Wireless Access

New Contributor
Posts: 4
Registered: ‎04-01-2013

Multiple Guest networks and NAT

I've recently created a second Guest network on our 3600 controller. The users on this WLAN have a requirement that their Guest traffic be filtered differently than our original Guest network. We have a proxy on our Guest DMZ segment, but all traffic from both Guest networks is being NATed to the same IP, the IP of the 3600 controller's physical interface on the DMZ segment. Due to this, we're unable to filter the traffic separately, as the proxy is seeing everything coming from the same IP. Is there any way to get around this?

Frequent Contributor I
Posts: 97
Registered: ‎04-13-2009

Re: Multiple Guest networks and NAT

Hi, 

Could you please be more precise about your current configuration? You can create multiple translation rules per your convenience in the security policy, but it is mutually exclusive with per-VLAN source NAT.

Regards, 

 

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356
New Contributor
Posts: 4
Registered: ‎04-01-2013

Re: Multiple Guest networks and NAT

We have a Guest network on our main campus on Vlan 1723. The traffic is tunneled from the APs and terminates on our controller. They aren't on a subnet that's routable from our internal networks. When the traffic leaves the controller it's NATed to the Vlan 1 IP of the controller's physical interface 192.168.112.202. It goes to a switch, then a proxy appliance, then an ASA. I created a new Guest network on Vlan 1724 for one of our branch offices. That office has very strict web filtering requirements for their Guest network. My security team is telling me that since both Guest networks are leaving the controller and being NATed to the same 192.168.112.202 address, they have no way to filter one WLAN without also filtering the other.

Frequent Contributor I
Posts: 97
Registered: ‎04-13-2009

Re: Multiple Guest networks and NAT

I guess that you need two different addresses for source-nat VLAN 1723 and 1724. You can do that with NAT Pools. 

HTH, 

Marek 

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356
Regular Contributor I
Posts: 231
Registered: ‎05-04-2011

Re: Multiple Guest networks and NAT

"You can do that with NAT Pools".

 

Could you go further into detail on how to accomplish this?

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: Multiple Guest networks and NAT

You would do something like this:

ip access-list session src-nat-to-pool
  user any any src-nat pool pool-1
!

and then use different pools on different users.
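
The approach from the replies above, carried through for both guest networks, as an added example that is not from the thread's posters or from Aruba: each guest role gets its own session ACL that source-NATs to its own pool, so the proxy sees a distinct source address per WLAN. The pool names, ACL names, role names and the two pool addresses are constructed placeholders, assumed to be unused addresses on the same DMZ segment as 192.168.112.202; the lines beginning with "!" are annotations for the reader.

```text
! One single-address pool per guest network (start and end address are equal).
! Addresses are constructed placeholders, not values from the thread.
ip nat pool guest-1723-pool 192.168.112.203 192.168.112.203
ip nat pool guest-1724-pool 192.168.112.204 192.168.112.204
!
! Session ACL for the original campus guest network (VLAN 1723)
ip access-list session src-nat-guest-1723
  user any any src-nat pool guest-1723-pool
!
! Session ACL for the branch guest network (VLAN 1724)
ip access-list session src-nat-guest-1724
  user any any src-nat pool guest-1724-pool
!
! Hypothetical role names; use the roles the two guest WLANs actually assign
user-role guest-campus
  access-list session src-nat-guest-1723
!
user-role guest-branch
  access-list session src-nat-guest-1724
!
```

Session ACL rules are evaluated in order and the first match applies, so the src-nat ACL belongs after any ACLs in the role that restrict guest access. As noted earlier in the thread, this policy-based source NAT is mutually exclusive with per-VLAN source NAT.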
