Solved

cisco asa 5505 and wap4410n

Posted on 2011-05-03
Last Modified: 2012-05-11
Hi Experts,
In our office I have a Cisco ASA 5505 and a wireless unit, the WAP4410N access point.
The ASA 5505 is connected to our main office via VPN.
The WAP4410N is connected to the ASA 5505.
How do I separate the network for guests?
If a guest comes in, I just want to give him pure internet access, but not the office network.
Question by:Eprs_Admin
34 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 35512791
I believe that model of AP allows you to create multiple BSSIDs. You could create a separate "Guest" BSSID and map it to a VLAN that has internet-only access.

Author Comment

by:Eprs_Admin
ID: 35512858
OK, you mean I have to create a separate SSID network on the AP.
Then I need a VLAN. But I have just one LAN here.
Can I create a VLAN with the ASA 5505?
LVL 9

Expert Comment

by:Cheever000
ID: 35513038
You can create VLANs on a 5505; for example, the inside interface is usually VLAN 1:

!
interface Vlan1
 description Inside_Network
 nameif inside
 security-level 100
 ip address X.X.X.X Y.Y.Y.Y
!
interface Vlan2
 description Outside_network
 nameif outside
 security-level 0
 ip address X.X.X.X Y.Y.Y.Y
!
interface Vlan21
 nameif Guest
 security-level 55
 ip address X.X.X.X Y.Y.Y.Y
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport trunk allowed vlan 1, 21
 switchport trunk native vlan 1
 switchport mode trunk

Connect the AP's trunked port to Ethernet port 0/7, and that should handle the traffic for the guest and regular networks.

All you have to do from there is get the AP configured.

In this example, though, the guest network is VLAN 21.

Author Comment

by:Eprs_Admin
ID: 35696827
I will try this.
But can you explain this section?

interface Ethernet0/7
 switchport trunk allowed vlan 1, 21
 switchport trunk native vlan 1
 switchport mode trunk
LVL 9

Expert Comment

by:Cheever000
ID: 35700946
The trunk port there carries the internal wireless VLAN and the guest VLAN; if you do not need 2 SSIDs on the wireless, then you don't need the trunk settings. The native VLAN statement helps with the ASAs, as they don't seem to handle the native VLAN easily. Now, if you aren't trunking 2 different VLANs on that one port, say from an access point hosting corporate and guest wireless networks, just set the port to access, in this example VLAN 21. Remember to set up a global dynamic NAT for the second VLAN interface; in this example it is VLAN 21.

Author Comment

by:Eprs_Admin
ID: 35726702
I have seen I can create 4 different SSIDs. So is it better to have an extra SSID for the guests?
LVL 12

Expert Comment

by:Fidelius
ID: 35749674
What license do you have on the ASA? Basic or Security Plus?

Author Comment

by:Eprs_Admin
ID: 35822398
Basic

Author Comment

by:Eprs_Admin
ID: 35822428
Hi,
we face one problem with our DNS server.
The ASA 5505 is connected via VPN tunnel to our main office.
So the DNS settings need to be from our main office.
On the wireless unit we entered the DNS of the provider, but then all shares are not working over the tunnel.
But we want to enter on the wireless unit the DNS from the provider just for internet.
Why does the wireless unit use the entered DNS server?
LVL 12

Expert Comment

by:Fidelius
ID: 35824502
OK, one thing to note, if you don't know it already:
An ASA 5505 with the Basic license has a limitation in interface functionality. You can have only 3 VLANs, and only two full-featured interfaces (inside and outside) plus one DMZ which is limited to communicating only with a lower-security interface (commonly the outside interface).
http://www.networkstraining.com/cisco-asa-5505-vlans-and-licensing/

So, if you want to connect guests to the DMZ, they will not be able to access any resource on the inside network. Also, access from the inside to the DMZ will not be achievable.

Regarding the WAP4410N, it doesn't have a built-in DHCP server.
http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&login=1&app=search&vw=1&articleid=16869
So you will need one in the guest VLAN to provide IP, GW and DNS to the clients.

Using a DHCP server you can provide different DNS settings to different SSIDs (assuming you mapped SSID to VLAN). The other option is to manually enter the IP configuration on every host.

With the current Basic ASA license you can have only two VLANs on the WAP4410N - the inside VLAN and the DMZ VLAN for guests.
Also, you will be unable to use the DHCP server on the inside VLAN for the DMZ VLAN (traffic limitation because of the license).

Regards!

Author Comment

by:Eprs_Admin
ID: 35829669
Hi Fidelius:

Thanks for the good information.
But for me it is not so easy to understand.
In the beginning, we just wanted to split the network, but we had just one outside IP address.
Now we have more addresses available, so we can give the WAP4410N an extra IP address.

Our main IP is: 72.178.217.14
The gateway for this address is: 72.178.217.1

The new range for the WAP is from: 112.186.219.25 - 30
So this is a completely different range. I want to use the IP 112.186.219.25 for the WAP4410N.

But how do we route this network to our main IP in the ASA 5505?
We already have one outside route for all traffic:
       route outside 0.0.0.0 0.0.0.0 72.178.217.1 1

Do you know how to set up the new route?

Author Comment

by:Eprs_Admin
ID: 35838999
Hey Cheever000:

I entered your config and I cannot create the trunk because of the Basic license.
So I cannot use your config.
LVL 12

Expert Comment

by:Fidelius
ID: 35840620
I don't think you can do it with the Basic license. You will need to upgrade the license to Security Plus.

Also, the WAP4410N is not a router, it is just an access point. So from a security aspect it is not good to put a public IP on it.

Here is a simple topology. Please confirm if that is what you want to achieve.
[attached image: ASA5505 topology]
This pictured scenario is achievable with the Basic license, with the limitation that DMZ and inside cannot communicate.
Please post the ASA config so we can help you more precisely.

Thanks!

Author Comment

by:Eprs_Admin
ID: 35840826
Hi Fidelius:

This is exactly what we want.
If we can do this with the Basic license, that would help us a lot.

[attachment: asa5505-alibi-config.txt]
LVL 12

Expert Comment

by:Fidelius
ID: 35861456
Configure one more VLAN, add it to an interface and create PAT for the DMZ network:

interface Vlan21
 description guest wireless
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/7
 switchport access vlan 21
!
nat (dmz) 1 0.0.0.0 0.0.0.0

Configure the IP on the WAP4410N: 192.168.1.2 255.255.255.0
For DNS use your ISP's DNS servers.
Configure clients with the same settings as the WAP4410N if you don't have a dedicated DHCP server in VLAN 21.

That should be enough for wireless clients to reach the Internet, and because you have the Basic license they are unable to communicate with the inside network.

Regards!

Author Comment

by:Eprs_Admin
ID: 35872863
Hey Fidelius:
Thanks for the info.
But on Thursday I tried to create another VLAN, and I had problems with the interface and the license.
I cannot set nameif for vlan21 because of license issues.

Are you sure about setting up the config like this with the Basic license?

Author Comment

by:Eprs_Admin
ID: 35872945
ERROR:

ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.

Author Comment

by:Eprs_Admin
ID: 35872947
What can I do to solve this issue?

ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
LVL 12

Expert Comment

by:Fidelius
ID: 35873062
Sorry, I missed one command.
Configure VLAN 21 like this:

interface Vlan21
 description guest wireless
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!

Regards!

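As an added example (not Cisco tooling and not anything posted in this thread), the Python below lints an ASA 5505 configuration for the Basic-license rules this thread ran into: a third nameif interface must carry 'no forward interface', trunk ports are not available, and the guest DMZ needs a nat rule or guests never reach the Internet. The sample config is constructed from the corrected snippet above, and the check itself is a hypothetical helper.

```python
# Constructed sample modelled on the corrected DMZ snippet in this thread (not a real device dump).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
!
interface Vlan2
 nameif outside
!
interface Vlan21
 no forward interface Vlan1
 nameif dmz
!
interface Ethernet0/7
 switchport access vlan 21
!
nat (dmz) 1 0.0.0.0 0.0.0.0
"""

def parse_stanzas(config):
    """Map each 'interface X' stanza to its indented body lines (stripped)."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return stanzas

def nameif_of(body):
    return next((l.split()[1] for l in body if l.startswith("nameif ")), None)

def check_guest_dmz(config):
    """Findings for a Basic-license ASA 5505 hosting a guest DMZ VLAN (hypothetical lint, not Cisco's)."""
    findings, stanzas = [], parse_stanzas(config)
    named = {n: b for n, b in stanzas.items() if nameif_of(b)}
    restricted = {n: b for n, b in named.items() if any(l.startswith("no forward interface") for l in b)}
    # Basic license: 2 fully routed interfaces; a third needs 'no forward interface' (the error in this thread).
    if len(named) - len(restricted) > 2:
        findings.append("more than 2 nameif interfaces without 'no forward interface' (license error)")
    for n, b in stanzas.items():
        if "switchport mode trunk" in b:
            findings.append(f"{n}: trunk mode is unavailable on the Basic license; use 'switchport access vlan'")
    for n, b in restricted.items():
        dmz = nameif_of(b)
        if not any(l.startswith(f"nat ({dmz}) ") for l in config.splitlines()):
            findings.append(f"{n}: no 'nat ({dmz}) ...' rule, so guests will not reach the Internet")
    return findings
```
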
Author Comment

by:Eprs_Admin
ID: 35873136
OK, can we also use another IP range than the one in your example?
ip address 192.168.1.1 255.255.255.0
LVL 12

Expert Comment

by:Fidelius
ID: 35873282
You can use any range you like. This was just an example.

Author Comment

by:Eprs_Admin
ID: 35873432
Great.
I will go on this week and let you know.

Author Comment

by:Eprs_Admin
ID: 35922017
Do we have to enter a gateway into the WAP4410?
We chose the range 11.0.0.1 255.255.255.0.
The WAP4410 has the IP 11.0.0.2.

But what kind of gateway do we have to enter?
LVL 12

Expert Comment

by:Fidelius
ID: 35922281
I assume that the ASA has the 11.0.0.1 address, so you should put it as the gateway into the WAP4410.

Author Comment

by:Eprs_Admin
ID: 35922300
Hi experts, we have some strange problems here.
The internet is working with the IP 11.0.0.1 for vlan21 and 11.0.0.2 for the WAP4410N.

But sometimes the wireless is dropping and we lose the connection.
What can it be?



Author Comment

by:Eprs_Admin
ID: 35922312
Sometimes the internet is running 5 minutes and sometimes 3 minutes, and it is reconnecting itself.
Is it a configuration error? But I don't think so, because the internet is working sometimes.


Author Comment

by:Eprs_Admin
ID: 35922328
Hi Fidelius:

Like your config, we just changed the range, but in the same way as you used it.

VLAN21 has IP 11.0.0.1
WAP4410N has IP 11.0.0.2

We now use IP 2 as the gateway and we have an internet connection.
What do you recommend, IP 1 or IP 2?

Author Comment

by:Eprs_Admin
ID: 35923785
OK, I think we fixed it.
The wireless signal was interfered with by the wireless phone, and the antennas are now set correctly.

Now I have the final question:
How can we reach the AP from our network?
Because the AP has the IP 11.0.0.2 and our network is 198.64.185.0.
Can we create a route to connect remotely to the AP?
LVL 12

Expert Comment

by:Fidelius
ID: 35924114
Is your network behind the inside or the outside ASA interface?

If it is behind inside, then you can't access the AP (the license limitation we discussed earlier).
If it is behind outside, you will need to create a static NAT translation for the AP address:

static (dmz,outside) <public IP different from outside IP> 11.0.0.2 netmask 255.255.255.255

OR (if you have only one IP, you can use port forwarding):

static (dmz,outside) tcp <outside IP> 1111 11.0.0.2 www netmask 255.255.255.255


Author Comment

by:Eprs_Admin
ID: 35924782
Hi, now after the ASA is reloaded we have a problem with vlan1; it is down.
How do I bring it up?
LVL 12

Expert Comment

by:Fidelius
ID: 35925927
Please post the following output:
# show int ip brie

Author Comment

by:Eprs_Admin
ID: 35929660
Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up  
Internal-Data0/1           unassigned      YES unset  administratively down up  
Loopback0                  127.0.0.1       YES unset  up                    up  
Vlan1                      198.64.195.1    YES CONFIG down                  down
Vlan2                      72.178.217.14   YES CONFIG up                    up  
Vlan21                     11.0.0.1        YES CONFIG up                    up  
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  down                  down
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  up                    up  
Ethernet0/7                unassigned      YES unset  down                  down
LVL 12

Accepted Solution

by:Fidelius (earned 2000 total points)
ID: 35929742
You don't have an active interface in VLAN 1.
Only Eth0/0 and Eth0/6 are up.
I assume Eth0/0 is Vlan2 and Eth0/6 is Vlan21.

Plug something into a port configured for VLAN1 and it will go up.

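To make the accepted answer's reasoning repeatable, here is an added Python example (not from the thread and not Cisco tooling): it parses the 'show interface ip brief' format posted above and, for each VLAN interface that is down, reports whether the cause is simply that no member switch port has link. The output sample is constructed to mirror the post, and the port-to-VLAN map is an assumption that follows the answer's guess.

```python
import re

# Constructed 'show interface ip brief' sample mirroring the thread's post (trimmed to the relevant rows).
SHOW_IP_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  administratively down up
Vlan1                      198.64.195.1    YES CONFIG down                  down
Vlan2                      72.178.217.14   YES CONFIG up                    up
Vlan21                     11.0.0.1        YES CONFIG up                    up
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  up                    up
Ethernet0/7                unassigned      YES unset  down                  down
"""

# Assumed switch-port membership (the accepted answer guessed Eth0/0 -> Vlan2 and Eth0/6 -> Vlan21).
PORT_VLAN = {"Ethernet0/0": "Vlan2", "Ethernet0/1": "Vlan1", "Ethernet0/6": "Vlan21", "Ethernet0/7": "Vlan1"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(YES|NO)\s+(\S+)\s+(.+?)\s+(up|down)\s*$")

def parse_ip_brief(text):
    """Return {interface: (ip, status, protocol)}; Status may be multi-word ('administratively down')."""
    table = {}
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if m:
            name, ip, _, _, status, proto = m.groups()
            table[name] = (ip, status.strip(), proto)
    return table

def diagnose_vlans(text, port_vlan):
    """For each VLAN interface, report 'ok' or why it is down (an SVI needs at least one member port with link)."""
    table = parse_ip_brief(text)
    report = {}
    for name, (ip, status, proto) in table.items():
        if not name.startswith("Vlan"):
            continue
        members = [p for p, v in port_vlan.items() if v == name]
        up_members = [p for p in members if table.get(p, ("", "down", ""))[1] == "up"]
        if status == "up" and proto == "up":
            report[name] = "ok"
        elif members and not up_members:
            report[name] = f"down: no member port has link ({', '.join(members)})"
        else:
            report[name] = f"down: status={status}, protocol={proto}"
    return report
```
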
Author Comment

by:Eprs_Admin
ID: 35929832
Dear Fidelius,
You were right; the problem was that we were doing the config remotely.
The user at the other end did not connect the cable properly.
I am now on site, connected the cable, and everything came up.
Thanks for your support in this matter.

Regards,