Solved

LINKSYS WIRELESS ROUTER AND CISCO ASA5505

Posted on 2010-11-09
Last Modified: 2012-05-10
Hello all and thank you for your time. I have a Cisco ASA 5505 appliance with one static IP for the LAN and a LINKSYS WIRELESS ROUTER in my conference room which OBVIOUSLY PROVIDES WIFI ACCESS to the network. My concern is that guests who sign on using the WiFi could potentially access network resources that they should not have access to.

The boss uses the WiFi so he can sit with his laptop and access our resources without jacking in. I need to continue with his access but also secure the access if clients are using our WiFi for internet access. The current Linksys router has no security features as far as creating multiple SSIDs, guest accounts, etc. Obviously I could purchase a new WiFi router with guest access, web filtering, etc. Is there anything I could do to secure the access for guests and still maintain access for internal users?
Question by:jrojas1213
7 Comments
 
LVL 4

Expert Comment

by:zgiuffria
ID: 34094472
What are you worrying about them accessing?  Files on a server?  Database?  
0
 
LVL 1

Accepted Solution

by:
Mighty_ earned 125 total points
ID: 34094534
Hello,

We have a similar setup. We have our wireless router available for visitors and its WAN port is connected to a LAN port of our Linksys Gateway. We've put the Linksys LAN port on a separate VLAN and that successfully prevents consultants/visitors from accessing our LAN resources all the while allowing them access to the net via wifi. Internal users that want to benefit from the wifi have to use VPN to access LAN resources, which works great through PPTP or IPSEC.
0
 
LVL 3

Expert Comment

by:jloiseau
ID: 34094562
What kind of Linksys WiFi Router do you have?

Most Linksys WiFi routers give you the ability to use encryption to deter unwarranted guests.

Also, you mentioned that you have an ASA FW, depending on your setup, you can use that as a buffer.

To make life easy, if the only purpose of the WiFi is to access the Internet, then place the IP address of the WiFi on a different segment from your LAN IP. For example, if your LAN is 10.10.200.1, make your WLAN 192.168.100.1; this way users on the WiFi will not be able to see anything on your LAN.
0
 
LVL 1

Author Comment

by:jrojas1213
ID: 34094916
zgiuffria:

Yes my concern would be Files, databases, etc.

Mighty:  
Thank you for your suggestion. I could throw up another wireless router and add that to a VLAN on the Cisco box. I don't want to set up a VPN internally just because I can hear the complaints from the users if they have to go through an extra step to access resources because they need a VPN client.
Do you also handle web filtering through your Linksys? I was just thinking that just because I give guests internet access does not mean that I want them to start downloading movies, music, or visiting adult material and possibly infecting the network.

With a VLAN do they still get assigned an IP from the LAN? Can I create a new network segment? I have never set up a VLAN so I don't know what that entails.
0
 
LVL 4

Expert Comment

by:zgiuffria
ID: 34095046
If you have Active Directory they should have to authenticate to things like files and databases. Maybe a RADIUS server would help?
0
 
LVL 2

Expert Comment

by:mwblsz
ID: 34095144
I think the simplest solution will be to get another wireless router, put them into different VLANs, and use one of them for internal users with a hidden SSID and the other for guests with a broadcast SSID. You can apply rules at the ASA to give different access to each wireless router (VLAN).
0
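One way to build the separate guest VLAN with ASA rules suggested above, as an added example that is not part of any poster's reply. The VLAN number, interface names, port and addresses are assumptions: inside LAN 10.10.200.0/24 on Vlan1, guest segment 192.168.100.0/24 on Vlan3, guest router plugged into Ethernet0/5.

```text
! Added example: guest VLAN on an ASA 5505. All names, ports and
! addresses below are assumed values, not taken from the thread.
!
interface Vlan3
 ! With the Base license a third VLAN is only accepted if it is
 ! barred from initiating traffic to one other VLAN; bar the inside
 ! LAN, and enter this line before nameif.
 no forward interface Vlan1
 nameif guest
 ! Lower than inside (100), so guest-to-inside is denied by default
 security-level 10
 ip address 192.168.100.1 255.255.255.0
!
! Switch port that the guest wireless router's WAN port plugs into
interface Ethernet0/5
 switchport access vlan 3
 no shutdown
!
! Once an ACL is bound to the interface it replaces the implicit
! security-level behaviour, so the deny for the inside network has
! to come before the permit that lets guests out to the Internet.
access-list guest_in extended deny ip any 10.10.200.0 255.255.255.0
access-list guest_in extended permit ip any any
access-group guest_in in interface guest
!
! Hand the guest router's WAN port an address from the guest segment
! (8.8.8.8 stands in for whichever resolver guests should use)
dhcpd address 192.168.100.10-192.168.100.50 guest
dhcpd dns 8.8.8.8 interface guest
dhcpd enable guest
```

Guest traffic also needs dynamic NAT/PAT to the outside interface, and that syntax differs between ASA software before and after version 8.3, so it is left out here. Running `packet-tracer` from a guest address toward an inside host is a quick way to confirm the deny is the rule that matches.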
 
LVL 1

Expert Comment

by:Mighty_
ID: 34095147
jrojas,

The users of the wifi connection from the wifi are subjected to the same firewall/content filtering as our internal LAN users connected directly to our gateway which holds that configuration. However, we also further add constraints to the wifi users by configuring the firewall/content filtering of the wifi router, yes.

Since your wifi device actually needs to communicate with your front line Cisco appliance, you will need to have them both in the same IP scope, unlike what jloiseau suggested. So the WAN port of the wifi device would be in the same IP scope as the LAN addressing of your Cisco device. Unless you can assign two static LAN IPs, which I doubt is the case. And if you were to make routes between, let's say, 192.168.x.x and 172.16.x.x, well, you could make both devices communicate but also both LAN segments, which would defeat the purpose of the question.

Wifi users will receive an IP from the wifi device's DHCP and in the same scope.

As for vlan configuration, in my gateway, it is as simple as going on the Port Management Tab and select on which VLAN I want port number X to be.

That is all nice and well for the visitors' setup, but if you want your users to have wifi and still be able to use LAN resources then, unfortunately, I think you'll need to install a regular wifi access point to provide that.

0

Question has a verified solution.