Solved

want to set up a guest wireless network

Posted on 2011-02-15
Last Modified: 2013-12-09
I manage a network at our corporate office. Basically we have corporate computers that connect to our LAN through wired connections. However, we occasionally have guests come that need wireless access, and just to the internet. I don't want them to have access to anything else on our network. I have a Cisco 1100 series access point that I'd like to use for the wireless guest access. In addition, we have a Cisco ASA 5510 firewall. The firewall has 4 interfaces aside from the management interface (outside, inside, backup internet line, and unused). I was thinking of putting the Cisco 1100 AP on the unused interface on the ASA firewall and setting up the firewall to perform DHCP on that interface, of course setting up a different IP subnet on that interface. I briefly played around with this but wasn't able to get this to work. I heard some people mentioning using VLANs to do this type of thing as well. Since I don't do this type of thing on a daily basis, I wanted to get some assistance as to what might be the best way to do this and how to do it. I attached parts of the ASA config. Please send some advice. Thanks!
cisco-asa.txt
Question by:mikael6

Expert Comment

by:RobertParten
ID: 34901087
You need to set up a VLAN (name it DMZ or something), set up your global and then NAT it. Here is an example config from my ASA:

global (outside) 10 some.ip.add.ress netmask 255.255.255.255

nat (dmz) 10 10.0.0.0 255.255.255.0

access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz

access-list dmz_access_in extended permit ip any any
access-list dmz_access_out extended permit ip any any

You are essentially creating a dynamic NAT pool, then creating an access group for that new interface, and then setting up ip any any ACLs for inbound and outbound access. There is no ACL for allowing traffic from the DMZ VLAN to the inside VLAN, as you have noticed.

Expert Comment

by:RobertParten
ID: 34901099
Please take that down and clean up the IP addressing, for your security's sake.

Expert Comment

by:mikegatti
ID: 34920530
I think the key here for you is to configure trunking between your access point and your switch, and have your firewall with an interface connected to each VLAN, or with a trunk interface as well.
You can configure the access point to have an SSID per VLAN. We run AP1231s and we have about 4 different VLANs on them, each with its own SSID, and all the filtering is done at the firewall.
Your firewall config would not have anything special in terms of configuration; you would simply set up your interface connected to the "GUEST" VLAN with a lower security level than your inside interface, an IP address, NAT and some filters.
Here is a document that explains how to set up trunking on your APs:
http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml

Accepted Solution

by:mikael6
ID: 35108290
I simply put the Cisco WAPs on another (extra) interface on my Cisco ASA firewall and set up the interface to do DHCP. The WAPs get an IP address from the Cisco ASA. I have the WAPs set up for WPA encryption with a password I give out to users who need access to the wireless network. The Cisco ASA rules are set to only allow traffic from the interface with the WAPs out to the internet and no access to the internal LAN. I set the default route on this interface to be the line going out to the internet. All set.

Author Closing Comment

by:mikael6
ID: 35145323
I figured out a different way to do it which was easier for me.
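
A way to check the rule set described in the accepted solution above (guest interface allowed out to the internet, no access to the internal LAN), as an added example that is not part of the original thread: a first-match evaluation of ASA `access-list ... extended ... ip` lines. The ACL name `guest_in`, all addresses and both sample ACLs are constructed; only `ip` rules with `any`, `host` or network/mask operands are handled, so tcp/udp rules are ignored.

```python
import ipaddress

# Constructed sample ACLs (not taken from the poster's attached config).
OPEN_ACL = "access-list guest_in extended permit ip any any\n"
ISOLATED_ACL = """\
access-list guest_in extended deny ip any 10.0.0.0 255.0.0.0
access-list guest_in extended deny ip any 172.16.0.0 255.240.0.0
access-list guest_in extended deny ip any 192.168.0.0 255.255.0.0
access-list guest_in extended permit ip any any
"""

def _take_net(tokens):
    """Consume one ASA address operand: 'any', 'host A' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(config, name):
    """Return (action, src_net, dst_net) for each 'ip' rule of ACL `name`, in order."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"] or t[4:5] != ["ip"]:
            continue  # other ACLs, remarks and tcp/udp rules are out of scope
        src, rest = _take_net(t[5:])
        dst, _ = _take_net(rest)
        rules.append((t[3], src, dst))
    return rules

def verdict(rules, src, dst):
    """First matching rule wins; an ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def guest_is_isolated(config, name, guest_ip, internal_ips, internet_ip):
    """True only if no internal address is permitted and the internet address is."""
    rules = parse_acl(config, name)
    leaks = [ip for ip in internal_ips if verdict(rules, guest_ip, ip) == "permit"]
    return not leaks and verdict(rules, guest_ip, internet_ip) == "permit"
```

On the firewall itself, the `packet-tracer` command gives the authoritative answer for a given flow, since it also accounts for NAT and routing, which this sketch does not model.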