07-09-2012 09:19 PM - edited 03-11-2019 04:28 PM
Hello,
I've been reading all over the internet (including this site) trying to figure out if the ASA can handle inter-VLAN routing. I'm not sure what I am missing in my config to get this to work. I've read that it can work and I've read that it can't work. Can someone lead me in the right direction on how to get this to work on my ASA 5505?
Here is my setup
Cable Modem ---> ASA (eth0/0)
(eth0/2) -->unmanaged switch for LAN connectivity
(eth0/3) --> Access point for wireless LAN connectivity
My config is attached
What I would like to do is be able to communicate between vlan3(LAN) and vlan4(Wireless LAN)
What's strange is I can RDP between the two VLANs but I can't ping or do anything else.
Any help is appreciated!
07-22-2012 01:17 PM
Hi Bro
I believe everything is working fine now. Please do paste your latest config here, so that the others could learn from your experience as well.
P/S: If you think this comment is useful, please do rate them nicely :-)
07-09-2012 10:33 PM
Hi,
Personally I would do the following
1.) Change the wifi interface security-level to something like 99
2.) remove the nat command: static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
3.) Configure icmp inspection so ICMP will pass through without opening both directions for the traffic (echo and reply)
4.) Build access-lists for each interface even though they might be simple
One option with the NAT you have is of course using NAT0/NAT Exempt to tell the ASA that no translation between these networks will be done. Then again I think the ASA doesn't have "nat-control" configured at the moment, so removing both the static translations should still mean your 2 LAN networks should be able to reach each other without using NAT.
- Jouni
07-09-2012 10:33 PM
The ICMP inspection configuration was
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
07-10-2012 09:27 PM
JouniForss, thanks for your response. I tried your suggested steps and I was still unable to talk between the two VLANs. Is my approach to this scenario wrong? I know ASAs aren't typically used as Layer devices but from what I've been reading it can be done.
From my reading it seems like the following alone should allow me to talk across the vlans:
static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Sorry for all the questions; I'm familiar with routing and switching. The ASA is kind of a different beast.
Another thing that's weird to me is that, when I do a packet trace, it states that the packet is allowed. Any help is appreciated.
07-10-2012 11:22 PM
Hi,
There should be no problem using the ASA in this kind of setup. Though I'm more used to doing this with the other ASA models. ASA 5510 and onwards where the interface configurations change compared to the ASA5505 (no actual switch ports)
The "same-security-traffic" command basically either permits traffic between interfaces with the same security-level or allows traffic to be sent out the same interface it originally came in on. In this case only one of them should apply.
Seems strange to me that you can indeed use RDP connections but nothing else works. One would think the problem stems from something other than the firewall settings if some connections go through.
Have you been able to send ICMP through the firewall after adding the commands I mentioned? There shouldn't be anything preventing the echoes/echo replies other than the devices sending them.
If you want to allow ICMP echoes on your ASA's interfaces you can use the command
icmp permit any
This command allows you to ping the ASA's interfaces. Notice though that you can't ping an ASA interface behind another ASA interface. You can only ping the interface behind which you are connected.
I typically allow ICMP on all interfaces that aren't connected to a public network/Internet.
Naturally, if you have some TCP connection that you can use to test traffic between these VLANs, try it out and at the same time monitor the traffic through ASDM and see what happens to the connection. Does the connection get built on the ASA but then get torn down by SYN Timeout, or what's happening?
- Jouni
07-11-2012 10:00 PM
So I've made the changes you suggested but I'm still unable to get the functionality I am looking for. My config is below after the changes.
ASA Version 8.2(2)
!
hostname frw01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan4
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
nameif inside
security-level 99
ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
nameif insidewifi
security-level 100
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list icmp_outside extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group icmp_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username ******** password PNUmTwjDhevRqhkT encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3fcbac02b3e4b4e6919cf34a9137b4fb
Below is the error message that I receive when trying to connect to an access point on a different subnet.
2 | Jul 11 2012 | 23:52:18 | 106001 | 172.16.1.200 | 50262 | 172.16.2.1 | 80 | Inbound TCP connection denied from 172.16.1.200/50262 to 172.16.2.1/80 flags SYN on interface inside |
Maybe I have some overkill here and should start from scratch and change my approach. It seems that my lack of experience with the ASA is part of the issue.
Suggestions or thoughts?
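As an added example that is not part of this thread or of anyone's posted configuration: a small Python checker that pulls the VLAN interface policy out of an ASA 8.2-style running config and applies the rules discussed in this thread (a `no forward interface` restriction on the source VLAN, equal security-levels needing `same-security-traffic permit inter-interface`, an inbound `access-group` on the ingress interface taking over from the security-level default, and lower-to-higher traffic needing an inbound ACL). The sample config is condensed from the one posted above; the names `parse_asa82`, `check_path`, `Iface` and `AsaPolicy` are this example's own, and NAT (nat-control, the static identity rules) is deliberately not modelled. On the excerpt it reports guest-to-inside blocked by `no forward interface Vlan4`, and inside-to-insidewifi as a lower-to-higher path (99 to 100), which on an ASA needs an inbound ACL on inside unless the two levels are made equal.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: condensed from the ASA 8.2(2) configuration posted in
# this thread (VLAN interfaces plus the global lines the check needs).
SAMPLE_CONFIG = """
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan4
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
nameif inside
security-level 99
ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
nameif insidewifi
security-level 100
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
same-security-traffic permit inter-interface
access-group icmp_outside in interface outside
"""

@dataclass
class Iface:
    vlan: str                                      # e.g. "Vlan3"
    nameif: str = ""
    level: int = -1
    ip: str = ""                                   # "dhcp" when learned dynamically
    no_forward: set = field(default_factory=set)   # VLANs this one may not initiate to

@dataclass
class AsaPolicy:
    ifaces: dict = field(default_factory=dict)         # nameif -> Iface
    same_sec_inter: bool = False                       # same-security-traffic permit inter-interface
    access_groups: dict = field(default_factory=dict)  # nameif -> inbound ACL name

def parse_asa82(text: str) -> AsaPolicy:
    """Pull the interface-policy facts out of an ASA 8.2-style running config (example parser)."""
    pol = AsaPolicy()
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            cur = None                                   # "!" closes an interface block
            continue
        if line.startswith("interface "):
            m = re.fullmatch(r"interface (Vlan\d+)", line)
            cur = Iface(vlan=m.group(1)) if m else None  # switch ports carry no policy
            continue
        tok = line.split()
        if cur is not None:
            if tok[0] == "nameif":
                cur.nameif = tok[1]
                pol.ifaces[cur.nameif] = cur
            elif tok[0] == "security-level":
                cur.level = int(tok[1])
            elif tok[:2] == ["ip", "address"]:
                cur.ip = tok[2]
            elif tok[:3] == ["no", "forward", "interface"]:
                cur.no_forward.add(tok[3])
            continue
        if line == "same-security-traffic permit inter-interface":
            pol.same_sec_inter = True
        elif tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
            pol.access_groups[tok[4]] = tok[1]
    return pol

def check_path(pol: AsaPolicy, src: str, dst: str):
    """Verdict for a connection entering on `src` and leaving via `dst`: ("permit"|"deny"|"acl", reason).
    "acl" means an inbound access-group on `src` decides instead of the security-level default."""
    s, d = pol.ifaces[src], pol.ifaces[dst]
    if d.vlan in s.no_forward:
        return "deny", f"{s.vlan} carries 'no forward interface {d.vlan}'"
    if s.level == d.level and not pol.same_sec_inter:
        return "deny", "equal security-levels need 'same-security-traffic permit inter-interface'"
    if src in pol.access_groups:
        return "acl", f"inbound ACL {pol.access_groups[src]} on {src} decides"
    if s.level >= d.level:
        return "permit", f"security-level {s.level} -> {d.level} is allowed by default"
    return "deny", f"security-level {s.level} -> {d.level} needs an inbound ACL on {src}"

if __name__ == "__main__":
    pol = parse_asa82(SAMPLE_CONFIG)
    for a, b in [("inside", "insidewifi"), ("insidewifi", "inside"), ("guest", "inside")]:
        print(a, "->", b, check_path(pol, a, b))
```

The checker only answers the "does the ASA's default policy even allow a connection in this direction" question; an ACL verdict still has to be read off the named access-list, and with `nat-control` enabled a matching translation is an additional requirement on top of what this reports.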
07-11-2012 11:26 PM
Hi,
Seems to me that the log message implies that the host (inside) 172.16.1.200 is connecting to the ASA interface (insidewifi). (TCP SYN to interface IP)
This will naturally be blocked. In the same way an ICMP from behind the "inside" interface to the "insidewifi" would be blocked.
Why are you connecting to the ASA interface IP?
- Jouni
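An added example, not from this thread: parse the 106001 record quoted above and check whether the denied destination is one of the ASA's own interface addresses, which is the distinction drawn in the reply (to-the-box traffic for an interface the packet did not arrive on is denied regardless of ACLs, while a through-the-box denial points at the inbound ACL or security-levels). The interface addresses come from the posted configuration; the second sample line, the `%ASA` syslog form of the same message and the function names `parse_106001` and `classify` are constructed for the example.

```python
import re

# Constructed samples: the first is the ASDM log line quoted in this thread, the
# second is a made-up line of the same shape whose destination is a host rather
# than an ASA interface address.
SAMPLE_LINES = [
    "2 | Jul 11 2012 | 23:52:18 | 106001 | 172.16.1.200 | 50262 | 172.16.2.1 | 80 | "
    "Inbound TCP connection denied from 172.16.1.200/50262 to 172.16.2.1/80 flags SYN on interface inside |",
    "2 | Jul 11 2012 | 23:53:05 | 106001 | 172.16.1.200 | 50263 | 172.16.2.50 | 80 | "
    "Inbound TCP connection denied from 172.16.1.200/50263 to 172.16.2.50/80 flags SYN on interface inside |",
]

# Interface addresses from the configuration posted in this thread (nameif -> IP).
INTERFACE_IPS = {"guest": "172.16.10.1", "inside": "172.16.1.1", "insidewifi": "172.16.2.1"}

# The same message in plain syslog form, for logs collected off-box rather than via ASDM.
SYSLOG_RE = re.compile(
    r"%ASA-(?P<sev>\d)-106001: Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) .*on interface (?P<ingress>\S+)")

def parse_106001(line: str):
    """Parse one 106001 record (ASDM pipe format or %ASA syslog format) into a dict, else None."""
    m = SYSLOG_RE.search(line)
    if m:
        rec = m.groupdict()
    else:
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        if len(fields) < 9 or fields[3] != "106001":
            return None
        body = re.search(r"on interface (\S+)", fields[8])
        rec = {"sev": fields[0], "proto": fields[8].split()[1], "src": fields[4], "sport": fields[5],
               "dst": fields[6], "dport": fields[7], "ingress": body.group(1) if body else None}
    rec["sev"], rec["sport"], rec["dport"] = int(rec["sev"]), int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec: dict, iface_ips: dict) -> str:
    """Say whether a 106001 denial was to-the-box (an ASA interface address) or through-the-box."""
    owner = next((name for name, ip in iface_ips.items() if ip == rec["dst"]), None)
    if owner is None:
        return f"through-the-box: check the inbound ACL on '{rec['ingress']}' and the security-levels"
    if owner == rec["ingress"]:
        return f"to-the-box on its own interface '{owner}': only management services enabled there answer"
    return (f"to-the-box: destination is the '{owner}' interface address but the packet arrived on "
            f"'{rec['ingress']}'; the ASA denies this by design, test against a host behind {owner} instead")

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_106001(line)
        print(rec["src"], "->", rec["dst"], ":", rec["dport"], "|", classify(rec, INTERFACE_IPS))
```

Keeping the interface-address table next to the parser is the point: a 106001 whose destination is an interface IP is a different problem from one whose destination is a host, and sorting denials by that first saves chasing ACL and security-level settings that are not involved.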
07-11-2012 11:34 PM
Also,
Have you considered configuring a trunk between the ASA 5505 and the local switch? Since at the moment you just have access ports for all the Vlan interfaces on the ASA.
I presume you have gotten the ASA with something else than the Base license since you have over 3 interfaces on it. To my understanding.
Unfortunately I so rarely deal with the ASA5505 that I have forgotten some of the differences it has from the later models.
- Jouni
07-12-2012 06:27 AM
The log above was generated when trying to ping a host on a different VLAN. I wasn't attempting to connect to the ASA interface IP. The switch connected to the ASA is an unmanaged switch, so I didn't think a trunk was necessary since everything connected to that switch will be on the same VLAN.
The ASA does have a Security Plus license.
07-16-2012 02:12 AM
Hi,
I guess by ping you are referring to some application testing TCP traffic (the same way the newer ASA software versions have TCP ping)? An actual ICMP echo wouldn't generate that message.
I assume the unmanaged switch is only connected to the port Ethernet0/2 on the ASA? (only for interface "inside" users)
- Jouni
07-16-2012 02:35 AM
Hi Bro
Based on your requirement as stated in this subject, you want to PING between Vlan3 and Vlan4. This is not hard. Just follow the comments I've given you below, and you will do just fine :-)
!
interface Vlan3
no forward interface Vlan4 <-- remove this line!!!!!!!!!!!!!!!
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo <-- add this!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
no access-list icmp_outside extended permit icmp any any object-group DefaultICMP
no access-group icmp_outside in interface outside
access-list guest permit icmp any any object-group DefaultICMP
access-list guest deny ip any any log
access-group guest in interface guest
access-list inside permit icmp any any object-group DefaultICMP
access-list inside deny ip any any log
access-group inside in interface inside
static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
By the way, could you also paste the output of this command "show threat-detection shun" here, as well.
If this still doesn't work, paste your latest show run output here. This should be easy and fast :-) Good luck bro
07-16-2012 07:14 PM
Ramraj, thanks for your response! Here's what I'm attempting to do...
I would like to have 4 VLANs
Vlan2 -- Outside
Vlan3 -- Guest Wifi
Vlan4 -- Inside LAN
Vlan5 -- Inside LAN Wifi
I would like to allow any communication between Vlan 4 and Vlan 5.
I would then like Vlan4 and Vlan5 to access Vlan 3 but not vice versa (not critical for this functionality to work)
I would like all the Vlans to have access to the internet.
I know the ASA is not a router but can act as one (kinda). The "show threat-detection shun" command didn't return any results. I appreciate any assistance with helping me get this up and running.
Here is my latest config
: Saved
:
ASA Version 8.2(2)
!
hostname frw01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
nameif inside
security-level 99
ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
nameif insidewifi
security-level 100
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list icmp_outside extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group icmp_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username ***** password PNUmTwjDhevRqhkT encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
07-16-2012 10:56 PM
Hi Bro
Please delete / write erase your present FW configuration, and paste the configuration shown below. This will work. I've done it too many times to know this will work :-)
Please ensure the hub or switch connected to each of the FW interface is different, for security and network performance purposes e.g. Ethernet0/0 - 0/3.
As for the rules portion, let's keep it loose for now. Once all is good, we can then tighten them yaa :-)
Let me know how it goes...
!
hostname FW01
enable password cisco
passwd cisco
!
interface Vlan2
description ### Link to Internet ###
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description ### Link to GUEST WIFI ###
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
description ### Link to INSIDE LAN ###
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
description ### Link to INSIDE WIFI ###
nameif insidewifi
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
description ### Link to Internet ###
switchport access vlan 2
!
interface Ethernet0/1
description ### Link to GUEST WIFI ###
switchport access vlan 3
!
interface Ethernet0/2
description ### Link to INSIDE LAN ###
switchport access vlan 4
!
interface Ethernet0/3
description ### Link to INSIDE WIFI ###
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
no nat-control
!
same-security-traffic permit inter-interface
!
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
access-group outside in interface outside
access-group inside in interface inside
access-group guest in interface guest
access-group insidewifi in interface insidewifi
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
username cisco password cisco privilege 15
ssh 172.16.1.0 255.255.255.0 inside
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay timeout 60
dhcprelay setroute guest
dhcprelay setroute insidewifi
07-17-2012 09:01 PM
Ok, so I took your advice and pasted your config. Now the only host on the inside VLAN can get to the internet. The other VLANs get IP addresses but that's it. I've gotta be missing something simple here.
Here is my config:
hostname FW01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
description ### Link to Internet ###
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description ### Link to GUEST WIFI ###
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
description ### Link to INSIDE LAN ###
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
description ### Link to INSIDE WIFI ###
nameif insidewifi
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
description ### Link to Internet ###
switchport access vlan 2
!
interface Ethernet0/1
description ### Link to GUEST WIFI ###
switchport access vlan 3
!
interface Ethernet0/2
description ### Link to INSIDE LAN ###
switchport access vlan 4
!
interface Ethernet0/3
description ### Link to INSIDE WIFI ###
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
pager lines 24
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
access-group outside in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ****** password PNUmTwjDhevRqhkT encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:28bf26da86f44244c8f0e4768f75ee70
: end
07-17-2012 09:14 PM
Hi Bro
Your Cisco ASA config is good but I'm surprised only INSIDE can access the Internet. Can you confirm the following:
a) LAN users in insidewifi and guest can PING their gateway, i.e. the Cisco ASA itself?
b) LAN users in insidewifi and guest can PING to any Public IP Address e.g. 8.8.8.8?
c) LAN users in insidewifi and guest can PING to any Public FQDN e.g. www.yahoo.com?
d) Are the DNS server settings in insidewifi and guest correct, i.e. the same as for inside users? Is the nslookup output the same?
e) Can you paste the show xlate, and show access-list output here?