Solved

LINKSYS WIRELESS ROUTER AND CISCO ASA5505

Posted on 2010-11-09
Last Modified: 2012-05-10
Hello all and thank you for your time.  I have a Cisco ASA 5505 appliance with one static IP for the LAN and a LINKSYS WIRELESS ROUTER in my conference room which OBVIOUSLY PROVIDES WIFI ACCESS to the network.  My concern is that guests who sign on using the WiFi could potentially access network resources that they should not have access to.

The boss uses the WiFi so he can sit with his laptop and access our resources without jacking in.  I need to continue with his access but also secure the access if clients are using our WiFi for internet access. The current Linksys router has no security features as far as creating multiple SSIDs, guest accounts, etc. Obviously I could purchase a new WiFi router with guest access, web filtering, etc.  Is there anything I could do to secure the access for guests and still maintain access for internal users?
Question by:jrojas1213
7 Comments
 
LVL 4

Expert Comment

by:zgiuffria
ID: 34094472
What are you worrying about them accessing?  Files on a server?  Database?  
0
 
LVL 1

Accepted Solution

by:
Mighty_ earned 125 total points
ID: 34094534
Hello,

We have a similar setup. We have our wireless router available for visitors and its WAN port is connected to a LAN port of our Linksys Gateway. We've put the Linksys LAN port on a separate VLAN and that successfully prevents consultants/visitors from accessing our LAN resources all the while allowing them access to the net via WiFi. Internal users that want to benefit from the WiFi have to use VPN to access LAN resources, which works great through PPTP or IPSEC.
0
 
LVL 3

Expert Comment

by:jloiseau
ID: 34094562
What kind of Linksys WiFi Router do you have?

Most Linksys WiFi routers give you the ability to use encryption to deter unwarranted guests.

Also, you mentioned that you have an ASA FW; depending on your setup, you can use that as a buffer.

To make life easy, if the only purpose of the WiFi is to access the Internet, then place the IP address of the WiFi on a different segment from your LAN IP. For example, if your LAN is 10.10.200.1, make your WLAN 192.168.100.1; this way users on the WiFi will not be able to see anything on your LAN.
0

 
LVL 1

Author Comment

by:jrojas1213
ID: 34094916
zgiuffria:

Yes my concern would be Files, databases, etc.

Mighty:  
Thank you for your suggestion.  I could throw up another wireless router and add that to a VLAN on the Cisco box.  I don't want to set up a VPN internally just because I can hear the complaints from the users if they have to go through an extra step to access resources because they need a VPN client.
Do you also handle web filtering through your Linksys? I was just thinking that just because I give guests internet access does not mean that I want them to start downloading movies, music, or visiting adult material and possibly infecting the network.

With a VLAN do they still get assigned an IP from the LAN?  Can I create a new network segment?  I have never set up a VLAN so I don't know what that entails.
0
 
LVL 4

Expert Comment

by:zgiuffria
ID: 34095046
If you have Active Directory they should have to authenticate to things like files and databases.  Maybe a RADIUS server would help?
0
 
LVL 2

Expert Comment

by:mwblsz
ID: 34095144
I think the simplest solution will be to get another wireless router, put them into different VLANs, use one of them for internal users with a hidden SSID, and the other for guests with a broadcast SSID. You can apply rules at the ASA to give different access to different wireless routers (VLANs).
0
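A sketch of the per-VLAN rules suggested in this comment, as an added example that is not configuration posted by anyone in the thread. It assumes pre-8.3 ASA software on a 5505, an internal LAN of 10.10.200.0/24 and a guest segment of 192.168.100.0/24 (the example ranges mentioned earlier in the thread); the VLAN number, switch port, interface name `guest`, ACL name, DHCP range and DNS server are all hypothetical.

```cisco
! Added example: guest VLAN on an ASA 5505 (pre-8.3 syntax assumed).
! All names, ports and addresses below are assumptions for illustration.

! Third VLAN for guests. On the base license the third VLAN must be
! barred from initiating traffic to one other VLAN before nameif is accepted;
! here that restriction is exactly what is wanted.
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 10
 ip address 192.168.100.1 255.255.255.0
!
! Switch port where the guest wireless router's WAN port (or an AP) plugs in.
interface Ethernet0/5
 switchport access vlan 3
!
! Addresses for devices on the guest segment come from the ASA, not the LAN.
dhcpd address 192.168.100.50-192.168.100.150 guest
dhcpd dns 8.8.8.8 interface guest
dhcpd enable guest
!
! Once an ACL is bound to the interface it replaces the implicit
! security-level behaviour, so the deny toward the internal LAN
! must come before the general permit.
access-list guest_in extended deny ip 192.168.100.0 255.255.255.0 10.10.200.0 255.255.255.0
access-list guest_in extended permit ip 192.168.100.0 255.255.255.0 any
access-group guest_in in interface guest
!
! PAT guest traffic out the outside interface (global 1 may already exist).
nat (guest) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
!
! Verification from the ASA CLI (10.10.200.10 is a constructed LAN host):
!   packet-tracer input guest tcp 192.168.100.50 12345 10.10.200.10 445
! The result should show the flow dropped; repeat against an Internet
! address on port 80 and the result should show it allowed.
```

Web filtering for guests is not covered by this fragment; it only enforces the separation between the guest segment and the internal LAN.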
 
LVL 1

Expert Comment

by:Mighty_
ID: 34095147
jrojas,

The users of the wifi connection from the wifi are subjected to the same firewall/content filtering as our internal LAN users connected directly to our gateway which holds that configuration. However, we also further add constraints to the wifi users by configuring the firewall/content filtering of the wifi router, yes.

Since your wifi device actually needs to communicate with your front line Cisco appliance, you will need to have them both in the same IP scope, unlike what jloiseau suggested. So the WAN port of the wifi device would be in the same IP scope as the LAN addressing of your Cisco device. Unless you can assign two static LAN IPs, which I doubt is the case. And if you were to make routes between, let's say, 192.168.x.x and 172.16.x.x, well, you could make both devices communicate but also both LAN segments, which would defeat the purpose of the question.

Wifi users will receive an IP from the wifi device's DHCP and in the same scope.

As for VLAN configuration, in my gateway, it is as simple as going on the Port Management Tab and selecting which VLAN I want port number X to be on.

That is all nice and well for the visitor's setup but if you want your users to have wifi and still be able to use LAN resources then unfortunately, I think you'll need to install a regular wifi access point to provide that.

0
