ASA 5510 Guest Internet Access

Scott Pickles
Level 4

I have a subnet for guest network access, both wired and wireless.  We have a Netgear ProSafe that is trunked to a Cisco 2901 performing 'Router-on-a-Stick'.  For most internal traffic, it all stays behind the ASA.  But for guest traffic, I have a route-map that sets the next-hop address as the outside interface of the ASA.  The question is, how can I still permit those users to access our internal DNS servers?  Do I need any particular NAT translations, exemptions, DNS doctoring, hairpinning, etc.?  I have an ACL on the inside interface that permits traffic from the guest networks to our internal DNS servers, and then the next ACL line denies any other traffic from the guest networks to any of our internal networks.

Regards,
Scott

7 Replies

Julio Carvajal
VIP Alumni

Hello Scott,

Not sure if I get it!

Can you draw up a diagram of your network so we can understand this? Then you can let us know from where to where you need the communication to work, so we can provide you the next step in this troubleshooting.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

@jcarvaja - Sure thing!  I'll get something uploaded soon ...

Attached is the network diagram.  What I want to do is have guest users attach to the wireless internally, use the route-map to force them to the Outside interface on the ASA, and use the ACL 'Inside_access_in' on the ASA to block those users from contacting any internal host with the explicit exception of our two DNS servers, and restrict that level of access to tcp-udp/domain since those are domain controllers and have other services as well.  I am currently getting portmap translation errors.  I suspect this is going to be tricky since I have to NAT the users to the outside interface, but then still allow the DNS queries back in.  Perhaps I should make the next hop the Inside interface?

[Attachment: ASA Guest Access.png]

Hello Scott,

That is correct, you cannot access a distant interface. In this case the hosts are behind the inside interface; they will be able to access outside users, but they will not be able to access the outside interface, so packets will not flow directly to that interface.

Please change it to the inside interface, and then let's work from there!!

Rate helpful posts

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio -

I've got the route-map set to the Inside interface.  Now I have to deal with exempting from translation ONLY the requests to the DNS server (Inside to Inside) and then still follow the normal PAT for all other requests.  I know it's a NAT issue right now, and if I do no config modifications I get a 'portmap translation' error.  If I add a NAT Exempt for the (Inside to Inside) the 'portmap translation' error goes away, but the NAT still isn't working correctly because packet-tracer shows it being dropped.  I wish there was a book that talks about the architecture of the ASA and the way that it processes traffic and how interfaces are related to one another.  All the books I have seen are glorified config manuals, and if your config doesn't match exactly then it isn't necessarily helpful.

Regards,
Scott

It seems like what I would want is a Policy Exempt rule, but it doesn't appear to be an option.  I want to tell the firewall that traffic originating from 192.168.14.0 /24 with a destination of our internal DNS servers (and possibly even specify the destination port) that the address should be exempted from NAT.  Then, all remaining traffic outbound for the internet (once the DNS lookup is successful) should follow the default PAT to the outside interface.  If this can be done with a couple of different NAT rules/policies/ACLs I'm all for it.  But at this point it might seem to be a whole lot easier to just give guest users an outside DNS server and then I can just use the current default PAT rule.

Hello Scott,

Your ASA will need to have a route for both networks

You also will need the following command:

same-security-traffic permit intra-interface

The thing is that the packets from the guest VLAN will go directly to the ASA as their default gateway, then the packets will be routed to the router-on-a-stick and finally to the DNS server; the reply will go from the DNS server to the router-on-a-stick and then directly to the guest user.

The NAT exemption will look like this:

access-list nonat permit ip 192.168.14.0 255.255.255.0 host 192.168.11.6
access-list nonat permit ip 192.168.14.0 255.255.255.0 host 192.168.11.4
nat (inside) 0 access-list nonat

Please give it a try, and also please provide the packet-tracer output:

packet-tracer input inside udp 192.168.14.10 1025 192.168.11.4 53

Regards,

Julio

Rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
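The following is an added example, not code from the thread or from Cisco: a small Python model of the decision Julio's last reply describes. It parses the configuration lines he posted (the nonat access-list, the nat (inside) 0 binding, and same-security-traffic permit intra-interface), reads a packet-tracer command in the form he asked for, and reports whether a flow is exempt from NAT or falls through to the default PAT, and whether it is an inside-to-inside hairpin that needs the intra-interface permit. The route table is constructed (the thread only says the ASA needs routes for both networks); the guest and DNS addresses are the ones from the thread.

```python
"""Model of the ASA NAT-exemption and hairpin logic described in the thread.

Added example, not from the thread or from Cisco.  It parses the posted CLI
lines, picks an egress interface from a constructed route table, decides
whether a flow is exempt from NAT (nat (inside) 0 access-list) or falls to the
default PAT, and flags an inside-to-inside hairpin that requires
'same-security-traffic permit intra-interface'.
"""
import ipaddress
from dataclasses import dataclass

# Configuration lines as posted in the thread (addresses are the thread's own).
CONFIG = """
same-security-traffic permit intra-interface
access-list nonat permit ip 192.168.14.0 255.255.255.0 host 192.168.11.6
access-list nonat permit ip 192.168.14.0 255.255.255.0 host 192.168.11.4
nat (inside) 0 access-list nonat
"""

# Constructed route table: the thread says the ASA needs a route for both
# internal networks (next hop is the 2901, omitted here); default goes outside.
ROUTES = [
    (ipaddress.ip_network("192.168.11.0/24"), "inside"),
    (ipaddress.ip_network("192.168.14.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Flow:
    in_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Parse 'host A', 'any' or 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Collect ACLs, nat 0 bindings and the intra-interface flag from ASA CLI lines."""
    cfg = {"acls": {}, "nat0": {}, "intra_interface": False}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            # access-list NAME permit|deny ip SRC DST
            # The posted ACL is protocol 'ip', so only addresses are matched here.
            src, i = _parse_addr(t, 4)
            dst, _ = _parse_addr(t, i)
            cfg["acls"].setdefault(t[1], []).append(Ace(t[2], src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]        # nat (inside) 0 access-list nonat
        elif t[:3] == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["intra_interface"] = True
    return cfg


def parse_packet_tracer(cmd):
    """Turn 'packet-tracer input IF PROTO SRC SPORT DST DPORT' into a Flow."""
    t = cmd.split()
    if t[:2] != ["packet-tracer", "input"] or len(t) < 8:
        raise ValueError("unsupported packet-tracer form")
    return Flow(t[2], t[3], t[4], int(t[5]), t[6], int(t[7]))


def egress_interface(dst):
    """Longest-prefix match over the constructed ROUTES table."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def evaluate(cfg, flow):
    """Return the NAT decision and hairpin check for one flow."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    exempt = False
    acl = cfg["nat0"].get(flow.in_if)
    for ace in cfg["acls"].get(acl, []):
        if src in ace.src and dst in ace.dst:        # first matching ACE wins
            exempt = ace.action == "permit"
            break
    out_if = egress_interface(flow.dst)
    hairpin = out_if == flow.in_if
    return {
        "nat": "exempt" if exempt else "default PAT",
        "egress": out_if,
        "hairpin": hairpin,
        "allowed": (not hairpin) or cfg["intra_interface"],
    }


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    flow = parse_packet_tracer(
        "packet-tracer input inside udp 192.168.14.10 1025 192.168.11.4 53")
    print(evaluate(cfg, flow))
```

Running the block with the packet-tracer command from the thread reports the DNS flow as exempt, egressing the inside interface as a hairpin that is allowed only because the intra-interface permit is present; a flow from the same guest host to an internet address is not matched by nonat and falls through to the default PAT toward outside.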