pixnewbie
how do I setup a guest wlan through the pix dmz interface?

I need to run 2 WAPs. The secure one is connected to the inside interface via a switch and it works fine. WPA, MAC filtering, etc. I want to add a second insecure WAP for guests to the DMZ interface and restrict them to outside access and a single inside host (printer) only. I tried the obvious stuff but I think I'm doing the subnet segmenting wrong. Guest WAP users can't reach anything and my inside machine can't hit the guest WAP box itself so I can admin it.

Probably easiest just to start from scratch.
my inside lan is 192.168.98.x
I'd like the guest lan to be 192.168.97.x

tks
pixnewbie (ASKER)

My config so far:

PIX Version 7.2(2)
!
hostname PIX3
domain-name xxx.com
enable password xxxxxxx encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 70.88.x.x 255.255.255.252
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.98.1 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif guest
 security-level 50
 ip address 192.168.97.1 255.255.255.0
!
passwd xxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.com
same-security-traffic permit intra-interface
access-list inside-to-outside remark -------------------
access-list inside-to-outside extended permit ip any any
access-list inside-to-outside extended permit icmp any any
access-list guest-to-inside remark ---------------------
access-list guest-to-inside remark // guest WAP to inside printer only //
access-list guest-to-inside extended permit tcp any host 192.168.98.99
access-list split extended permit ip 192.168.98.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.98.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.98.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip any 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.98.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip any 10.10.10.0 255.255.255.0
access-list remoteClients standard permit 192.168.98.0 255.255.255.0
pager lines 24
logging history warnings
mtu outside 1500
mtu inside 1500
mtu guest 1500
ip local pool new-pool 10.10.11.1-10.10.11.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 2 0.0.0.0 0.0.0.0
access-group guest-to-inside in interface guest
route outside 0.0.0.0 0.0.0.0 70.88.x.x 1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
dhcpd dns 64.202.x.x 64.202.x.x
!
dhcpd address 192.168.98.100-192.168.98.200 inside
dhcpd enable inside
!
dhcpd address 192.168.97.100-192.168.97.200 guest
dhcpd enable guest
Try putting in these commands in order, which assumes that IP 192.168.98.99 is the one host on the inside network that you want to give the guest users access to:

static (inside,guest) 192.168.98.99 192.168.98.99 netmask 255.255.255.255
access-list guest-to-inside extended deny ip any 192.168.98.0 255.255.255.0
access-list guest-to-inside extended permit ip any any
no nat (guest) 2 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0

See if that helps...
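The answer above relies on PIX evaluating an interface ACL top to bottom and stopping at the first match, with an implicit deny at the end; new `access-list` lines are appended after the existing ones. The following Python model is an added example, not code from the thread or from Cisco: it parses the `guest-to-inside` lines exactly as they appear on this page (the asker's original permit line, the answer's two lines, and the `echo-reply` line added later) and runs constructed guest-side flows through them. It shows why the original one-line list blocked Internet access (implicit deny), why the order matters (the tcp permit to the printer sits before the deny for 192.168.98.0/24, but a line appended after that deny never sees traffic to that subnet, including ICMP replies addressed to an inside host), and that the printer is only permitted over TCP. All hosts other than those on the page are constructed sample addresses.

```python
import ipaddress

# Constructed from this thread's access-list lines. The asker's original
# guest-to-inside list is the single permit line (plus a remark).
ORIGINAL_GUEST_ACL = """
access-list guest-to-inside remark // guest WAP to inside printer only //
access-list guest-to-inside extended permit tcp any host 192.168.98.99
"""

# The list as it stands after the answer's two commands, plus the echo-reply
# line added later in the thread. PIX appends each new entry at the end.
GUEST_ACL = ORIGINAL_GUEST_ACL + """
access-list guest-to-inside extended deny ip any 192.168.98.0 255.255.255.0
access-list guest-to-inside extended permit ip any any
access-list guest-to-inside extended permit icmp any any echo-reply
"""


def _parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text):
    """Return [(action, proto, src_net, dst_net, icmp_type), ...] in config order.
    Remarks and non-extended lines are skipped; order is preserved because PIX
    matches the first entry that fits the packet."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        # access-list NAME extended ACTION PROTO SRC... DST... [icmp-type]
        action, proto = tokens[3], tokens[4]
        rest = tokens[5:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        icmp_type = rest[0] if rest else None
        rules.append((action, proto, src, dst, icmp_type))
    return rules


def evaluate(rules, proto, src, dst, icmp_type=None):
    """First-match evaluation. Returns (action, 1-based rule index), or
    ('deny', None) when the implicit deny at the end of the list applies."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, r_proto, r_src, r_dst, r_type) in enumerate(rules, 1):
        if r_proto != "ip" and r_proto != proto:   # 'ip' covers every protocol
            continue
        if src_ip not in r_src or dst_ip not in r_dst:
            continue
        if r_type is not None and r_type != icmp_type:
            continue
        return action, idx
    return "deny", None


if __name__ == "__main__":
    guest = "192.168.97.150"          # constructed guest client
    for label, acl in (("original", ORIGINAL_GUEST_ACL), ("after answer", GUEST_ACL)):
        rules = parse_acl(acl)
        print(label)
        print("  tcp -> printer 98.99 :", evaluate(rules, "tcp", guest, "192.168.98.99"))
        print("  udp -> printer 98.99 :", evaluate(rules, "udp", guest, "192.168.98.99"))
        print("  tcp -> inside 98.8   :", evaluate(rules, "tcp", guest, "192.168.98.8"))
        print("  tcp -> Internet      :", evaluate(rules, "tcp", guest, "198.51.100.10"))
    # Reply from the WAP (97.10) to an inside pinger is caught by the deny line
    # that precedes the appended echo-reply permit.
    print("echo-reply 97.10 -> 98.8:", evaluate(parse_acl(GUEST_ACL), "icmp",
                                                "192.168.97.10", "192.168.98.8", "echo-reply"))
```

The evaluator deliberately ignores ports, since none of the page's entries carry them; everything else follows the PIX semantics the answer depends on.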
nada. My PC is 192.168.98.8 and I can't ping or browse to http://192.168.97.10 which is how I would admin the WAP. If I directly connect to the WAP and get on the 97.x subnet, I get in fine. Am I going about this wrong? Should both WAPs be on the same subnet and segment them for security? I'm pretty open to how to do this.

tks
I CAN ping the guest WAP from the PIX though.
ah, and guests CAN hit the internet but not my subnet. Excellent. If we can get me to admin it from the 192.168.98.x to the 192.168.97.10, that'll be a victory.

Is that static you gave me supposed to have 98.99 as both IPs?

tks
>>Is that static you gave me supposed to have 98.99 as both IPs?

Yes.  That just means that when you send traffic from that IP address to any host in the dmz, it will be seen as that same IP address by the dmz hosts.

Is there perhaps an ACL on the WAP that is restricting access to which IP's can administrate it?

If you want to verify connectivity between the inside and the dmz WAP, add the following ACL statement which should allow ping replies to return back from the WAP to an inside host when you ping the WAP from an inside host:

access-list guest-to-inside extended permit icmp any any echo-reply
still no ping. From the lan side, I assigned 192.168.97.10 to the wap and there may be an assumption that it only talks with others on the class C.  Can NAT change my 192.168.98.8 to 192.168.97.8 (and back)?
Yes, it can.  If you want to try natting that way instead, do this:

no static (inside,guest) 192.168.98.99 192.168.98.99 netmask 255.255.255.255
global (guest) 1 interface

That will cause any inside address sending traffic to the guest interface to be translated into the IP address of the guest interface itself, which is 192.168.97.1.
bingo. I never thought of looking at it that way. very cool.

I assume my printer on 98.99 will still be accessible from the guest subnet??? I'm remote so I can't test it right now.

tks.
Actually, no.  If you want a host on a higher security level interface (meaning the inside interface in this case) to be accessible to a lower security level interface (the guest interface), then you will need to leave it as a static translation.  It can be a static back to itself or it can be a static to something on the local subnet of the lower security level interface.  For example, it could be:

static (inside,guest) 192.168.98.99 192.168.98.99 netmask 255.255.255.255

or it could be

static (inside,guest) 192.168.97.99 192.168.98.99 netmask 255.255.255.255

where it will look like 97.99 on the guest interface.  However, I would configure it as translated back to itself (the first example) if you want a lower level host to access it.
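The NAT discussion in the last few replies comes down to three rules of PIX 7.x address translation: for traffic from a higher to a lower security level the source is translated, and a `static` for that exact host takes precedence over the `nat`/`global` pair; `global (guest) 1 interface` makes every other inside source appear as the guest interface address 192.168.97.1; and a host on the higher-security side is reachable from the lower side only at the address a `static` publishes there. The Python model below is an added example written for this page, not the PIX code or anything from the thread; it encodes those rules and the thread's final configuration (`nat (inside) 1`, `nat (guest) 1`, `global (outside) 1 interface`, `global (guest) 1 interface`, one static for the printer) and answers "what does this flow look like on the other interface?" for the cases the replies discuss. The outside address is masked on the page (70.88.x.x), so a constructed stand-in is used; 192.168.97.150 and 198.51.100.10 are constructed sample hosts. Equal security levels and flows with no translation at all are outside the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    """One `static (real_if,mapped_if) mapped real netmask 255.255.255.255`."""
    real_if: str
    mapped_if: str
    mapped: str     # address the host shows on mapped_if
    real: str       # the host's actual address on real_if


@dataclass
class PixNat:
    levels: dict        # nameif -> security-level
    if_addr: dict       # nameif -> interface address (what 'global ... interface' hands out)
    statics: list       # Static entries
    nat_id: dict        # nameif -> ID from 'nat (nameif) ID 0.0.0.0 0.0.0.0'
    globals_: dict      # (egress nameif, ID) -> 'interface' or a pool address

    def translate(self, src_if, dst_if, src, dst):
        """Return (src as seen on dst_if, real dst on dst_if), or None when no
        translation covers the flow. Equal security levels are not modeled."""
        if self.levels[src_if] > self.levels[dst_if]:
            # Higher -> lower: the source is translated. A static for that exact
            # host wins over the dynamic nat/global pair, so 98.99 keeps its
            # address even while 'global (guest) 1 interface' hides the rest.
            for s in self.statics:
                if (s.real_if, s.mapped_if, s.real) == (src_if, dst_if, src):
                    return s.mapped, dst
            g = self.globals_.get((dst_if, self.nat_id.get(src_if)))
            if g is None:
                return None     # no global on this egress interface for that nat ID
            return (self.if_addr[dst_if] if g == "interface" else g), dst
        # Lower -> higher: the destination must be an address a static publishes
        # on the lower interface; it is untranslated back to the real host.
        for s in self.statics:
            if (s.real_if, s.mapped_if, s.mapped) == (dst_if, src_if, dst):
                return src, s.real
        return None


OUTSIDE_ADDR = "203.0.113.2"    # constructed stand-in; the page masks it as 70.88.x.x


def thread_config(printer_mapped="192.168.98.99"):
    """Final configuration reached in the thread. printer_mapped is the address
    the guest side uses for the printer: 98.99 (static back to itself, the
    recommended form) or 97.99 (the alternative the reply shows)."""
    return PixNat(
        levels={"outside": 0, "guest": 50, "inside": 100},
        if_addr={"outside": OUTSIDE_ADDR, "guest": "192.168.97.1", "inside": "192.168.98.1"},
        statics=[Static("inside", "guest", printer_mapped, "192.168.98.99")],
        nat_id={"inside": 1, "guest": 1},
        globals_={("outside", 1): "interface", ("guest", 1): "interface"},
    )


if __name__ == "__main__":
    pix = thread_config()
    print("admin PC 98.8 -> WAP 97.10  :", pix.translate("inside", "guest", "192.168.98.8", "192.168.97.10"))
    print("printer 98.99 -> WAP 97.10  :", pix.translate("inside", "guest", "192.168.98.99", "192.168.97.10"))
    print("guest -> printer 98.99      :", pix.translate("guest", "inside", "192.168.97.150", "192.168.98.99"))
    print("guest -> inside PC 98.8     :", pix.translate("guest", "inside", "192.168.97.150", "192.168.98.8"))
    print("guest -> Internet           :", pix.translate("guest", "outside", "192.168.97.150", "198.51.100.10"))
    alt = thread_config(printer_mapped="192.168.97.99")
    print("guest -> printer as 97.99   :", alt.translate("guest", "inside", "192.168.97.150", "192.168.97.99"))
```

With the 97.99 form, the guest side only reaches the printer at 192.168.97.99; on PIX/ASA releases before 8.3 an interface ACL refers to that mapped address, so the existing `permit tcp any host 192.168.98.99` line would also have to change, which is one practical reason the static back to itself is the simpler choice.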
I did it the first way and no printer from the guest subnet. It doesn't show up in printer browsing, etc. Any other things I can try before accepting this solution?
ASKER CERTIFIED SOLUTION
batry_boy

tks for the help.