03-26-2009 09:53 AM - edited 07-03-2021 05:22 PM
Hi All,
I have configured a WLC for guest users and internal users.
I have created 2 normal WLANs and 2 different interfaces with all the information, such as the IP address scheme, the gateway and the DHCP address.
One is INTERNAL and the other one is GUESTS.
The INTERNAL WLAN is mapped to the Internal interface, whose configuration is as follows:
VLAN ID : 2
ip add : 192.168.10.177
subnet : 255.255.255.0
gateway: 192.168.10.10
dhcp add : 192.168.10.190
The GUEST WLAN is mapped to the GUEST interface, whose configuration is as follows:
VLAN ID : 23
ip add : 192.168.23.2
subnet : 255.255.255.0
gateway: 192.168.23.1
dhcp add : 192.168.10.77
Now I'm getting 2 SSIDs when I search for wireless networks.
I can connect to the intranet and the Internet by using either of the SSIDs.
SOUNDS GOOD
Currently I can access 192.168.10.0 and 192.168.23.0 and the Internet too because of inter-VLAN routing, but now, if I join the GUEST SSID, I want to restrict intranet (192.168.10.0) access except for 192.168.10.5 (the network printer's IP address).
I have configured 1 access list and applied it to the GUEST interface.
The access list has the following statements:
1 permit 192.168.23.0/24 192.168.10.5/32 any any any (outbound/inbound/any)
2 deny 192.168.23.0/24 192.168.10.0/24 any any any (outbound/inbound/any)
3 permit 0.0.0.0/0 0.0.0.0/0 any any any (outbound/inbound/any)
By using these statements I can access the Internet and the intranet network is not reachable. That's good,
but I am not able to access the network printer (I don't know why).
One more problem is that if I mention a specific network in the statement it is not working: as I mentioned, with 0.0.0.0 in the last statement it's working, but if I set it as 192.168.23.0/24 0.0.0.0/0 it won't work.
03-27-2009 05:02 AM
ACLs on a WLC are not stateful - have a look at the document:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml
It states:
if either the source or destination are not any, then the direction of the filter must be specified, and an inverse statement in the opposite direction must be created.
To allow access to your printer, try:
permit 192.168.23.0/24 192.168.10.5/32 any any inbound
permit 192.168.10.5/32 192.168.23.0/24 any any outbound
hth
andy
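To make the "not stateful" point from the reply concrete, here is a small stateless ACL evaluator written for this thread (it is an added example, not code from either poster or from Cisco). It models WLC-style rules as first-match with an implicit deny at the end, and "inbound" as client-to-wired, "outbound" as wired-to-client. The two rule sets are constructed for the example: ONE_WAY_ACL permits only the client-to-printer direction, TWO_WAY_ACL adds the inverse permit suggested in the reply. The example goes one step beyond the reply by also writing the intranet deny in both directions, since the same stateless logic applies to deny rules; that symmetric deny is my addition, not something the thread states. The client address 192.168.23.50, the intranet host 192.168.10.20 and the Internet address 203.0.113.10 are made-up sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    direction: str  # "inbound" (client -> wired), "outbound" (wired -> client) or "any"
    action: str     # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "inbound" or "outbound"


def _in_net(ip: str, cidr: str) -> bool:
    """True when ip falls inside cidr; "any" matches every address."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(acl, pkt):
    """Stateless first-match evaluation of one packet.

    Returns (action, rule_number); rule_number is None when nothing
    matched and the implicit deny applied. No connection table exists,
    so a reply packet is judged purely on its own addresses/direction.
    """
    for number, rule in enumerate(acl, start=1):
        if rule.direction not in ("any", pkt.direction):
            continue
        if _in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst):
            return rule.action, number
    return "deny", None


def check_flow(acl, client: str, server: str) -> bool:
    """A flow only works if the request AND the reply are both permitted."""
    request = Packet(client, server, "inbound")
    reply = Packet(server, client, "outbound")
    return (evaluate(acl, request)[0] == "permit"
            and evaluate(acl, reply)[0] == "permit")


# Constructed: permit only the client->printer direction (the mistake the
# reply describes), block the rest of the intranet both ways, allow all else.
ONE_WAY_ACL = [
    Rule("192.168.23.0/24", "192.168.10.5/32", "inbound", "permit"),
    Rule("192.168.23.0/24", "192.168.10.0/24", "inbound", "deny"),
    Rule("192.168.10.0/24", "192.168.23.0/24", "outbound", "deny"),
    Rule("any", "any", "any", "permit"),
]

# Constructed: same policy plus the inverse permit for the printer's replies.
TWO_WAY_ACL = [
    Rule("192.168.23.0/24", "192.168.10.5/32", "inbound", "permit"),
    Rule("192.168.10.5/32", "192.168.23.0/24", "outbound", "permit"),
    Rule("192.168.23.0/24", "192.168.10.0/24", "inbound", "deny"),
    Rule("192.168.10.0/24", "192.168.23.0/24", "outbound", "deny"),
    Rule("any", "any", "any", "permit"),
]

if __name__ == "__main__":
    client, printer, intranet, internet = (
        "192.168.23.50", "192.168.10.5", "192.168.10.20", "203.0.113.10")
    for name, acl in (("one-way", ONE_WAY_ACL), ("two-way", TWO_WAY_ACL)):
        print(f"{name}: printer ok={check_flow(acl, client, printer)} "
              f"intranet ok={check_flow(acl, client, intranet)} "
              f"internet ok={check_flow(acl, client, internet)}")
    # Show which rule kills the printer's reply under the one-way ACL
    print(evaluate(ONE_WAY_ACL, Packet(printer, client, "outbound")))
```

Running it shows the printer flow failing under ONE_WAY_ACL because the reply packet from 192.168.10.5 is judged on its own and hits the outbound deny, while TWO_WAY_ACL passes the printer and the Internet and still blocks the rest of the intranet in both directions.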