Guest Access Exceptions

svillardi · ‎07-03-2008

Finally got Guest Access to work but need to set up exceptions. Users get DHCP and DNS from local server and then are allow http and https access to the internet only. Local http / https is blocked by a rule to all on an internal Class B subnet. Rules look like this:

permit 0.0.0.0 any udp dhcp client in

permit any 0.0.0.0. udp dhcp server out

permit range any udp dns in

permit any range udp dns out

deny range range tcp http in

deny range range tcp http out

deny range range tcp https in

deny range range tcp https out

allow range any tcp http in

allow any range tcp http out

allow range any tcp https in

allow any range tcp https out

Problem: Users may want to get to our websites that resolve differently locally. Global dns might point www.website.com to 100.100.100.100, but internally www.website.com points to 10.10.10.10. This is a Class C subnet.

I created a permit rule for the local sites, but it's not working. I think the order is the problem, but I don't know.

Any help would be really appreciated. Thank you kindly.

jeromehenry_2 · ‎07-04-2008

Hi,

Yes it could be the order, but it is difficult to say without the real ranges here.

Try to review your ACL, if you deny something that is allowed afterwards, it will be blocked. So if you say:

deny 10.0.0.0 tcp http in

allow 10.1.0.0 tcp http in, it will be blocked... the first rule to match the packet you receive is applied, and the system stops there, without checking the other lines...

hth

J

Richard Atkin · ‎07-07-2008

Aside from your ACL problems, most people will point Guest Networks towards a public DNS server, not a private / internal one.

Two reasons for this;

First, it helps prevent guests from getting information about your internal network

Second, it ensures they go 'out' and 'back in' again - ie, public DNS will only ever return public IP addresses, therefore ensuring Guest Users don't encounter the problem you describe.

svillardi · ‎07-07-2008

Thanks.

Where can I get a list of trustworthy public DNS sites? I don't want to pick the first search response of Google. :)

Richard Atkin · ‎07-07-2008

Using the ones provided by your ISP will normally provide good results...

svillardi · ‎07-07-2008

Thanks for your help. We get our DNS from our parent company and this is out of spec--I can't ask them who their DNS provider is. Any other suggestion?

svillardi · ‎07-07-2008

OK, it was the order and I got it working!!!

Thanks for the ideas and help!

jeromehenry_2 · ‎07-07-2008

Excellent, glad to help!

And a 5 for you to give us our feedback, this thread might be useful to others!

:-)

michael.lussier · ‎07-08-2008

We had the same issue. We are using the FWSM. Our servers have an internal IP address and sit in a DMZ of the firewall as do the wireless users. Along with the internal ACL:'s we added a wireless view on our external DNS which also resides on another DMZ within the FWSM. This view takes just the subnet of those wireless users and points them to a different ip for specific name resolutions. This way I give the wireless users web access only to the internal address of the web server keeping them internal to the FWSM.