
Access issue with guest wireless and ASA

John Blakley
VIP Alumni

All,

I have a guest wireless subnet that's only allowed access to the outside world and that's it. A problem came up today that required a user in the company to be able to get to a hosted server on the LAN. A static NAT exists for everyone on the outside to get to the server, so the thought was that they would connect to the guest wireless and then get to the hosted server via its public address. This didn't work, but I think it's because the traffic is going through the ASA as NATed, and then coming back out again, making it look like the packet is being spoofed. Is that correct, and is there a way around it?

Thanks,

John

HTH, John *** Please rate all useful posts ***
2 Replies

Marcin Latosiewicz
Cisco Employee

John,

There are a hundred ways this could have failed depending on configuration ...

Easiest way to check - enable logging at informational level, run a test, and check "show logg | i IP_ADDR_OF_SOURCE_OR_DESTINATION"

My GUESS is it will be something related to translations or ACLs ...


You can create a static translation from LAN to wifi interface with public IP address.

Elegant solutions include

- IPsec VPN to access LAN resources from wifi

- DNS rewrite via "dns" keyword on static.
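
The static translation from LAN to the wifi interface suggested above, sketched as an added example (not part of the original reply, and not taken from the poster's configuration). It assumes pre-8.3 ASA `static` syntax, interfaces named `inside` and `guest`, a service on TCP/443, and constructed addresses throughout.

```cisco
! Constructed values (assumptions, replace with your own):
!   203.0.113.10    public address of the hosted server
!   192.168.1.10    real LAN address of the hosted server
!   192.168.0.0/16  internal LAN space that guests must not reach
!   10.10.10.0/24   guest wireless subnet

! Present the server to the guest interface under its public address,
! so guest clients use the same address as Internet clients.
static (inside,guest) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Guest ACL, evaluated top down. In pre-8.3 syntax the ACL matches the
! mapped (public) address, not the real one.
! 1. Permit only the hosted service on the published address.
access-list GUEST_IN extended permit tcp 10.10.10.0 255.255.255.0 host 203.0.113.10 eq 443
! 2. Keep every other LAN destination closed to guests.
access-list GUEST_IN extended deny ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0
! 3. Allow the remaining traffic out to the Internet.
access-list GUEST_IN extended permit ip 10.10.10.0 255.255.255.0 any
access-group GUEST_IN in interface guest
```

Limiting the first entry to a single port keeps the guest network's exposure to the LAN no wider than what outside users already get through the existing static NAT.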

terrygwazdosky
Level 1

You may be able to get this to work using hairpinning. I did something similar recently and though it's a little tricky, it's not impossible. Take a look at this: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2
