ASA 5520 Allowing Guest Wireless Network Access to Internal Internet Facing Resources

jstarr
Level 1

I have searched the community but have been unable to find another discussion with this issue, but if anyone knows of another please let me know with a link.

We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub interface of the inside interface on our ASA 5520.  There are no routes for it to be allowed access to the internal subnets.  So it can only access the internet.  This is primarily used by the public, but we have several non employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL vpn portal or through other internet facing internal resources such as webmail.

I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource.  Is that as clear as mud?

I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require.  And that this can be done seamlessly by network-specific routes and/or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.

Thanks in advance,

Justin Starr

jstarr@novacoast.com

8 Replies

Julio Carvajal
VIP Alumni

Hello Justin,

I am not sure that I understand this, I would like to see a diagram of the network to have a better understanding of what you are looking for!

But just in case, you have an ASA with sub-interfaces and one of them is connected to the wireless section, another one is connected to the internal users/servers and you want to allow traffic from some host on the wireless area to the internal users and servers, right?

I would be more than glad to help.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, pretty cheesy I know, but hopefully it gets the point across.

The clients on the Guest Wireless Network only have access to the internet.  I would like to give the ability to both VPN using our SSL Clientless VPN Portal as well as access the SSL website for Email. 

I have already allowed the Guest Network to access the VPN via the AnyConnect client by enabling ISAKMP on the Guest Wireless Network interface, but I need to give HTTPS access for these other resources.

Does that explain the situation any clearer?

Thanks for the help,

Justin

Hello Justin,

So basically all you are looking for is to allow HTTPS traffic from the Internal network to the Wireless network.

As they belong to the same interface VLAN, you need to add the same-security-traffic permit intra-interface command.

Also, can you do a packet-tracer to see the result?

Let's say the web server is 10.2.0.18 and the client on the wireless will be 10.1.0.19, so:

packet-tracer input inside tcp 10.1.0.19 1025 10.2.0.18 443

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry Julio.

I do not believe I am communicating what I am trying to do well enough. 

We have the wireless guest network segregated from all internal networks.  They even use external DNS.  I want to give them the ability to access our OWA and Clientless SSL VPN portal from the internet. 

Allowing them access to the internal network for such access is poking a hole in that separation of networks we have to keep.

This is a hospital environment and for HIPAA we can not allow the public using an unsecured guest wireless that we provide for internet access only the ability to traverse our internal network even if it is only to a specific machine on a specific port in this manner.

I know this has to be possible but I can not get it figured out.

Thanks again for your help.

StepStoneCB
Level 1

Justin - Did you ever resolve this problem?  I'm looking at the same scenario, need the Wireless VLAN to hit internal webmail via the public internet.

Thanks!

Hello Christopher,

Where is the DNS that the wireless people are using?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

StepStoneCB
Level 1

External Public DNS. 

The only solution I've found is a NAT statement translating the internal mail server to its public address on the Wireless VLAN and adding the necessary access rule.

I would have much preferred the traffic just went straight out to the internet and was treated as such instead of opening this path from the DMZ.  Not sure that is possible though.

Hello Christopher,

If that is what you want then you will need to call on the DNS doctoring feature.

I would explain it to you but I think the guy on this forum did an amazing job, so he will do it for me:

http://www.techrepublic.com/blog/networking/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/1140

Remember to rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
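The configuration below is an added example written for this thread; it is not from any of the posts above and not Cisco's own documentation. It shows the approach Christopher describes (a static NAT presenting the internal mail server under its public address on the guest interface, plus a restrictive access rule), with Julio's packet-tracer check used to confirm both that the permitted path works and that the rest of the internal network stays unreachable from the guest VLAN. It assumes ASA 8.3+ object NAT syntax, that the guest network is its own sub-interface with nameif guest (not the same interface as inside, so same-security-traffic permit intra-interface is not needed), and the following constructed values: inside server 10.2.0.18, guest subnet 10.1.0.0/24, guest client 10.1.0.19, server public address 203.0.113.10.

```text
! Added example, not configuration from this thread. All addresses and
! interface names are constructed/assumed, ASA 8.3+ syntax.

! 1. Objects for the server (real address), its public address, the guest
!    subnet, and the internal address space that guests must never reach.
object network OWA_SERVER
 host 10.2.0.18
 description OWA / clientless SSL VPN host (assumed real address)
object network GUEST_NET
 subnet 10.1.0.0 255.255.255.0
object-group network INTERNAL_NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! 2. The existing outside-facing static NAT (assumed to already be present).
!    A network object can carry only one nat statement, so the guest-side
!    mapping below lives in a second object with the same real host.
object network OWA_SERVER_OUTSIDE
 host 10.2.0.18
 nat (inside,outside) static 203.0.113.10

! 3. Present the same server under its public address on the guest
!    interface. Guests keep using external DNS, resolve the public name to
!    203.0.113.10, and the ASA untranslates it to 10.2.0.18 without the
!    guest ever learning or routing to an internal address.
object network OWA_SERVER_GUEST
 host 10.2.0.18
 nat (inside,guest) static 203.0.113.10

! 4. Guest ingress ACL. ASA 8.3+ ACLs match on real addresses, so the
!    permit names the real server object. Only HTTPS to that host is
!    allowed; everything else toward internal space is denied before the
!    general permit to the Internet.
access-list GUEST_IN extended permit tcp object GUEST_NET object OWA_SERVER eq 443
access-list GUEST_IN extended deny ip any object-group INTERNAL_NETS
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest

! 5. Verification (run from enable mode, not part of the saved config).
!    First trace should end with "Action: allow" and show the
!    un-NAT of 203.0.113.10 to 10.2.0.18; the second, aimed at an
!    arbitrary other internal host (constructed 10.2.0.50), should end
!    with "Action: drop" on the GUEST_IN ACL, proving the segregation
!    the original poster needs is still intact.
packet-tracer input guest tcp 10.1.0.19 1025 203.0.113.10 443
packet-tracer input guest tcp 10.1.0.19 1025 10.2.0.50 445
```

Julio's DNS-doctoring alternative is the same NAT rule with the dns keyword appended (it requires DNS inspection, which the default global policy enables): the ASA then rewrites the A record in the guest's DNS reply from the public address to the real one, so the guest connects to 10.2.0.18 directly. That variant hands guests a real internal address and depends on the ACL above to keep them from anything else, whereas the plain static NAT keeps only the public address in play, which is the closer fit to the HIPAA separation described earlier in the thread. Either way, rerun both packet-tracer commands after the change and confirm the second one still drops.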