To summarize, I believe that you want both VLAN 1 and VLAN 2 to have public Internet access via NAT from the WAN port and this is working, but you do not want VLAN 1 and VLAN 2 to communicate with each other, is this correct?
Having your existing configuration would be useful, but you probably want two different policy classes for VLAN 1 and VLAN 2. They're probably both now in "Private".
So assuming that VLAN 2 is your guest network, do something like the following:
Create a new policy class "Guest"
ip policy-class Guest
Copy just the nat source list line from the Private policy class to the Guest policy class.
Put the VLAN 2 interface in the Guest policy class.
interface vlan 2
ip access-policy Guest
If this doesn't work, or isn't what you want to do, please clarify and post your existing configuration with passwords and sensitive information removed.
The configuration I am using is very simple at this point; it's just a network with 2 VLANs, and the firewall wizard was run to set up basic internet access rules. This indeed means both interface VLANs are on the "private" security zone. I need to ensure only traffic from the 192.168.2.0 network to the gateway address of 192.168.1.1, and then out the WAN port using dynamic DHCP internet connectivity. Therefore, I would need to ensure all other traffic destined for any other internal networks is dropped. Would using that particular NAT rule in a new security zone separate the 2 subnets? Or would I need to apply further rules on the "private" security zone (VLAN 1, 192.168.1.0) to block those packets?
For reference, VLAN 2 is indeed a guest network with wireless access points and no wired nodes other than those access points.
The configuration I am using is very simple at this point; it's just a network with 2 VLANs, and the firewall wizard was run to set up basic internet access rules. This indeed means both interface VLANs are on the "private" security zone. I need to ensure only traffic from the 192.168.2.0 network to the gateway address of 192.168.1.1, and then out the WAN port using dynamic DHCP internet connectivity.
What I suggested should work, assuming that the WAN port is a public IP and you're doing NAT from the Private to Public zone now. What it does is to have two separate "Private-like" zones, each of which NATs out to the same public IP but which are separated from each other by policy.
The gateway address for 192.168.2.0/24 won't be 192.168.1.1, by the way. It will most likely be 192.168.2.1 or whatever the interface IP is on the device for VLAN 2.
Would using that particular NAT rule in a new security zone separate the 2 subnets? Or would I need to apply further rules on the "private" security zone (VLAN 1, 192.168.1.0) to block those packets?
It isn't the NAT rule as much as creating a different policy-class for the guest wireless than you are using for your business LAN. The firewall by default blocks all traffic between different policy classes unless it is specifically allowed. You would be allowing both the "Private" and "Guest" classes to NAT out to the "Public" class but without a rule that permits traffic between them they will be isolated from each other, which is your goal. The names of the zones "Public, Private, Guest" are just reference identifiers interpreted by the software. You could call them Tom, ****, and Harry if you wanted, but it might make it harder to remember later.
If my suggestion doesn't work, please post your configuration with passwords deleted.
Message was edited by: jayh. Actually, you probably can't name a zone ****. The forum seems to have a rather aggressive dirty-word filter, but you get the idea. http://en.wikipedia.org/wiki/Scunthorpe_problem
The best way to separate/protect the two networks from each other is to put them in different policy classes. You can duplicate the NAT settings in each of the security zones to NAT to the desired address. Putting the VLAN interfaces in different policy classes automatically blocks access to one another.
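The procedure described in the answers above, pulled together as one complete AOS configuration. This is an added example, not a configuration posted by anyone in the thread or generated by the firewall wizard, and several names are assumptions: the WAN port is taken to be `eth 0/1`, the access-list names `PRIVATE-NAT`, `GUEST-NAT` and `TO-ROUTER` are chosen here, and the VLAN 2 interface address 192.168.2.1 follows jayh's remark that the guest gateway will be the VLAN 2 interface IP, not 192.168.1.1. Lines beginning with `!` are comments.

```text
! Firewall must be on for policy classes to take effect
ip firewall

! Which source addresses each zone may NAT out of the WAN port
! (assumed ACL names; the wizard generates its own)
ip access-list extended PRIVATE-NAT
  permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended GUEST-NAT
  permit ip 192.168.2.0 0.0.0.255 any

! Used only so each zone can reach the router itself (DHCP, DNS relay)
ip access-list extended TO-ROUTER
  permit ip any any

! Business LAN zone: NAT out of the WAN port, reach the router
ip policy-class Private
  allow list TO-ROUTER self
  nat source list PRIVATE-NAT interface eth 0/1 overload

! Guest zone: same NAT target, but no statement allows Guest -> Private,
! so the firewall drops inter-zone traffic by default
ip policy-class Guest
  allow list TO-ROUTER self
  nat source list GUEST-NAT interface eth 0/1 overload

! WAN zone: no allow statements, so unsolicited inbound traffic is dropped
ip policy-class Public

! WAN port (assumed eth 0/1) gets its address by DHCP
interface eth 0/1
  ip address dhcp
  ip access-policy Public
  no shutdown

! Business LAN stays in Private
interface vlan 1
  ip address 192.168.1.1 255.255.255.0
  ip access-policy Private
  no shutdown

! Guest wireless moves to the new Guest zone
interface vlan 2
  ip address 192.168.2.1 255.255.255.0
  ip access-policy Guest
  no shutdown
```

The isolation comes from the zone assignment, not from the NAT rule: Private and Guest each carry only a `nat source` statement toward the WAN port and a self rule, and nothing permits Guest to Private or Private to Guest, so a guest client pinging 192.168.1.1 or any 192.168.1.x host should fail while Internet access continues to work. To confirm after applying it, `show ip policy-sessions` should list only guest sessions whose destination is the WAN side, and `show ip policy-stats` (both commands are standard AOS show commands) should show the dropped packets when a guest tries to reach the business LAN. If guests need DNS or DHCP from the router, keep the `allow list TO-ROUTER self` line; if a separate DNS server on VLAN 1 is required instead, that would need an explicit, narrowly scoped `allow` from Guest to Private, which is exactly the kind of rule this design otherwise avoids.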
I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Yes, problem is solved. The separate security zones worked like I thought.
I replicated NAT rules from the original security zone and all worked as
On Nov 7, 2013 11:58 AM, "levi" <email@example.com>