Inter VLAN-Routing ASA 5505

Garland Moore
Level 1

Hello,

I've been reading all over the internet (including this site) trying to figure out if the ASA can handle inter-VLAN routing. I'm not sure what I am missing in my config to get this to work. I've read that it can work and I've read that it can't work. Can someone lead me in the right direction on how to get this to work on my ASA 5505?

Here is my setup

Cable Modem ---> ASA (eth0/0)
                     (eth0/2) --> unmanaged switch for LAN connectivity
                     (eth0/3) --> access point for wireless LAN connectivity

My config is attached

What I would like to do is be able to communicate between vlan3 (LAN) and vlan4 (Wireless LAN).

What's strange is I can RDP between the two VLANs but I can't ping or do anything else.

Any help is appreciated!

Accepted Solution

Hi Bro

I believe everything is working fine now. Please do paste your latest config here, so that the others could learn from your experience as well.

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam


21 Replies

Jouni Forss
VIP Alumni

Hi,

Personally I would do the following:

1.) Change the wifi interface security-level to something like 99

2.) Remove the NAT command: static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

3.) Configure ICMP inspection so ICMP will pass through without opening both directions for the traffic (echo and reply)

4.) Build access-lists for each interface even though they might be simple

One option with the NAT you have is of course using NAT0/NAT Exempt to tell the ASA that no translation between these networks will be done. Then again, I think the ASA doesn't have "nat-control" configured at the moment, so removing both the static translations should still mean your 2 LAN networks should be able to reach each other without using NAT.

- Jouni

The ICMP inspection configuration was:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

Jouni Forss, thanks for your response. I tried your suggested steps and I was still unable to talk between the two VLANs. Is my approach to this scenario wrong? I know ASAs aren't typically used as Layer devices, but from what I've been reading it can be done.

From my reading it seems like the following alone should allow me to talk across the vlans:

static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Sorry for all the questions; I'm familiar with routing and switching, but the ASA is kind of a different beast.

Another thing that's weird to me is that when I do a packet trace it states that the packet is allowed. Any help is appreciated.

Hi,

There should be no problem using the ASA in this kind of setup, though I'm more used to doing this with the other ASA models (ASA 5510 and onwards, where the interface configuration differs compared to the ASA 5505: no actual switch ports).

The "same-security-traffic" command basically either permits traffic between interfaces with the same security-level or allows traffic to be sent out the same interface it originally came in on. In this case only one of them should apply.

Seems strange to me that you can indeed use RDP connections but nothing else works. One would think the problem stems from something other than the firewall settings if some connections go through.

Have you been able to send ICMP through the firewall after adding the commands I mentioned? There shouldn't be anything preventing the echoes/echo replies other than the devices sending them.

If you want to allow ICMP echoes on your ASA's interfaces you can use the command

icmp permit any

This command allows you to ping the ASA's interfaces. Notice though that you can't ping an ASA interface behind another ASA interface. You can only ping the interface behind which you are connected.

I typically allow ICMP on all interfaces that aren't connected to a public network/Internet.

Naturally, if you have some TCP connection that you can use to test traffic between these VLANs, try it out and at the same time monitor the traffic through ASDM and see what happens to the connection. Does the connection get built on the ASA but then get torn down by SYN Timeout, or what's happening?

- Jouni

So I've made the changes you suggested but I'm still unable to get the functionality I am looking for. My config after the changes is below.

ASA Version 8.2(2)
!
hostname frw01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan4
 nameif guest
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
 nameif inside
 security-level 99
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
 nameif insidewifi
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
access-list icmp_outside extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group icmp_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username ******** password PNUmTwjDhevRqhkT encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3fcbac02b3e4b4e6919cf34a9137b4fb

Below is the error message that I receive when trying to connect to an access point on a different subnet.

2 | Jul 11 2012 | 23:52:18 | 106001 | 172.16.1.200 | 50262 | 172.16.2.1 | 80 | Inbound TCP connection denied from 172.16.1.200/50262 to 172.16.2.1/80 flags SYN on interface inside

Maybe I have some overkill here and should start from scratch and change my approach. It seems that my lack of experience with the ASA is part of the issue.

Suggestions or thoughts?

Hi,

Seems to me that the log message implies that the host (inside) 172.16.1.200 is connecting to the ASA interface (insidewifi). (TCP SYN to interface IP)

This will naturally be blocked. In the same way an ICMP from behind the "inside" interface to the "insidewifi" would be blocked.

Why are you connecting to the ASA interface IP?

- Jouni

Also,

Have you considered configuring a trunk between the ASA 5505 and the local switch? Since at the moment you just have access ports for all the Vlan interfaces on the ASA.

I presume you have gotten the ASA with something else than the Base license since you have over 3 interfaces on it. To my understanding.

Unfortunately I so rarely deal with the ASA 5505 that I have forgotten some of the differences it has from the later models.

- Jouni

The log above was generated when trying to ping a host on a different VLAN. I wasn't attempting to connect to the ASA interface IP. The switch connected to the ASA is an unmanaged switch, so I didn't think a trunk was necessary since everything connected to that switch will be on the same VLAN.

The ASA does have a Security Plus license.

Hi,

I guess by ping you are referring to some application testing TCP traffic (the same way the newer ASA software versions have TCP ping)? An actual ICMP echo wouldn't generate that message.

I assume the unmanaged switch is only connected to the port Ethernet0/2 on the ASA? (only for interface "inside" users)

- Jouni

Hi Bro

Based on your requirement as stated in this subject, you want to PING between Vlan3 and Vlan4. This is not hard. Just follow the comments I've given you below, and you will do just fine :-)


!
interface Vlan3
no forward interface Vlan4  <-- remove this line!!!!!!!!!!!!!!!
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!


object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo <-- add this!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded

no access-list icmp_outside extended permit icmp any any object-group DefaultICMP
no access-group icmp_outside in interface outside

access-list guest permit icmp any any object-group DefaultICMP
access-list guest deny ip any any log
access-group guest in interface guest

access-list inside permit icmp any any object-group DefaultICMP
access-list inside deny ip any any log
access-group inside in interface inside

static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

By the way, could you also paste the output of this command "show threat-detection shun" here, as well.

If this still doesn't work, paste your latest show run output here. This should be easy and fast :-) Good luck bro

Warm regards,
Ramraj Sivagnanam Sivajanam
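As an added illustration (not code from this thread or from Cisco), here is a small Python checker that applies the points raised in the replies above to a trimmed copy of the poster's config: the ASA 5505 "no forward interface" restriction, the rule that an interface with no access-group can only initiate traffic toward a lower security-level (equal levels need "same-security-traffic permit inter-interface"), and an ICMP object-group that lists echo-reply but not echo. The config text, function names and message wording are constructed for this example.

```python
import re
from itertools import permutations
# Constructed sample: the lines of the poster's first config that matter here.
SAMPLE_CONFIG = """\
interface Vlan3
 no forward interface Vlan4
 nameif guest
 security-level 50
!
interface Vlan4
 nameif inside
 security-level 99
!
interface Vlan5
 nameif insidewifi
 security-level 100
!
same-security-traffic permit inter-interface
object-group icmp-type DefaultICMP
 icmp-object echo-reply
access-list icmp_outside extended permit icmp any any object-group DefaultICMP
access-group icmp_outside in interface outside
"""

def parse_config(text):
    """Collect the parts of an ASA 8.2 config that govern inter-VLAN reachability."""
    ifaces, groups, bound, flags, cur, grp = {}, {}, {}, set(), None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "!":
            cur = grp = None
        elif m := re.match(r"interface (Vlan\d+)$", line):
            cur = ifaces.setdefault(m.group(1), {"name": None, "level": None, "no_forward": []})
        elif m := re.match(r"object-group icmp-type (\S+)$", line):
            grp = groups.setdefault(m.group(1), set())
        elif cur and (m := re.match(r"nameif (\S+)$", line)):
            cur["name"] = m.group(1)
        elif cur and (m := re.match(r"security-level (\d+)$", line)):
            cur["level"] = int(m.group(1))
        elif cur and (m := re.match(r"no forward interface (Vlan\d+)$", line)):
            cur["no_forward"].append(m.group(1))
        elif grp is not None and (m := re.match(r"icmp-object (\S+)$", line)):
            grp.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound
        elif line.startswith("same-security-traffic permit "):
            flags.add(line.split()[-1])     # "inter-interface" / "intra-interface"
    return ifaces, groups, bound, flags

def check_inter_vlan(text):
    """Return findings that explain why traffic between the VLAN interfaces is dropped."""
    ifaces, groups, bound, flags = parse_config(text)
    name_of = {vlan: d["name"] for vlan, d in ifaces.items()}
    findings = []
    # 1. 'no forward interface' (ASA 5505) wins over any ACL or security-level.
    for vlan, d in ifaces.items():
        for target in d["no_forward"]:
            findings.append(f"{d['name']} ({vlan}): 'no forward interface {target}' blocks "
                            f"traffic to {name_of.get(target, target)}; remove it")
    # 2. Without an access-group on the source interface the ASA only lets a higher
    #    security-level initiate to a lower one; equal levels also need the inter-interface flag.
    for a, b in permutations(ifaces.values(), 2):
        if a["name"] in bound:
            continue  # an explicit ACL decides; not evaluated by this checker
        if a["level"] < b["level"]:
            findings.append(f"{a['name']}({a['level']}) -> {b['name']}({b['level']}): "
                            f"lower to higher security-level, no access-group: blocked")
        elif a["level"] == b["level"] and "inter-interface" not in flags:
            findings.append(f"{a['name']} -> {b['name']}: equal security-level without "
                            f"'same-security-traffic permit inter-interface': blocked")
    # 3. An ICMP object-group with echo-reply but no echo never permits the ping itself.
    for name, members in groups.items():
        if "echo-reply" in members and "echo" not in members:
            findings.append(f"object-group {name}: lists echo-reply but not echo, so an ACL "
                            f"using it permits replies but never the echo request")
    return findings
```

Running check_inter_vlan(SAMPLE_CONFIG) reports the "no forward interface" line on guest, the three lower-to-higher directions (guest to inside, guest to insidewifi, inside to insidewifi) that have no ACL to permit them, and the missing echo in DefaultICMP.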

Ramraj, thanks for your response! Here's what I'm attempting to do...

I would like to have 4 VLANs

Vlan2 -- Outside

Vlan3 -- Guest Wifi

Vlan4 -- Inside LAN

Vlan5 -- Inside LAN Wifi

I would like to allow any communication between Vlan 4 and Vlan 5.

I would then like Vlan4 and Vlan5 to access Vlan 3 but not vice versa (not critical for this functionality to work)

I would like all the Vlans to have access to the internet.

I know the ASA is not a router but can act as one (kinda). The "show threat-detection shun" command didn't return any results. I appreciate any assistance with helping me get this up and running.

Here is my latest config

: Saved
:
ASA Version 8.2(2)
!
hostname frw01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif guest
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
 nameif inside
 security-level 99
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
 nameif insidewifi
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
access-list icmp_outside extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (insidewifi,inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group icmp_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username ***** password PNUmTwjDhevRqhkT encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Hi Bro

Please delete / write erase your present FW configuration, and paste the configuration shown below. This will work. I've done it too many times to know this will work :-)

Please ensure the hub or switch connected to each of the FW interfaces (e.g. Ethernet0/0 - 0/3) is different, for security and network performance purposes.

As for the rules portion, let's keep it loose for now. Once all is good, we can then tighten them yaa :-)

Let me know how it goes...

!
hostname FW01
enable password cisco
passwd cisco
!
interface Vlan2
description ### Link to Internet ###
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description ### Link to GUEST WIFI  ###
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
description ### Link to INSIDE LAN ###
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
description ### Link to INSIDE WIFI ###
nameif insidewifi
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
description ### Link to Internet ###
switchport access vlan 2
!
interface Ethernet0/1
description ### Link to GUEST WIFI  ###
switchport access vlan 3
!
interface Ethernet0/2
description ### Link to INSIDE LAN ###
switchport access vlan 4
!
interface Ethernet0/3
description ### Link to INSIDE WIFI ###
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!

no nat-control

!
same-security-traffic permit inter-interface
!
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any

access-group outside in interface outside
access-group inside in interface inside
access-group guest in interface guest
access-group insidewifi in interface insidewifi


global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0

aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

http server enable
http 172.16.1.0 255.255.255.0 inside

username cisco password cisco privilege 15

ssh 172.16.1.0 255.255.255.0 inside

management-access inside

dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay timeout 60
dhcprelay setroute guest
dhcprelay setroute insidewifi

Warm regards,
Ramraj Sivagnanam Sivajanam

Ok, so I took your advice and pasted your config. Now only the host on the inside VLAN can get to the internet. The other VLANs get IP addresses but that's it. I've gotta be missing something simple here.

Here is my config:

hostname FW01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 description ### Link to Internet ###
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 description ### Link to GUEST WIFI  ###
 nameif guest
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan4
 description ### Link to INSIDE LAN ###
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan5
 description ### Link to INSIDE WIFI ###
 nameif insidewifi
 security-level 50
 ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
 description ### Link to Internet ###
 switchport access vlan 2
!
interface Ethernet0/1
 description ### Link to GUEST WIFI  ###
 switchport access vlan 3
!
interface Ethernet0/2
 description ### Link to INSIDE LAN ###
 switchport access vlan 4
!
interface Ethernet0/3
 description ### Link to INSIDE WIFI ###
 switchport access vlan 5
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
pager lines 24
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
access-group outside in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
!
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ****** password PNUmTwjDhevRqhkT encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:28bf26da86f44244c8f0e4768f75ee70
: end

Hi Bro

Your Cisco ASA config is good but I'm surprised only INSIDE can access the Internet. Can you confirm the following:

a) LAN users in insidewifi and guest can PING their gateway, i.e. the Cisco ASA itself?

b) LAN users in insidewifi and guest can PING any Public IP Address, e.g. 8.8.8.8?

c) LAN users in insidewifi and guest can PING any Public FQDN, e.g. www.yahoo.com?

d) Are the DNS server settings in insidewifi and guest correct, i.e. the same as for inside users? Is the nslookup output the same?

e) Can you paste the show xlate, and show access-list output here?

Warm regards,
Ramraj Sivagnanam Sivajanam