Guest Access Exceptions

Unanswered Question
Jul 3rd, 2008

Finally got Guest Access to work but need to set up exceptions. Users get DHCP and DNS from local server and then are allow http and https access to the internet only. Local http / https is blocked by a rule to all on an internal Class B subnet. Rules look like this:

permit any udp dhcp client in

permit any udp dhcp server out

permit range any udp dns in

permit any range udp dns out

deny range range tcp http in

deny range range tcp http out

deny range range tcp https in

deny range range tcp https out

allow range any tcp http in

allow any range tcp http out

allow range any tcp https in

allow any range tcp https out

Problem: Users may want to get to our websites that resolve differently locally. Global dns might point to, but internally points to This is a Class C subnet.

I created a permit rule for the local sites, but it's not working. I think the order is the problem, but I don't know.

Any help would be really appreciated. Thank you kindly.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.7 (3 ratings)
jeromehenry_2 Fri, 07/04/2008 - 02:06


Yes it could be the order, but it is difficult to say without the real ranges here.

Try to review your ACL, if you deny something that is allowed afterwards, it will be blocked. So if you say:

deny tcp http in

allow tcp http in, it will be blocked... the first rule to match the packet you receive is applied, and the system stops there, without checking the other lines...



Richard Atkin Mon, 07/07/2008 - 03:22

Aside from your ACL problems, most people will point Guest Networks towards a public DNS server, not a private / internal one.

Two reasons for this;

First, it helps prevent guests from getting information about your internal network

Second, it ensures they go 'out' and 'back in' again - ie, public DNS will only ever return public IP addresses, therefore ensuring Guest Users don't encounter the problem you describe.

svillardi Mon, 07/07/2008 - 04:24


Where can I get a list of trustworthy public DNS sites? I don't want to pick the first search response of Google. :)

svillardi Mon, 07/07/2008 - 07:13

Thanks for your help. We get our DNS from our parent company and this is out of spec--I can't ask them who their DNS provider is. Any other suggestion?

svillardi Mon, 07/07/2008 - 07:41

OK, it was the order and I got it working!!!

Thanks for the ideas and help!

jeromehenry_2 Mon, 07/07/2008 - 12:32

Excellent, glad to help!

And a 5 for you to give us our feedback, this thread might be useful to others!


michael.lussier Tue, 07/08/2008 - 06:11

We had the same issue. We are using the FWSM. Our servers have an internal IP address and sit in a DMZ of the firewall as do the wireless users. Along with the internal ACL:'s we added a wireless view on our external DNS which also resides on another DMZ within the FWSM. This view takes just the subnet of those wireless users and points them to a different ip for specific name resolutions. This way I give the wireless users web access only to the internal address of the web server keeping them internal to the FWSM.


This Discussion