Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 780
  • Last Modified:

LINKSYS WIRELESS ROUTER AND CISCO ASA5505

Hello all and thank you for your time.  I have a cisco asa 5505 appliance with one static IP for the LAN and a LINKSYS WIRELESS ROUTER in my conference room which OBVIOUSLY PROVIDES WIFI ACCESS to the network.  my concern is that guest who sign on using the WiFi could potentially access network resources that they should not have access to.  

the boss uses the WiFi so he can sit with his laptop and access our resources without jacking in.  I need to continue with his access but also secure the access if clients are using our wifi for internet access. the current linksys router has no security features as far as creating multiple ssid's, guest accounts, etc. obviously I could purchase a new WiFi router with guest access, web filtering , etc.  is their anything I could do  to secure the access for guest  and still maintane access fro internal users
0
jrojas1213
Asked:
jrojas1213
1 Solution
 
zgiuffriaCommented:
What are you worrying about them accessing?  Files on a server?  Database?  
0
 
Mighty_Commented:
Hello,

We have a similar setup. We have our wireless router available for visitors and it's WAN port is connected to a LAN port of our Linksys Gateway. We've put the linksys lan port on a separate VLAN and that successfully prevents consultants/visitors from accessing our LAN resources all the while allowing them access to the net via wifi. Internal users that want to benefit from the wifi have to use VPN to access LAN resources, which works great through PPTP or IPSEC.
0
 
jloiseauCommented:
What kind of Linksys WiFi Router do you have?

Most Linksys WiFi routers gives you the ability to use Encryption to deter unwarranted guest.

Also, you mentioned that you have an ASA FW, depending on your setup, you can use that as a buffer.

To make like easy, if the only purpose of the WiFi is to access the Internet, then place the IP address of the WiFi on a different segment as your LAN IP. For example, if you LAN is 10.10..200.1, make your WLAN 192.168.100.1, this way users on the WiFi will not be able to see anything on your LAN.
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
jrojas1213Author Commented:
zgiuffria:

Yes my concern would be Files, databases, etc.

Mighty:  
Thank you for your suggestion.  I could throw up another wireless router and add that to a vlan on the cisco box.  I dont want to setup a vpn internally just because I can here the complaints from the users if they have to go through an extra step to access resources because they need a vpn client.  
do you also handle web filtering through your linksys because I was just thinking just because I give guest internet access does not mean that I want them to start downloading movies, music, or visiting adult material and possibly infecting the network.

With a VLAN do they stilll get asigned an ip from the lan.  Can I create a new network segment ?  I have never setup a vlan so I dont know what that entails
0
 
zgiuffriaCommented:
If you have active directory they should have to authenticate to things like files and database.  Maybe a radius server would help?
0
 
mwblszCommented:
I think the simplest solution will be get another wireless router, get them into different vlan, use one of them for Internal users with hidden SSID, and the other for guests with broadcast SSID. You can apply rules at ASA to give different access to different wireless router(vlan).
0
 
Mighty_Commented:
jrojas,

The users of the wifi connection from the wifi are subjected to the same firewall/content filtering as our internal LAN users connected directly to our gateway which holds that configuration. However, we also further add constraints to the wifi users by configuring the firewall/content filtering of the wifi router, yes.

Since your wifi device actually needs to communicate with your front line cisco appliance, you will need to have them both in the same IP scope unlike what jloiseau suggested. So the WAN port of the wifi device would be in the same IP scope as the lan adressing of your cisco device. Unless you can assign two static LAN IP which I doubt is the case. And if you were to make routes between lets say 192.168.x.x and 172.16.x.x well, you could make both device communicate but, also both lan segments which would defeat the purpose of the question.

Wifi user will receive and IP from the wifi device's DHCP and in the same scope.

As for vlan configuration, in my gateway, it is as simple as going on the Port Management Tab and select on which VLAN I want port number X to be.

That is all nice and well for the visitor's setup but if you want your users to have wifi and still be able to use lan resources than unfortunately, I think you'll need to install a regular wifi access point to provide that.

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now