Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Guest Access Exceptions

Finally got Guest Access to work but need to set up exceptions. Users get DHCP and DNS from local server and then are allow http and https access to the internet only. Local http / https is blocked by a rule to all on an internal Class B subnet. Rules look like this:

permit any udp dhcp client in

permit any udp dhcp server out

permit range any udp dns in

permit any range udp dns out

deny range range tcp http in

deny range range tcp http out

deny range range tcp https in

deny range range tcp https out

allow range any tcp http in

allow any range tcp http out

allow range any tcp https in

allow any range tcp https out

Problem: Users may want to get to our websites that resolve differently locally. Global dns might point to, but internally points to This is a Class C subnet.

I created a permit rule for the local sites, but it's not working. I think the order is the problem, but I don't know.

Any help would be really appreciated. Thank you kindly.


Re: Guest Access Exceptions


Yes it could be the order, but it is difficult to say without the real ranges here.

Try to review your ACL, if you deny something that is allowed afterwards, it will be blocked. So if you say:

deny tcp http in

allow tcp http in, it will be blocked... the first rule to match the packet you receive is applied, and the system stops there, without checking the other lines...



Re: Guest Access Exceptions

Aside from your ACL problems, most people will point Guest Networks towards a public DNS server, not a private / internal one.

Two reasons for this;

First, it helps prevent guests from getting information about your internal network

Second, it ensures they go 'out' and 'back in' again - ie, public DNS will only ever return public IP addresses, therefore ensuring Guest Users don't encounter the problem you describe.

Community Member

Re: Guest Access Exceptions


Where can I get a list of trustworthy public DNS sites? I don't want to pick the first search response of Google. :)

Re: Guest Access Exceptions

Using the ones provided by your ISP will normally provide good results...

Community Member

Re: Guest Access Exceptions

Thanks for your help. We get our DNS from our parent company and this is out of spec--I can't ask them who their DNS provider is. Any other suggestion?

Community Member

Re: Guest Access Exceptions

OK, it was the order and I got it working!!!

Thanks for the ideas and help!

Re: Guest Access Exceptions

Excellent, glad to help!

And a 5 for you to give us our feedback, this thread might be useful to others!


Community Member

Re: Guest Access Exceptions

We had the same issue. We are using the FWSM. Our servers have an internal IP address and sit in a DMZ of the firewall as do the wireless users. Along with the internal ACL:'s we added a wireless view on our external DNS which also resides on another DMZ within the FWSM. This view takes just the subnet of those wireless users and points them to a different ip for specific name resolutions. This way I give the wireless users web access only to the internal address of the web server keeping them internal to the FWSM.

CreatePlease to create content