Solved

want to set up a guest wireless network

Posted on 2011-02-15
6
1,186 Views
Last Modified: 2013-12-09
I manage a network at our corporate office.  Basically we have corporate computers that connect to our lan through wired connections.  However, we occasionally have guests come that need wireless access and just to the internet.  I don't want them to have access to anything else on our network.  I have a cisco 1100 series access point that I'd like to use for the wireless guest access.  In addition, we have a cisco asa 5510 firewall.  The firewall has 4 interfaces aside from the management interface (outside, inside, backup internet line, and unused).  I was thinking of putting the cisco 1100 ap on the unused interface on the asa firewall and setup the firewall to perform dhcp on that interface of course setting up a different ip subnet on that interface.  I briefly played around with this but wasn't able to get this to work.  I heard some people mentioning using vlans to do this type of thing  as well.  Since I don't do this type of thing on a daily basis, I wanted to get some assistance as to what might be the best way to do this and how to do it.  I attached parts of the asa config.  Please send some advice.  Thanks!
cisco-asa.txt
0
Comment
Question by:mikael6
  • 2
  • 2
6 Comments
 
LVL 4

Expert Comment

by:RobertParten
Comment Utility
You need to setup a vlan (name it DMZ or something) setup your global and then NAT it. Here is an example cofig from my ASA

global (outside) 10 some.ip.add.ress netmask 255.255.255.255

nat (dmz) 10 10.0.0.0 255.255.255.0

access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz

access-list dmz_access_in extended permit ip any any
access-list dmz_access_out extended permit ip any any

You are essentially creating a Dynamic NAT pool and then create an access group for that new interface and then setting up ip any any acls for inbound and outbound access. There is no ACL for allowing traffic from the DMZ vlan to the inside VLAN as you have noticed
0
 
LVL 4

Expert Comment

by:RobertParten
Comment Utility
Please, take that down and clean up the ip addressing for your security sake
0
 
LVL 3

Expert Comment

by:mikegatti
Comment Utility
I think the key here for you is to configure trunking between your access-point and your switch. and have your firewall with an interface connected to each vlan or with a trunk interface as well.
You can configure the access-point to have a SSID per vlan. We run AP1231's and we have about 4 different vlans on them, each with it's own SSID and all the filtering is done at the firewall.
Your firewall config would not have anything special in terms of configuration, you would simply setup your interface connected to the "GUESS" vlan with a lower security level than your inside interace an IP address, NAT and some filters.
Here is a document that explains how to setup trunking on your AP's:
http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
0
 

Accepted Solution

by:
mikael6 earned 0 total points
Comment Utility
I simply put the cisco waps on another (extra) interface on my cisco asa firewall and setup the interface to do dhcp.  The waps get an ip address from the cisco asa.  I have the waps setup for wpa encryption with a password I give out to users who need access to the wireless network.  The cisco asa rules are set to only allow traffice from the interface with the waps out to the internet and no access to the internal lan.  I set the default route on this interface to be the line going out to the intenret.  All set.
0
 

Author Closing Comment

by:mikael6
Comment Utility
I figured out a different way to do it which was easier for me.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
This subject  of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts: devices#sthash.eoFY7dic.
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now