Wireless Access

I've recently created a second Guest network on our 3600 controller. The users on this WLAN have a requirement that their Guest traffic be filtered differently than our original Guest network. We have a proxy on our Guest DMZ segment, but all traffic from both Guest networks is being NATed to the same IP, the IP of the 3600 controllers physical interface on the DMZ segment. Due to this, we're unable to filter the traffic seperately, as the proxy is seeing everything coming from the same IP. Is there any way to get around this?

Hi, 

Could you please be more precise about your current configuration? You can create multiple translation rules per your convinience in the security policy but it is mutually exclusive with  per-vlan source NAT. 

Regards, 

We have a Guest network on our main campus on Vlan 1723. The traffic is tunneled from the APs and terminates on our controller. They aren't on a subnet that's routable from our internal networks. When the traffic leaves the controller it's NATed to the Vlan 1 IP of the controller's physical interface 192.168.112.202. It goes to a switch, then a proxy appliance, then an ASA. I created a new Guest network on Vlan 1724 for one of our branch offices. That office has very strict web filtering requirements for their Guest network. My security team is telling me that since both Guest networks are leaving the controller and being NATed to the same 192.168.112.202 address, they have no way to filter one WLAN without also filtering the other.

I guess that you need two different addresses for source-nat VLAN 1723 and 1724. You can do that with NAT Pools. 

HTH, 

Marek 

"You can do that with NAT Pools".

Could you go further into detail on how to accomplish this?

you would do something like this

ip access-list session src-nat-to-pool
  user any any  src-nat pool pool-1

!

and then use different pools on different users.