Solved

LINKSYS WIRELESS ROUTER AND CISCO ASA5505

Posted on 2010-11-09
7
760 Views
Last Modified: 2012-05-10
Hello all and thank you for your time.  I have a Cisco ASA 5505 appliance with one static IP for the LAN and a LINKSYS WIRELESS ROUTER in my conference room which OBVIOUSLY PROVIDES WIFI ACCESS to the network.  My concern is that guests who sign on using the WiFi could potentially access network resources that they should not have access to.

The boss uses the WiFi so he can sit with his laptop and access our resources without jacking in.  I need to continue with his access but also secure the access if clients are using our WiFi for internet access. The current Linksys router has no security features as far as creating multiple SSIDs, guest accounts, etc. Obviously I could purchase a new WiFi router with guest access, web filtering, etc.  Is there anything I could do to secure the access for guests and still maintain access for internal users?
0
Question by:jrojas1213
7 Comments
 
LVL 4

Expert Comment

by:zgiuffria
ID: 34094472
What are you worrying about them accessing?  Files on a server?  Database?  
0
 
LVL 1

Accepted Solution

by:
Mighty_ earned 125 total points
ID: 34094534
Hello,

We have a similar setup. We have our wireless router available for visitors and its WAN port is connected to a LAN port of our Linksys Gateway. We've put the Linksys LAN port on a separate VLAN and that successfully prevents consultants/visitors from accessing our LAN resources all the while allowing them access to the net via WiFi. Internal users that want to benefit from the WiFi have to use VPN to access LAN resources, which works great through PPTP or IPSEC.
0
 
LVL 3

Expert Comment

by:jloiseau
ID: 34094562
What kind of Linksys WiFi Router do you have?

Most Linksys WiFi routers give you the ability to use encryption to deter unwarranted guests.

Also, you mentioned that you have an ASA FW; depending on your setup, you can use that as a buffer.

To make life easy, if the only purpose of the WiFi is to access the Internet, then place the IP address of the WiFi on a different segment from your LAN IP. For example, if your LAN is 10.10.200.1, make your WLAN 192.168.100.1; this way users on the WiFi will not be able to see anything on your LAN.
0

 
LVL 1

Author Comment

by:jrojas1213
ID: 34094916
zgiuffria:

Yes my concern would be Files, databases, etc.

Mighty:  
Thank you for your suggestion.  I could throw up another wireless router and add that to a VLAN on the Cisco box.  I don't want to set up a VPN internally just because I can hear the complaints from the users if they have to go through an extra step to access resources because they need a VPN client.
Do you also handle web filtering through your Linksys? I was just thinking that just because I give guests internet access does not mean that I want them to start downloading movies, music, or visiting adult material and possibly infecting the network.

With a VLAN do they still get assigned an IP from the LAN?  Can I create a new network segment?  I have never set up a VLAN so I don't know what that entails.
0
 
LVL 4

Expert Comment

by:zgiuffria
ID: 34095046
If you have Active Directory they should have to authenticate to things like files and databases.  Maybe a RADIUS server would help?
0
 
LVL 2

Expert Comment

by:mwblsz
ID: 34095144
I think the simplest solution will be to get another wireless router, put them into different VLANs, use one of them for internal users with a hidden SSID, and the other for guests with a broadcast SSID. You can apply rules at the ASA to give different access to each wireless router (VLAN).
0
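The separate-segment and per-VLAN-rule suggestions in this thread, sketched as an ASA 5505 configuration. This is an added example, not taken from any poster's device: it assumes 8.2-era syntax, the factory `inside`/`outside` interface names, and VLAN 3, port Ethernet0/5 and the 10.10.200.0/24 and 192.168.100.0/24 ranges as illustrative values.

```cisco
! Added example. VLAN IDs, port number, names and addresses are assumptions.
! Existing internal LAN (factory-default Vlan1 = inside).
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.200.1 255.255.255.0
!
! New guest segment. On a Base license the third VLAN must be barred from
! initiating traffic to one other VLAN before it can be named; pointing that
! restriction at Vlan1 is exactly the isolation wanted here.
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 10
 ip address 192.168.100.1 255.255.255.0
!
! Switch port the guest wireless router (or access point) plugs into.
interface Ethernet0/5
 switchport access vlan 3
!
! Explicit policy on the guest interface: nothing to the internal LAN,
! everything else allowed out. Tighten the permit line to specific ports
! if guests should only browse.
access-list guest_in extended deny ip any 10.10.200.0 255.255.255.0
access-list guest_in extended permit ip any any
access-group guest_in in interface guest
!
! PAT guest traffic out of the single public address.
! The global line is usually already present for the inside network.
nat (guest) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
!
! Hand out guest addresses from the ASA, separate from the LAN scope.
dhcpd address 192.168.100.50-192.168.100.150 guest
dhcpd enable guest
```

After applying it, `show switch vlan` and `show access-list guest_in` confirm the port membership and whether the deny rule is taking hits.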
 
LVL 1

Expert Comment

by:Mighty_
ID: 34095147
jrojas,

The users of the WiFi connection from the WiFi are subjected to the same firewall/content filtering as our internal LAN users connected directly to our gateway, which holds that configuration. However, we also further add constraints to the WiFi users by configuring the firewall/content filtering of the WiFi router, yes.

Since your WiFi device actually needs to communicate with your front-line Cisco appliance, you will need to have them both in the same IP scope, unlike what jloiseau suggested. So the WAN port of the WiFi device would be in the same IP scope as the LAN addressing of your Cisco device. Unless you can assign two static LAN IPs, which I doubt is the case. And if you were to make routes between, let's say, 192.168.x.x and 172.16.x.x, well, you could make both devices communicate but also both LAN segments, which would defeat the purpose of the question.

WiFi users will receive an IP from the WiFi device's DHCP and in the same scope.

As for VLAN configuration, in my gateway, it is as simple as going on the Port Management tab and selecting which VLAN I want port number X to be on.

That is all nice and well for the visitors' setup, but if you want your users to have WiFi and still be able to use LAN resources then, unfortunately, I think you'll need to install a regular WiFi access point to provide that.

0


Question has a verified solution.
