How do I set up a guest WLAN through the PIX DMZ interface?

I need to run two WAPs. The secure one is connected to the inside interface via a switch and it works fine: WPA, MAC filtering, etc. I want to add a second, insecure WAP for guests to the DMZ interface and restrict them to outside access and a single inside host (printer) only. I tried the obvious stuff but I think I'm doing the subnet segmenting wrong. Guest WAP users can't reach anything, and my inside machine can't hit the guest WAP box itself so I can admin it.

Probably easiest just to start from scratch.
My inside LAN is 192.168.98.x.
I'd like the guest LAN to be 192.168.97.x.

Thanks
pixnewbie asked:

pixnewbie (Author) commented:
My config so far:

PIX Version 7.2(2)
!
hostname PIX3
domain-name xxx.com
enable password xxxxxxx encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 70.88.x.x 255.255.255.252
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.98.1 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif guest
 security-level 50
 ip address 192.168.97.1 255.255.255.0
!
passwd xxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.com
same-security-traffic permit intra-interface
access-list inside-to-outside remark -------------------
access-list inside-to-outside extended permit ip any any
access-list inside-to-outside extended permit icmp any any
access-list guest-to-inside remark ---------------------
access-list guest-to-inside remark // guest WAP to inside printer only //
access-list guest-to-inside extended permit tcp any host 192.168.98.99
access-list split extended permit ip 192.168.98.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.98.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.98.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip any 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.98.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip any 10.10.10.0 255.255.255.0
access-list remoteClients standard permit 192.168.98.0 255.255.255.0
pager lines 24
logging history warnings
mtu outside 1500
mtu inside 1500
mtu guest 1500
ip local pool new-pool 10.10.11.1-10.10.11.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 2 0.0.0.0 0.0.0.0
access-group guest-to-inside in interface guest
route outside 0.0.0.0 0.0.0.0 70.88.x.x 1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
dhcpd dns 64.202.x.x 64.202.x.x
!
dhcpd address 192.168.98.100-192.168.98.200 inside
dhcpd enable inside
!
dhcpd address 192.168.97.100-192.168.97.200 guest
dhcpd enable guest
batry_boy commented:
Try putting in these commands in order, which assumes that IP 192.168.98.99 is the one host on the inside network that you want to give the guest users access to:

static (inside,guest) 192.168.98.99 192.168.98.99 netmask 255.255.255.255
access-list guest-to-inside extended deny ip any 192.168.98.0 255.255.255.0
access-list guest-to-inside extended permit ip any any
no nat (guest) 2 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0

See if that helps...
pixnewbie (Author) commented:
Nada. My PC is 192.168.98.8 and I can't ping or browse to http://192.168.97.10, which is how I would admin the WAP. If I directly connect to the WAP and get on the 97.x subnet, I get in fine. Am I going about this wrong? Should both WAPs be on the same subnet and segment them for security? I'm pretty open to how to do this.

Thanks
pixnewbie (Author) commented:
I CAN ping the guest WAP from the PIX though.
pixnewbie (Author) commented:
Ah, and guests CAN hit the internet but not my subnet. Excellent. If we can get me to admin it from 192.168.98.x to 192.168.97.10, that'll be a victory.

Is that static you gave me supposed to have 98.99 as both IPs?

Thanks
batry_boy commented:
>>Is that static you gave me supposed to have 98.99 as both IPs?

Yes. That just means that when you send traffic from that IP address to any host in the DMZ, it will be seen as that same IP address by the DMZ hosts.

Is there perhaps an ACL on the WAP that is restricting which IPs can administer it?

If you want to verify connectivity between the inside and the dmz WAP, add the following ACL statement which should allow ping replies to return back from the WAP to an inside host when you ping the WAP from an inside host:

access-list guest-to-inside extended permit icmp any any echo-reply
pixnewbie (Author) commented:
Still no ping. From the LAN side, I assigned 192.168.97.10 to the WAP, and there may be an assumption that it only talks with others on the class C. Can NAT change my 192.168.98.8 to 192.168.97.8 (and back)?
batry_boy commented:
Yes, it can. If you want to try NATting that way instead, do this:

no static (inside,guest) 192.168.98.99 192.168.98.99 netmask 255.255.255.255
global (guest) 1 interface

That will cause any inside address sending traffic to the guest interface to be translated into the IP address of the guest interface itself, which is 192.168.97.1.
pixnewbie (Author) commented:
Bingo. I never thought of looking at it that way. Very cool.

I assume my printer on 98.99 will still be accessible from the guest subnet??? I'm remote so I can't test it right now.

Thanks.
batry_boy commented:
Actually, no.  If you want a host on a higher security level interface (meaning the inside interface in this case) to be accessible to a lower security level interface (the guest interface), then you will need to leave it as a static translation.  It can be a static back to itself or it can be a static to something on the local subnet of the lower security level interface.  For example, it could be:

static (inside,guest) 192.168.98.99 192.168.98.99 netmask 255.255.255.255

or it could be

static (inside,guest) 192.168.97.99 192.168.98.99 netmask 255.255.255.255

where it will look like 97.99 on the guest interface.  However, I would configure it as translated back to itself (the first example) if you want a lower level host to access it.
pixnewbie (Author) commented:
I did it the first way and no printer from the guest subnet. It doesn't show up in printer browsing, etc. Any other things I can try before accepting this solution?
batry_boy commented:
You won't be able to see it show up in a browse list because browsing works via broadcast traffic and the firewall is essentially a layer 3 device meaning that broadcast traffic will not traverse it.  You will have to manually setup the printer and point it to the 192.168.98.99 address.
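Pulling the thread's fixes together, the following is an added example (an editor's consolidation, not batry_boy's or the asker's posted config) of the guest-interface pieces as they would look on the poster's PIX 7.2(2), using the interface names and addresses from the posted config. Two things in it are assumptions rather than something the thread did: the printer rule is narrowed to TCP 9100/515/631 (raw, LPD, IPP) instead of `permit tcp any host 192.168.98.99`, and the 10.10.10.0/24, 10.10.11.0/24 and 192.168.3.0/24 networks that appear in the posted nonat ACL (they look like VPN pool and remote-site ranges) are denied alongside the inside LAN, since the trailing `permit ip any any` would otherwise let guests at them.

```cisco
! Interfaces as posted: outside (security-level 0), inside (100), guest (50)
!
! --- Outbound NAT: inside and guest share NAT id 1 so both match
! --- "global (outside) 1 interface". The posted "nat (guest) 2" had no
! --- matching global, which is why guests initially reached nothing.
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
no nat (guest) 2 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
!
! --- Inside -> guest: PAT inside hosts to the guest interface address
! --- (192.168.97.1) so an admin on 192.168.98.8 can reach the WAP at
! --- 192.168.97.10 even if the WAP only talks to its own /24.
global (guest) 1 interface
!
! --- Guest -> inside: a lower-security interface can only reach an inside
! --- host that has a static translation. The identity static keeps the
! --- printer at its real address as seen from the guest side.
static (inside,guest) 192.168.98.99 192.168.98.99 netmask 255.255.255.255
!
! --- Guest ACL, most specific first. Rebuilt from scratch so the lines
! --- added piecemeal in the thread do not end up shadowed by "permit ip any any".
clear configure access-list guest-to-inside
access-list guest-to-inside remark // guests: printer only on the inside //
! Printer ports are an assumption (raw 9100, LPD 515, IPP 631); widen only if needed
access-list guest-to-inside extended permit tcp any host 192.168.98.99 eq 9100
access-list guest-to-inside extended permit tcp any host 192.168.98.99 eq 515
access-list guest-to-inside extended permit tcp any host 192.168.98.99 eq 631
! Replies to pings sent from inside hosts come back in through the guest interface
access-list guest-to-inside extended permit icmp any any echo-reply
! Block the rest of the inside LAN, plus the (assumed) VPN pool and
! remote-site networks listed in the posted nonat ACL
access-list guest-to-inside extended deny ip any 192.168.98.0 255.255.255.0
access-list guest-to-inside extended deny ip any 10.10.10.0 255.255.255.0
access-list guest-to-inside extended deny ip any 10.10.11.0 255.255.255.0
access-list guest-to-inside extended deny ip any 192.168.3.0 255.255.255.0
! Everything else (the Internet) is allowed for guests
access-list guest-to-inside extended permit ip any any
access-group guest-to-inside in interface guest
```

Order matters: the printer permits and the echo-reply line have to sit above the deny for 192.168.98.0/24, and that deny has to sit above the final permit. As the last answer notes, the printer will never appear in a guest machine's browse list because broadcasts do not cross the PIX; add it on the guest side by address (192.168.98.99). A 1:1 net static mapping 192.168.98.0/24 onto 192.168.97.0/24 would also let inside hosts reach the WAP, but it would collide with the WAP address and DHCP range already in use on the guest subnet, which is why PAT to the guest interface address is the cleaner choice here.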
pixnewbie (Author) commented:
Thanks for the help.