x.x.29 255.255.255.240 standby 50.x.x.28

route OUTSIDE-2 0.0.0.0 0.0.0.0 50.x.x.30 254

mtu OUTSIDE-2 1500
icmp permit any echo OUTSIDE-2
icmp permit any echo-reply OUTSIDE-2

 

Configuration changes that didn't work to route the traffic out the OUTSIDE-2 interface

(config)# route-map Company_Guest permit 10
(config-route-map)# match ip address Company_Guest
(config-route-map)# set ip next-hop 50.x.x.30
(config)# interface GigabitEthernet0/5.30   (dedicated guest interface)
(config-if)# policy-route route-map Company_Guest

access-list Company_Guest extended permit ip 10.x.x.0 255.255.255.0 any

object network Company_Guest
 nat (Company_Guest,OUTSIDE-2) dynamic interface

 

 

 

The first thing I will say is that I understand the desire to mask sensitive information. So I understand using 50.x.x.29. But why mask 10.x.x.0? What is sensitive about that? And it does make it difficult to discern whether these parts of the config are correct.

 

You show this access list

access-list ACL-GUEST-IN extended deny ip any 10.x.x.0 255.255.255.0

I cannot tell what it is doing. And you do not show where it is applied. Can you clarify this?

 

I can understand why you are doing NAT for guest this way in normal operation. Can you clarify that this was removed when you attempted the route map for PBR?

object network Company-Guest
nat (Company-Guest,OUTSIDE-1) dynamic interface

 

I question whether this route statement is needed

route OUTSIDE-2 0.0.0.0 0.0.0.0 50.x.x.30 254

 

You did not use the correct object name in the nat to use with PBR (note the difference between hyphen and underscore)

object network Company_Guest
 nat (Company_Guest,OUTSIDE-2) dynamic interface

 

HTH

Rick

Hi Richard
Thanks for your assistance and time on this!

object network Company-Guest
nat (Company-Guest, OUTSIDE-1)
Note: Replaced OUTSIDE-1 with OUTSIDE-2 (was not removed).

access-list ACL-GUEST-IN extended deny ip any 10.x.x.0 255.255.255.0
Note: Isn't applied to any interface (old config on device)

All access-groups below and interface association on device.
access-group ACL-OUTSIDE-IN in interface OUTSIDE-1
access-group ACL-OUTSIDE-IN in interface OUTSIDE-2
access-group ACL-INSIDE-IN in interface INSIDE

Here's my configuration after reviewing your notes
(config)# route-map NACO-Guest permit 10
(config-route-map)# match ip address NACO_Guest
(config-route-map)# set ip next-hop 50.242.179.30
(config)# interface GigabitEthernet0/5.30   (dedicated guest interface)
(config-if)# policy-route route-map NACO-Guest   (Does this statement go under the dedicated guest interface or the outbound interface?)

access-list ACL-OUTSIDE-IN extended permit ip any 10.253.30.0 255.255.255.0
access-group ACL-OUTSIDE-IN in interface OUTSIDE-2

object network NACO-Guest
 nat (NACO-Guest,OUTSIDE-2) dynamic interface

Thanks for the update. You say that the "nat (Company-Guest, OUTSIDE-1)" was replaced and then say that it was not removed. I am not sure how to interpret that. I would suggest that as you attempt to implement the route map, this NAT not be in the config.

 

Good to know that the ACL ACL-GUEST-IN is not used anywhere.

 

Yes the policy route command goes on the interface where the traffic is received and does not go on the outbound interface. (it seems intuitive that the policy route might go on the interface where traffic will go, but that is not how it works. I find this to be one of the most frequent issues when implementing PBR)

 

Your route map uses NACO_Guest in the match statement but you have not shown us that ACL.

 

From what I see it now looks pretty good. Have you tested it yet?

 

HTH

Rick

Final draft of configuration, and thank you very much for your time!

PBR For Guest Network
(config)# route-map NACO-Guest permit 10
(config-route-map)# match ip address NACO-Guest-ACL
(config-route-map)# set ip next-hop 50.x.x.x

Apply PBR To Guest Interface
(config)# interface GigabitEthernet0/5.30   (dedicated guest interface)
(config-if)# policy-route route-map NACO-Guest

Access-list For PBR
access-list NACO-Guest-ACL extended permit ip 10.x.x.0 255.255.255.0 any
access-group NACO-Guest-ACL out interface OUTSIDE-2

NAT For Guest Network
object network NACO-Guest
 subnet 10.x.x.0 255.255.255.0
 nat (NACO-Guest,OUTSIDE-2) dynamic interface

Test at this point

-----------------------------------------------------------------------------------------------------

STATIC NAT For New Host (Please review)

(config)# object network webex
(config-network-object)# host 10.x.x.x
(config-network-object)# nat (inside,outside) static 40.x.x.x

access-list OutsideToInside extended permit ip any host 10.x.x.x
access-group OutsideToInside in interface OUTSIDE-1
done.................

Verification commands
show run | include NACO-Guest
show run | include webex
show xlate
show nat
show run access-group
show policy-route
debug policy-route
traceroute 8.8.8.8 source 10.x.x.x
tracert 8.8.8.8 (from a guest host)

I have these comments

1) in earlier post you have an ACL applied in for interface OUTSIDE-2 (which I am not sure that you needed). Now you have an ACL applied out. You do not need this. Any traffic originated from an interface with  higher security level (like your guest) to an interface with lower security level (like your OUTSIDE-2) is automatically permitted (and response traffic from outside is permitted) without needing an ACL.

access-group NACO-Guest-ACL out interface OUTSIDE-2

2) the nat looks ok, I would just repeat my advice that when you implement PBR that you make sure that the original nat for guest (using OUTSIDE-1) is removed.

3) in your testing you have this

(config-network-object)# nat (inside,outside) static 40.x.x.x

but it uses an interface name that does not match interfaces in previous posts.

4) your post continues to use masking of what are already private addresses such as 10.x.x.x so it is hard to know what you are doing in your test and whether the results of your test show success or not.

 

HTH

Rick
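Rick's review across this thread amounts to a checklist: the ACL named in `match ip address` must exist under exactly that name (hyphen versus underscore), a `permit ip any any` entry policy-routes everything, `policy-route` belongs on the ingress (guest) interface and not on the outbound one, the old guest NAT to OUTSIDE-1 has to go, and a `nat` typed under a misspelled object name lands in a different, empty object (here one that also names a nameif that does not exist). The Python below is an added example, not code from this thread or from Cisco: it parses running-config text and flags each of those mistakes, inferring the egress interface as the one whose subnet contains the `set ip next-hop` address. `BROKEN_CONFIG` reproduces the failed attempt and `FIXED_CONFIG` the final draft without the outbound access-group; both are constructed for this example, with RFC 5737 documentation addresses standing in for the masked 50.x.x.x ISP block, and the function and variable names are mine, not ASA commands.

```python
"""Lint an ASA policy-based-routing (PBR) config for the mistakes raised in this thread.
Added example, not Cisco code; both config excerpts below are constructed (RFC 5737 ISP IPs)."""
import ipaddress
import re

SUBCMD = {  # sub-mode command -> field it sets on the enclosing route-map or interface
    r"match ip address (\S+)": "acl", r"set ip next-hop (\S+)": "next_hop",
    r"nameif (\S+)": "nameif", r"policy-route route-map (\S+)": "pbr"}

def parse(config):
    """Collect ACLs, route-maps, interfaces and network objects from running-config text."""
    cfg = {"acls": {}, "rmaps": {}, "ifaces": {}, "objs": {}}
    cur = None  # dict of the sub-mode (route-map, interface, object) the parser is inside
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-list (\S+) extended (?:permit|deny) ", line, re.I):
            cfg["acls"].setdefault(m[1], []).append(line)
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+", line, re.I):
            cur = cfg["rmaps"].setdefault(m[1], {"acl": None, "next_hop": None})
        elif m := re.match(r"interface (\S+)", line, re.I):
            cur = cfg["ifaces"].setdefault(m[1], {"nameif": None, "net": None, "pbr": None})
        elif m := re.match(r"object network (\S+)", line, re.I):
            cur = cfg["objs"].setdefault(m[1], {"net": None, "nat": []})
        elif cur is not None:  # sub-mode line; unrelated ones (vlan, mtu, ...) fall through
            if m := re.match(r"(?:ip address|subnet|host) (\S+)(?: (\S+))?", line, re.I):
                cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2] or 32}").network
            elif m := re.match(r"nat \(([^,)]+),\s*([^)]+)\)", line, re.I):
                cur["nat"].append((m[1], m[2]))
            else:
                for pat, key in SUBCMD.items():
                    if m := re.match(pat, line, re.I):
                        cur[key] = m[1]
    return cfg

def lint(config):
    """Return findings as strings; an empty list means the PBR setup is consistent."""
    cfg, out = parse(config), []
    nameifs = {i["nameif"] for i in cfg["ifaces"].values()}
    ifnet = {i["nameif"]: i["net"] for i in cfg["ifaces"].values() if i["net"]}
    for rm, d in cfg["rmaps"].items():
        aces = cfg["acls"].get(d["acl"])
        if aces is None:
            out.append(f"route-map {rm}: match ACL {d['acl']!r} is not defined (hyphen vs underscore?)")
        if any(re.search(r"permit ip any any", a, re.I) for a in aces or []):
            out.append(f"route-map {rm}: ACL {d['acl']} permits ip any any, so all traffic is policy-routed")
        egress = next((n for n, net in ifnet.items() if d["next_hop"] and ipaddress.ip_address(d["next_hop"]) in net), None)
        if egress in [i["nameif"] for i in cfg["ifaces"].values() if i["pbr"] == rm]:
            out.append(f"route-map {rm}: policy-route is on egress {egress}; apply it on the guest ingress interface")
        srcs = [ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
                for a in aces or [] if (m := re.search(r"permit ip (\d\S*) (\S+)", a, re.I))]
        for name, o in cfg["objs"].items():  # a NAT still pointing at the other ISP defeats the PBR
            for _src, dst in o["nat"]:
                if o["net"] and dst != egress and any(o["net"].overlaps(s) for s in srcs):
                    out.append(f"object {name}: NAT still sends {o['net']} out {dst}, not {egress}; remove the old rule")
    for name, o in cfg["objs"].items():
        for src, dst in o["nat"]:
            if o["net"] is None:
                out.append(f"object {name}: has a nat rule but no subnet/host; is the object name a typo?")
            out += [f"object {name}: nat references unknown nameif {x!r}" for x in (src, dst) if x not in nameifs]
    return out

BROKEN_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE-1
interface GigabitEthernet0/1
 nameif OUTSIDE-2
 ip address 192.0.2.29 255.255.255.240
 policy-route route-map Company-Guest
interface GigabitEthernet0/5.30
 nameif Company-Guest
 ip address 10.253.30.1 255.255.255.0
object network Company-Guest
 subnet 10.253.30.0 255.255.255.0
 nat (Company-Guest,OUTSIDE-1) dynamic interface
object network Company_Guest
 nat (Company_Guest,OUTSIDE-2) dynamic interface
access-list Company-Guest extended permit ip 10.253.30.0 255.255.255.0 any
access-list Company-Guest extended permit ip any any
route-map Company-Guest permit 10
 match ip address Company-Guest
 set ip next-hop 192.0.2.30
"""

FIXED_CONFIG = """\
interface GigabitEthernet0/1
 nameif OUTSIDE-2
 ip address 192.0.2.29 255.255.255.240
interface GigabitEthernet0/5.30
 nameif NACO-Guest
 ip address 10.253.30.1 255.255.255.0
 policy-route route-map NACO-Guest
object network NACO-Guest
 subnet 10.253.30.0 255.255.255.0
 nat (NACO-Guest,OUTSIDE-2) dynamic interface
access-list NACO-Guest-ACL extended permit ip 10.253.30.0 255.255.255.0 any
route-map NACO-Guest permit 10
 match ip address NACO-Guest-ACL
 set ip next-hop 192.0.2.30
"""
```

Needs Python 3.8 or newer. `lint(BROKEN_CONFIG)` returns five findings (any-any ACL, policy-route on the egress interface, the leftover NAT to OUTSIDE-1, the empty `Company_Guest` object, and its reference to a nameif that does not exist) and `lint(FIXED_CONFIG)` returns an empty list. It can be fed `show running-config` output directly: lines it does not recognise (vlan, mtu, dhcpd, security-level) are ignored, but ACE source networks must be unmasked for the NAT check to work, which is the practical reason behind Rick's request not to mask 10.x.x.x.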

Hi Richard,

There are two configurations: one for the guest network and another for adding a new host with static NAT. You are referencing the second configuration; I drew a line separating the two configs.

 

Quintin

 

I understand that there are two configs. I assumed that both configs were for the ASA that we have been discussing. Is the second config for a different ASA?

 

My comments 1 and 2 are related to the first config (for guest access) and I believe that both are still applicable. My comment 3 is related to the config for the new host. If this is for a different ASA then it perhaps is not applicable. If it is for the same ASA then it is applicable. My comment 4 is applicable to both configs.

 

HTH

Rick