Flex Connect Split-Tunnel with DMZ Anchor

Brett Verney
Level 1

Hi all,

I was wondering if someone can tell me the mechanics of Flex Connect split-tunnelling, more specifically when the SSID is tunnelled to a WLC housed in a DMZ for Internet only access? How does the wireless client access those split tunneled resources when the client IP address technically exists in the DMZ and not at the local site? How does it route to the destination hosts in the split tunnel? I'm guessing some form of NAT is involved?

I have a client with a Guest SSID who require access to a local subnet at each one of its branch offices and need to determine the data flows as they have several firewalls throughout the environment.

Thanks,

-Brett

Accepted Solutions

Ric Beeching
Level 7

G'day Brett!

You're correct with your assumption of a NAT when you create an access-list that matches your local traffic e.g. permit 0.0.0.0 to 192.168.0.0/24 and apply that to your Flex AP (or use a WLAN-ACL mapping in FlexGroup).

After applying the split-tunnel ACL to the Flex AP it will create a NAT on its BVI with the interesting traffic being whatever you have defined in the ACL.

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts
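
A small Python model of the forwarding decision described in the answer above, added here as an illustration (it is not from the thread and is not Cisco code). It shows which source address each path carries, which is what matters for branch firewall rules. The client address 172.16.50.23, the AP BVI address 10.10.1.5, the destination 203.0.113.10 and the extra deny rule are constructed; first-match ordering and an implicit deny that leaves traffic in the tunnel are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" = switch locally with NAT, "deny" = leave in tunnel
    src: str     # source network in CIDR form
    dst: str     # destination network in CIDR form

@dataclass(frozen=True)
class Flow:
    path: str    # "local-nat" or "tunnel-to-anchor"
    src_ip: str  # source IP on the packet after the AP's decision
    dst_ip: str

def classify(client_ip, dst_ip, acl, ap_bvi_ip):
    """Model the AP's split-tunnel decision for one client packet.

    Assumption: rules are evaluated top-down, first match wins, and traffic
    matching no rule stays in the tunnel toward the anchor WLC.
    """
    client = ipaddress.ip_address(client_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if client in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
            if rule.action == "permit":
                # Interesting traffic: the AP rewrites the source to its BVI
                # address, so the branch network never sees the DMZ client IP.
                return Flow("local-nat", ap_bvi_ip, dst_ip)
            break  # explicit deny: stop matching, keep the packet in the tunnel
    # Tunnelled traffic keeps the client IP, but only inside the tunnel.
    return Flow("tunnel-to-anchor", client_ip, dst_ip)

# Constructed sample: one host excluded, then the local subnet from the thread.
SPLIT_ACL = [
    Rule("deny", "0.0.0.0/0", "192.168.0.1/32"),
    Rule("permit", "0.0.0.0/0", "192.168.0.0/24"),
]
CLIENT = "172.16.50.23"   # guest address handed out in the DMZ (constructed)
AP_BVI = "10.10.1.5"      # AP management/BVI address at the branch (constructed)

def sample_flows():
    """Classify three constructed destinations for the sample client."""
    targets = ["192.168.0.10", "192.168.0.1", "203.0.113.10"]
    return [classify(CLIENT, t, SPLIT_ACL, AP_BVI) for t in targets]

if __name__ == "__main__":
    for flow in sample_flows():
        print(f"{flow.dst_ip:<15} {flow.path:<17} source={flow.src_ip}")
```

For firewall planning, the locally switched flows appear to the branch network as coming from the AP's own address, so rules keyed on the DMZ guest range will not match them.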

Thanks Ric!

I was hoping it was the AP that did the NAT. This means no changes required from a Firewall perspective in my client's scenario. :-)

-Brett

No worries, good luck with the design!

-----------------------------
Please rate helpful / correct posts