Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1196
  • Last Modified:

want to set up a guest wireless network

I manage a network at our corporate office.  Basically we have corporate computers that connect to our lan through wired connections.  However, we occasionally have guests come that need wireless access and just to the internet.  I don't want them to have access to anything else on our network.  I have a cisco 1100 series access point that I'd like to use for the wireless guest access.  In addition, we have a cisco asa 5510 firewall.  The firewall has 4 interfaces aside from the management interface (outside, inside, backup internet line, and unused).  I was thinking of putting the cisco 1100 ap on the unused interface on the asa firewall and setup the firewall to perform dhcp on that interface of course setting up a different ip subnet on that interface.  I briefly played around with this but wasn't able to get this to work.  I heard some people mentioning using vlans to do this type of thing  as well.  Since I don't do this type of thing on a daily basis, I wanted to get some assistance as to what might be the best way to do this and how to do it.  I attached parts of the asa config.  Please send some advice.  Thanks!
cisco-asa.txt
0
mikael6
Asked:
mikael6
  • 2
  • 2
1 Solution
 
RobertPartenCommented:
You need to setup a vlan (name it DMZ or something) setup your global and then NAT it. Here is an example cofig from my ASA

global (outside) 10 some.ip.add.ress netmask 255.255.255.255

nat (dmz) 10 10.0.0.0 255.255.255.0

access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz

access-list dmz_access_in extended permit ip any any
access-list dmz_access_out extended permit ip any any

You are essentially creating a Dynamic NAT pool and then create an access group for that new interface and then setting up ip any any acls for inbound and outbound access. There is no ACL for allowing traffic from the DMZ vlan to the inside VLAN as you have noticed
0
 
RobertPartenCommented:
Please, take that down and clean up the ip addressing for your security sake
0
 
mikegattiCommented:
I think the key here for you is to configure trunking between your access-point and your switch. and have your firewall with an interface connected to each vlan or with a trunk interface as well.
You can configure the access-point to have a SSID per vlan. We run AP1231's and we have about 4 different vlans on them, each with it's own SSID and all the filtering is done at the firewall.
Your firewall config would not have anything special in terms of configuration, you would simply setup your interface connected to the "GUESS" vlan with a lower security level than your inside interace an IP address, NAT and some filters.
Here is a document that explains how to setup trunking on your AP's:
http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
0
 
mikael6Author Commented:
I simply put the cisco waps on another (extra) interface on my cisco asa firewall and setup the interface to do dhcp.  The waps get an ip address from the cisco asa.  I have the waps setup for wpa encryption with a password I give out to users who need access to the wireless network.  The cisco asa rules are set to only allow traffice from the interface with the waps out to the internet and no access to the internal lan.  I set the default route on this interface to be the line going out to the intenret.  All set.
0
 
mikael6Author Commented:
I figured out a different way to do it which was easier for me.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now