mikael6 asked:

want to set up a guest wireless network

I manage a network at our corporate office. Basically we have corporate computers that connect to our LAN through wired connections. However, we occasionally have guests come that need wireless access, and just to the internet. I don't want them to have access to anything else on our network. I have a Cisco 1100 series access point that I'd like to use for the wireless guest access. In addition, we have a Cisco ASA 5510 firewall. The firewall has 4 interfaces aside from the management interface (outside, inside, backup internet line, and unused). I was thinking of putting the Cisco 1100 AP on the unused interface on the ASA firewall and setting up the firewall to perform DHCP on that interface, of course setting up a different IP subnet on that interface. I briefly played around with this but wasn't able to get this to work. I heard some people mentioning using VLANs to do this type of thing as well. Since I don't do this type of thing on a daily basis, I wanted to get some assistance as to what might be the best way to do this and how to do it. I attached parts of the ASA config. Please send some advice. Thanks!
cisco-asa.txt
RobertParten

You need to set up a VLAN (name it DMZ or something), set up your global and then NAT it. Here is an example config from my ASA:

global (outside) 10 some.ip.add.ress netmask 255.255.255.255

nat (dmz) 10 10.0.0.0 255.255.255.0

access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz

access-list dmz_access_in extended permit ip any any
access-list dmz_access_out extended permit ip any any

You are essentially creating a dynamic NAT pool, then creating an access group for that new interface, and then setting up ip any any ACLs for inbound and outbound access. There is no ACL for allowing traffic from the DMZ VLAN to the inside VLAN, as you have noticed.

RobertParten

Please take that down and clean up the IP addressing for your security's sake.

mikegatti

I think the key here for you is to configure trunking between your access point and your switch, and have your firewall with an interface connected to each VLAN or with a trunk interface as well.
You can configure the access point to have an SSID per VLAN. We run AP1231s and we have about 4 different VLANs on them, each with its own SSID, and all the filtering is done at the firewall.
Your firewall config would not have anything special in terms of configuration; you would simply set up your interface connected to the "GUEST" VLAN with a lower security level than your inside interface, an IP address, NAT and some filters.
Here is a document that explains how to set up trunking on your APs:
http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
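
The firewall side described in the answers above (a guest interface with a lower security level, its own subnet, DHCP, NAT and filters), as an added example that is not part of the original posts or anyone's real config. It uses the same pre-8.3 `nat`/`global` syntax as the posted config; the port Ethernet0/3, the name `guest`, the 192.168.50.0/24 subnet, the NAT ID 20, the ACL name and the DNS address (a documentation placeholder) are all assumptions.

```cisco
! Added example. Interface, names and addresses are assumptions.
! The guest AP plugs into the unused ASA port on its own subnet.
interface Ethernet0/3
 nameif guest
 security-level 10
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
! The ASA hands out leases on the guest interface only.
! 203.0.113.53 is a placeholder; use a resolver outside the corporate LAN.
dhcpd address 192.168.50.10-192.168.50.200 guest
dhcpd dns 203.0.113.53 interface guest
dhcpd enable guest
!
! PAT guest clients behind the outside interface address.
nat (guest) 20 192.168.50.0 255.255.255.0
global (outside) 20 interface
!
! Filters, evaluated top down: drop anything from guests to private
! address space first, then allow the remainder (the internet).
! A bare "permit ip any any" here would leave isolation resting on
! NAT and security levels alone.
access-list guest_access_in extended deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list guest_access_in extended deny ip 192.168.50.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list guest_access_in extended deny ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list guest_access_in extended permit ip 192.168.50.0 255.255.255.0 any
access-group guest_access_in in interface guest
```

After applying it, `packet-tracer input guest tcp 192.168.50.20 1025 <inside-host-ip> 445` should report a drop at the access-list phase, and `show access-list guest_access_in` shows hit counts on the deny lines when a guest probes internal ranges.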
mikael6 (ASKER)

I figured out a different way to do it which was easier for me.