Guest WLAN cannot Access internet

M. Bryan, Level 1

I would like to ask for help with our guest network not being able to access the internet.

My network is connected like this:

WLC <> Switch <> ISR4321 <> ISP

Guest network subnet: 10.43.52.0/24

Gateway: 10.43.52.1

DHCP for the Guest WLAN is running on the WLC (internal DHCP server).

Wireless clients get the right subnet for guest and can ping the gateway (10.43.52.1) on the ISR4321, but cannot access the internet.

It seems that there is nothing wrong with the WLC configuration since it can reach the gateway.

Here is the ISR configuration:

!

class-map type inspect match-any Internet-cmap
match protocol icmp
match protocol tcp
match protocol udp
match protocol http
match protocol https
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol h323
match protocol h323callsigalt
match protocol bootpc
match protocol bootps
class-map type inspect match-all ICMP-cmap
match access-group name ICMP
policy-map type inspect router-guest-pmap
class class-default
pass
policy-map type inspect guest-router-pmap
class type inspect ICMP-cmap
pass
class class-default
drop
policy-map type inspect guest-outside-pmap
class type inspect Internet-cmap
inspect
class type inspect ICMP-cmap
inspect
class class-default
pass
!
zone security outside
zone security inside
zone security guest
zone-pair security guest-to-outside source guest destination outside
service-policy type inspect guest-outside-pmap
zone-pair security guest-to-router source guest destination self
service-policy type inspect guest-router-pmap
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect outside-inside-pmap
zone-pair security outside-to-router source outside destination self
service-policy type inspect Outside-Router-pmap
zone-pair security router-to-guest source self destination guest
service-policy type inspect router-guest-pmap

!
interface GigabitEthernet0/0/0
description Internet
bandwidth 50000
ip address 78.90.19.11 255.255.255.252
ip nat outside
zone-member security outside
media-type rj45
speed 100
no negotiation auto
crypto map outside-map
service-policy output 50M-Shaper
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.9
description Guest Wireless VLAN
encapsulation dot1Q 9
ip address 10.43.52.1 255.255.255.0
ip nat inside
zone-member security guest
ip virtual-reassembly
!

ip nat inside source route-map NAT-Route-Map interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 78.90.19.11 251
!
!
ip access-list extended ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit icmp any any
ip access-list extended NAT
permit ip 10.3.0.0 0.0.255.255 any
permit ip 10.103.0.0 0.0.255.255 any
permit ip 10.43.52.0 0.0.0.255 any
ip access-list extended NO-NAT
permit ip 10.3.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 10.103.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 10.3.0.0 0.0.255.255 172.16.32.0 0.0.0.255
permit ip 10.103.0.0 0.0.255.255 172.16.32.0 0.0.0.255
permit ip 10.3.0.0 0.0.255.255 any
permit ip 10.103.0.0 0.0.255.255 any
permit ip host 10.43.52.250 host 10.2.34.98
!
route-map NAT-Route-Map deny 10
match ip address NO-NAT
!
route-map NAT-Route-Map permit 20
match ip address NAT

 

Thanks!
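To make the posted configuration easier to reason about, here is an added Python model (not from the question, the replies, or Cisco) that walks a flow through the two decisions the ISR makes: the route-map NAT decision over the NAT and NO-NAT ACLs, and the zone-based firewall lookup (zone-pair, then class-map action). The ACL lines, route-map sequences and zone-pairs are transcribed from the configuration above; the function names, the reduction of the class-maps to protocol sets, the sample flows, and the assumption of contiguous wildcard masks are mine.

```python
# Added model of the ISR's two decisions for a guest flow: NAT (route-map over
# ACLs) and zone-based firewall treatment.  ACLs, route-map and zone-pairs are
# transcribed from the question; function names, protocol sets and sample flows
# are assumptions for this example, not Cisco code.
import ipaddress

def _parse_addr(tokens, i):
    # 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards assumed)
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefix = 32 - bin(int(ipaddress.ip_address(tokens[i + 1]))).count("1")
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2

def parse_acl(lines):
    # extended ACL entries as (action, protocol, src_net, dst_net)
    entries = []
    for line in lines:
        t = line.split()
        src, i = _parse_addr(t, 2)
        dst, _ = _parse_addr(t, i)
        entries.append((t[0], t[1], src, dst))
    return entries

def acl_permits(entries, src, dst, proto="ip"):
    # IOS extended ACL: first matching entry wins, implicit deny at the end
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst in entries:
        if aproto in ("ip", proto) and s in asrc and d in adst:
            return action == "permit"
    return False

NAT_ACL = parse_acl([
    "permit ip 10.3.0.0 0.0.255.255 any",
    "permit ip 10.103.0.0 0.0.255.255 any",
    "permit ip 10.43.52.0 0.0.0.255 any",
])
NO_NAT_ACL = parse_acl([
    "permit ip 10.3.0.0 0.0.255.255 10.0.0.0 0.255.255.255",
    "permit ip 10.103.0.0 0.0.255.255 10.0.0.0 0.255.255.255",
    "permit ip 10.3.0.0 0.0.255.255 172.16.32.0 0.0.0.255",
    "permit ip 10.103.0.0 0.0.255.255 172.16.32.0 0.0.0.255",
    "permit ip 10.3.0.0 0.0.255.255 any",
    "permit ip 10.103.0.0 0.0.255.255 any",
    "permit ip host 10.43.52.250 host 10.2.34.98",
])
# route-map NAT-Route-Map as (sequence, route-map action, ACL it matches on)
NAT_ROUTE_MAP = [(10, "deny", NO_NAT_ACL), (20, "permit", NAT_ACL)]

def nat_decision(src, dst):
    # The first sequence whose ACL *permits* the packet decides; an ACL deny or
    # no match just falls through.  No matching sequence means no translation.
    for _seq, action, acl in NAT_ROUTE_MAP:
        if acl_permits(acl, src, dst):
            return "nat" if action == "permit" else "no-nat"
    return "no-nat"

# Policy-maps reduced to ([(protocols a class matches, action)], class-default action).
# Internet-cmap is match-any and lists tcp, udp and icmp, so it catches every
# TCP/UDP/ICMP flow before ICMP-cmap is reached.
POLICIES = {
    "guest-outside-pmap": ([({"tcp", "udp", "icmp"}, "inspect"), ({"icmp"}, "inspect")], "pass"),
    "guest-router-pmap": ([({"icmp"}, "pass")], "drop"),
    "router-guest-pmap": ([], "pass"),
}
# Zone-pairs whose policy-maps the question shows (outside-to-inside and
# outside-to-router exist too, but their policy-maps are not posted).
ZONE_PAIRS = {
    ("guest", "outside"): "guest-outside-pmap",
    ("guest", "self"): "guest-router-pmap",
    ("self", "guest"): "router-guest-pmap",
}

def zbf_action(src_zone, dst_zone, proto):
    # Action for the first packet of a flow between two zones.
    pmap = ZONE_PAIRS.get((src_zone, dst_zone))
    if pmap is None:
        # No zone-pair: inter-zone traffic is dropped, but traffic to or from
        # the router's own 'self' zone is permitted by default.
        return "pass" if "self" in (src_zone, dst_zone) else "drop"
    classes, default_action = POLICIES[pmap]
    for protos, action in classes:
        if proto in protos:
            return action
    return default_action

def return_traffic_allowed(src_zone, dst_zone, proto):
    # 'inspect' builds a session so replies return without a reverse zone-pair;
    # 'pass' is stateless, so the reply needs its own 'pass' on the reverse pair.
    forward = zbf_action(src_zone, dst_zone, proto)
    if forward == "inspect":
        return True
    if forward == "pass":
        return zbf_action(dst_zone, src_zone, proto) == "pass"
    return False
```

Run over the flows from the question, the model gives: a guest client such as 10.43.52.10 going to 8.8.8.8 is translated (sequence 10 does not match, sequence 20 does), only 10.43.52.250 to 10.2.34.98 is exempt, and, as written, the two `permit ip ... any` entries in NO-NAT exempt everything sourced from 10.3.0.0/16 and 10.103.0.0/16 from NAT. On the firewall side, guest to inside has no zone-pair and is dropped (the isolation you want for a guest VLAN), ICMP to the router's self zone passes in both directions (which is why the gateway ping succeeds independently of the internet path), and the `class-default pass` in guest-outside-pmap is stateless with no outside-to-guest pair, so only the inspected TCP/UDP/ICMP flows get a return path. The model stops at the NAT and firewall decisions and does not route: it says nothing about the static default route, whose next hop in the posted configuration (78.90.19.11) is the same address configured on GigabitEthernet0/0/0, so the routing table, `show ip nat translations` and `show policy-map type inspect zone-pair sessions` are still the things to check on the box.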

4 Replies

WLC: per WLAN or per AP there is an ACL denying HTTP; check this point.

balaji.bandi, Hall of Fame

Not sure of the use case here for static NAT. If you would like to get Internet for Guest, you can do simple NAT, as an example:

Example:

ip nat inside source list GUEST-NAT interface GigabitEthernet0/0/0 overload
!
! a standard access-list cannot match a destination host, so the
! exemption for 10.43.52.250 -> 10.2.34.98 needs an extended ACL
ip access-list extended GUEST-NAT
 deny ip host 10.43.52.250 host 10.2.34.98
 permit ip 10.43.52.0 0.0.0.255 any

Check the reference below:

https://community.cisco.com/t5/networking-documents/how-to-configure-static-nat-with-route-maps/ta-p/3132855

BB


Is it OK to have multiple NAT overload statements?

Can you explain the use case: why do you need multiple overload statements if everything is covered in the ACL? Or show us an example.

BB