Solved

want to set up a guest wireless network

Posted on 2011-02-15
6
1,188 Views
Last Modified: 2013-12-09
I manage a network at our corporate office.  Basically we have corporate computers that connect to our lan through wired connections.  However, we occasionally have guests come that need wireless access and just to the internet.  I don't want them to have access to anything else on our network.  I have a cisco 1100 series access point that I'd like to use for the wireless guest access.  In addition, we have a cisco asa 5510 firewall.  The firewall has 4 interfaces aside from the management interface (outside, inside, backup internet line, and unused).  I was thinking of putting the cisco 1100 ap on the unused interface on the asa firewall and setup the firewall to perform dhcp on that interface of course setting up a different ip subnet on that interface.  I briefly played around with this but wasn't able to get this to work.  I heard some people mentioning using vlans to do this type of thing  as well.  Since I don't do this type of thing on a daily basis, I wanted to get some assistance as to what might be the best way to do this and how to do it.  I attached parts of the asa config.  Please send some advice.  Thanks!
cisco-asa.txt
0
Comment
Question by:mikael6
  • 2
  • 2
6 Comments
 
LVL 4

Expert Comment

by:RobertParten
ID: 34901087
You need to setup a vlan (name it DMZ or something) setup your global and then NAT it. Here is an example cofig from my ASA

global (outside) 10 some.ip.add.ress netmask 255.255.255.255

nat (dmz) 10 10.0.0.0 255.255.255.0

access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz

access-list dmz_access_in extended permit ip any any
access-list dmz_access_out extended permit ip any any

You are essentially creating a Dynamic NAT pool and then create an access group for that new interface and then setting up ip any any acls for inbound and outbound access. There is no ACL for allowing traffic from the DMZ vlan to the inside VLAN as you have noticed
0
 
LVL 4

Expert Comment

by:RobertParten
ID: 34901099
Please, take that down and clean up the ip addressing for your security sake
0
 
LVL 3

Expert Comment

by:mikegatti
ID: 34920530
I think the key here for you is to configure trunking between your access-point and your switch. and have your firewall with an interface connected to each vlan or with a trunk interface as well.
You can configure the access-point to have a SSID per vlan. We run AP1231's and we have about 4 different vlans on them, each with it's own SSID and all the filtering is done at the firewall.
Your firewall config would not have anything special in terms of configuration, you would simply setup your interface connected to the "GUESS" vlan with a lower security level than your inside interace an IP address, NAT and some filters.
Here is a document that explains how to setup trunking on your AP's:
http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
0
 

Accepted Solution

by:
mikael6 earned 0 total points
ID: 35108290
I simply put the cisco waps on another (extra) interface on my cisco asa firewall and setup the interface to do dhcp.  The waps get an ip address from the cisco asa.  I have the waps setup for wpa encryption with a password I give out to users who need access to the wireless network.  The cisco asa rules are set to only allow traffice from the interface with the waps out to the internet and no access to the internal lan.  I set the default route on this interface to be the line going out to the intenret.  All set.
0
 

Author Closing Comment

by:mikael6
ID: 35145323
I figured out a different way to do it which was easier for me.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

With the purchase of CloudCommand by Comcast customers are left in a bind as subscriptions expire and render the AP's disabled. The following will explain how to flash your Ubiquiti AP's with CloudCommand firmware back to Ubiquiti firmware. HOWTO…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question