Solved

LINKSYS WIRELESS ROUTER AND CISCO ASA5505

Posted on 2010-11-09
Last Modified: 2012-05-10
Hello all and thank you for your time.  I have a Cisco ASA 5505 appliance with one static IP for the LAN and a LINKSYS WIRELESS ROUTER in my conference room which OBVIOUSLY PROVIDES WIFI ACCESS to the network.  My concern is that guests who sign on using the WiFi could potentially access network resources that they should not have access to.

The boss uses the WiFi so he can sit with his laptop and access our resources without jacking in.  I need to continue with his access but also secure the access if clients are using our WiFi for internet access. The current Linksys router has no security features as far as creating multiple SSIDs, guest accounts, etc. Obviously I could purchase a new WiFi router with guest access, web filtering, etc.  Is there anything I could do to secure the access for guests and still maintain access for internal users?
Question by:jrojas1213
 
LVL 4

Expert Comment

by:zgiuffria
ID: 34094472
What are you worrying about them accessing?  Files on a server?  Database?  
0
 
LVL 1

Accepted Solution

by:
Mighty_ earned 125 total points
ID: 34094534
Hello,

We have a similar setup. We have our wireless router available for visitors and its WAN port is connected to a LAN port of our Linksys Gateway. We've put the Linksys LAN port on a separate VLAN and that successfully prevents consultants/visitors from accessing our LAN resources, all the while allowing them access to the net via WiFi. Internal users that want to benefit from the WiFi have to use VPN to access LAN resources, which works great through PPTP or IPSEC.
0
 
LVL 3

Expert Comment

by:jloiseau
ID: 34094562
What kind of Linksys WiFi Router do you have?

Most Linksys WiFi routers give you the ability to use encryption to deter unwarranted guests.

Also, you mentioned that you have an ASA FW, depending on your setup, you can use that as a buffer.

To make life easy, if the only purpose of the WiFi is to access the Internet, then place the IP address of the WiFi on a different segment from your LAN IP. For example, if your LAN is 10.10.200.1, make your WLAN 192.168.100.1; this way users on the WiFi will not be able to see anything on your LAN.
0
 
LVL 1

Author Comment

by:jrojas1213
ID: 34094916
zgiuffria:

Yes my concern would be Files, databases, etc.

Mighty:  
Thank you for your suggestion.  I could throw up another wireless router and add that to a VLAN on the Cisco box.  I don't want to set up a VPN internally, just because I can hear the complaints from the users if they have to go through an extra step to access resources because they need a VPN client.
Do you also handle web filtering through your Linksys? I was just thinking that just because I give guests internet access does not mean that I want them to start downloading movies, music, or visiting adult material and possibly infecting the network.

With a VLAN, do they still get assigned an IP from the LAN?  Can I create a new network segment?  I have never set up a VLAN so I don't know what that entails.
0
 
LVL 4

Expert Comment

by:zgiuffria
ID: 34095046
If you have active directory they should have to authenticate to things like files and database.  Maybe a radius server would help?
0
 
LVL 2

Expert Comment

by:mwblsz
ID: 34095144
I think the simplest solution will be to get another wireless router, put them into different VLANs, and use one of them for internal users with a hidden SSID and the other for guests with a broadcast SSID. You can apply rules at the ASA to give different access to each wireless router (VLAN).
0
 
LVL 1

Expert Comment

by:Mighty_
ID: 34095147
jrojas,

The users of the wifi connection from the wifi are subjected to the same firewall/content filtering as our internal LAN users connected directly to our gateway which holds that configuration. However, we also further add constraints to the wifi users by configuring the firewall/content filtering of the wifi router, yes.

Since your wifi device actually needs to communicate with your front line Cisco appliance, you will need to have them both in the same IP scope, unlike what jloiseau suggested. So the WAN port of the wifi device would be in the same IP scope as the LAN addressing of your Cisco device, unless you can assign two static LAN IPs, which I doubt is the case. And if you were to make routes between, let's say, 192.168.x.x and 172.16.x.x, well, you could make both devices communicate but also both LAN segments, which would defeat the purpose of the question.

Wifi users will receive an IP from the wifi device's DHCP and in the same scope.

As for vlan configuration, in my gateway, it is as simple as going on the Port Management Tab and select on which VLAN I want port number X to be.

That is all nice and well for the visitors' setup, but if you want your users to have wifi and still be able to use LAN resources then unfortunately, I think you'll need to install a regular wifi access point to provide that.

0
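The separate guest VLAN that Mighty_ and mwblsz describe could be set up on an ASA 5505 roughly as follows. This is an added example, not configuration posted by anyone in the thread. It assumes the inside LAN is Vlan1 on 192.168.1.0/24, the guest router's WAN port is plugged into Ethernet0/5, the guest segment is 192.168.100.0/24, and the ASA runs software with the pre-8.3 NAT syntax.

```cisco
! Added example. Interface numbers, subnets and the ACL name are
! assumptions for illustration, not values from the thread.
!
interface Vlan3
 ! Base license only: the third VLAN must be barred from initiating
 ! traffic to one other VLAN before it can be given a name.
 no forward interface Vlan1
 nameif guest
 ! Lower than inside (100), so guest-to-inside is denied by default.
 security-level 10
 ip address 192.168.100.1 255.255.255.0
!
! Physical port that the guest wireless router's WAN port plugs into.
interface Ethernet0/5
 switchport access vlan 3
 no shutdown
!
! Make the policy explicit: drop guest-to-LAN, allow the rest outbound.
access-list GUEST_IN extended deny ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list GUEST_IN extended permit ip 192.168.100.0 255.255.255.0 any
access-group GUEST_IN in interface guest
!
! PAT guest traffic behind the single outside address (pre-8.3 syntax).
nat (guest) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
!
! Give the guest router's WAN port an address on the guest segment.
! 192.0.2.53 is a placeholder; substitute the DNS server guests should use.
dhcpd address 192.168.100.10-192.168.100.30 guest
dhcpd dns 192.0.2.53 interface guest
dhcpd enable guest
```

To confirm the separation, `packet-tracer input guest icmp 192.168.100.20 8 0 192.168.1.10` (both addresses constructed) should report the packet as dropped, while the same test toward an Internet address should be allowed.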
