Cisco ASA 5505 and WAP4410N

Hi Experts,
In our office I have a Cisco ASA 5505 and a wireless unit, the WAP4410N access point.
The ASA 5505 is connected to our main office via VPN.
The WAP4410N is connected to the ASA 5505.
How do I separate the network for guests?
If a guest comes in, I just want to give him pure Internet access, but not the office network.
Eprs_Admin (System Architect) asked:
Fidelius commented:
You don't have an active interface in VLAN 1.
Only Eth0/0 and Eth0/6 are up.
I assume Eth0/0 is in Vlan2, and Eth0/6 is in Vlan21.

Plug something into a port configured for VLAN 1 and it will go up.
0
 
Soulja commented:
I believe that model AP allows you to create multiple BSSIDs. You could create a separate "Guest" BSSID and map it to a VLAN that has Internet-only access.
0
 
Eprs_Admin (System Architect, Author) commented:
OK, you mean I have to create a separate SSID network on the AP.
Then I need a VLAN. But I have just one LAN here.
Can I create a VLAN with the ASA 5505?
0
 
Cheever000 commented:
You can create VLANs on a 5505; for example, the inside interface is usually VLAN 1.

!
interface Vlan1
 description Inside_Network
 nameif inside
 security-level 100
 ip address X.X.X.X Y.Y.Y.Y
!
interface Vlan2
 description Outside_network
 nameif outside
 security-level 0
 ip address X.X.X.X Y.Y.Y.Y
!
interface Vlan21
 nameif Guest
 security-level 55
 ip address X.X.X.X Y.Y.Y.Y
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport trunk allowed vlan 1, 21
 switchport trunk native vlan 1
 switchport mode trunk

Connect the AP's trunked port to Ethernet port 0/7 and that should handle the traffic for the guest and regular networks.

All you have to do from there is get the AP configured.

In this example, though, the guest network is VLAN 21.
0
 
Eprs_Admin (System Architect, Author) commented:
I will try this.
But can you explain this section?

interface Ethernet0/7
 switchport trunk allowed vlan 1, 21
 switchport trunk native vlan 1
 switchport mode trunk
0
 
Cheever000 commented:
The trunk port there carries the internal wireless VLAN and the guest VLAN; if you do not need 2 SSIDs on the wireless, then you don't need the trunk settings. The native VLAN statement helps with the ASAs, as they don't seem to handle the native VLAN easily. Now, if you aren't trunking 2 different VLANs in that one port, say from an access point hosting corporate and guest wireless networks, just set the port to access mode, in this example VLAN 21. Remember to set up a global dynamic NAT for the second VLAN interface, in this example VLAN 21.
0
 
Eprs_Admin (System Architect, Author) commented:
I have seen I can create 4 different SSIDs. So is it better to have an extra SSID for the guests?
0
 
Fidelius commented:
What license do you have on ASA? Basic or Security Plus?
0
 
Eprs_Admin (System Architect, Author) commented:
Basic
0
 
Eprs_Admin (System Architect, Author) commented:
Hi,
we face one problem with our DNS server.
The ASA 5505 is connected via VPN tunnel to our main office.
So the DNS settings need to be from our main office.
On the wireless unit we entered the DNS of the provider, but then all shares are not working over the tunnel.
But we want to enter on the wireless unit the DNS from the provider just for the Internet.
Why does the wireless unit use the entered DNS server?
0
 
Fidelius commented:
OK, one thing to note if you don't know it already:
The ASA 5505 with the Basic license has limitations in interface functionality. You can have only 3 VLANs, and you can have only two full-featured interfaces (inside and outside) plus one DMZ, which is limited to communication with only a lower-security interface (commonly the outside interface).
http://www.networkstraining.com/cisco-asa-5505-vlans-and-licensing/

So, if you want to connect guests to the DMZ, they will not be able to access any resource on the inside network. Also, access from the inside to the DMZ will not be achievable.

Regarding the WAP4410N, it doesn't have a built-in DHCP server.
http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&login=1&app=search&vw=1&articleid=16869
So you will need one in the guest VLAN to provide IP, GW and DNS to the clients.

Using a DHCP server you can provide different DNS settings to different SSIDs (assuming you mapped SSID to VLAN). The other option is to manually enter the IP configuration on every host.

With the current Basic ASA license you can have only two VLANs on the WAP4410N: the inside VLAN and the DMZ VLAN for guests.
Also, you will be unable to use the DHCP server on the inside VLAN for the DMZ VLAN (traffic limitation because of the license).

Regards!
0
 
Eprs_Admin (System Architect, Author) commented:
Hi Fidelius:

thanks for the good information.
But for me it is not so easy to understand.
In the beginning, we just wanted to split the network, but we had just one outside IP address.
Now we have more addresses available, so we can give the WAP4410N an extra IP address.

Our main IP is:  72.178.217.14
The gateway for this address is: 72.178.217.1

The new range for the WAP is from 112.186.219.25 to 30.
So this is a completely different range. I want to use the IP 112.186.219.25 for the WAP4410N.

But how do I route this network to our main IP in the ASA 5505?
We already have one outside route for all traffic:
       route outside 0.0.0.0 0.0.0.0 72.178.217.1 1

Do you know how to set up the new route?
0
 
Eprs_Admin (System Architect, Author) commented:
Hey Cheever000:

I entered your config and I cannot create the trunk because of the Basic license.
So I cannot use your config.
0
 
Fidelius commented:
I don't think you can do it with the Basic license. You will need to upgrade the license to Security Plus.

Also, the WAP4410N is not a router, it is just an access point. So from a security aspect it is not good to put a public IP on it.

Here is a simple topology. Please confirm if that is what you want to achieve.
[image: ASA5505 topology]
This pictured scenario is achievable with the Basic license, with the limitation that DMZ and inside cannot communicate.
Please post the ASA config so we can help you more precisely.

Thanks!
0
 
Eprs_Admin (System Architect, Author) commented:
Hi Fidelius:

this is exactly what we want.
If we can do this with the Basic license, that would help us a lot.

[attachment: asa5505-alibi-config.txt]
0
 
Fidelius commented:
Configure one more VLAN, assign it to a switchport and create PAT for the DMZ network:

interface Vlan21
 description guest wireless
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/7
 switchport access vlan 21
!
nat (dmz) 1 0.0.0.0 0.0.0.0

Configure the IP on the WAP4410N: 192.168.1.2 255.255.255.0
For DNS use your ISP's DNS servers.
Configure clients with the same settings as the WAP4410N if you don't have a dedicated DHCP server in VLAN 21.

That should be enough for wireless clients to reach the Internet, and because you have the Basic license they are unable to communicate with the inside network.

Regards!
0
 
Eprs_Admin (System Architect, Author) commented:
Hey Fidelius:
thanks for the info.
But on Thursday I tried to create another VLAN and I had problems with the interface and the license.
I cannot configure nameif for vlan21 because of license issues.

Are you sure the config can be set up like this with the Basic license?
0
 
Eprs_Admin (System Architect, Author) commented:
ERROR:

ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
0
 
Eprs_Admin (System Architect, Author) commented:
What can I do to solve this issue?

ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
0
 
Fidelius commented:
Sorry, I've missed one command.
Configure VLAN 21 like this:

interface Vlan21
 description guest wireless
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!

Regards!
0
 
Eprs_Admin (System Architect, Author) commented:
OK, can we also use another IP range than the one in your example?
ip address 192.168.1.1 255.255.255.0
0
 
Fidelius commented:
You can use any range you like. This was just an example.
0
 
Eprs_Admin (System Architect, Author) commented:
Great.
I will go on this week and let you know.
0
 
Eprs_Admin (System Architect, Author) commented:
Do we have to enter a gateway into the WAP4410?
We chose the range 11.0.0.1 255.255.255.0.
The WAP4410 has the IP 11.0.0.2.

But what kind of gateway do we have to enter?
0
 
Fidelius commented:
I assume that the ASA has the 11.0.0.1 address, so you should put it as the gateway into the WAP4410.
0
 
Eprs_Admin (System Architect, Author) commented:
Hi experts, we have some strange problems here.
The Internet is working with the IP 11.0.0.1 for vlan21 and 11.0.0.2 for the WAP4410N.

But sometimes the wireless is dropping and we lose the connection.
What can it be?

0
 
Eprs_Admin (System Architect, Author) commented:
Sometimes the Internet is running for 5 minutes and sometimes for 3 minutes, and then it reconnects itself.
Is it a configuration error? I don't think so, because the Internet is working sometimes.

0
 
Eprs_Admin (System Architect, Author) commented:
Hi Fidelius:

Like your config, we just changed the range, but set it up the same way you used it.

VLAN21 has IP 11.0.0.1
WAP4410N has IP 11.0.0.2

We now use IP 2 as the gateway and we have an Internet connection.
What do you recommend, IP 1 or IP 2?
0
 
Eprs_Admin (System Architect, Author) commented:
OK, I think we fixed it.
The wireless signal was being interfered with by the wireless phone, and the antennas are now set correctly.

Now I have the final question:
How can we reach the AP from our network?
Because the AP has the IP 11.0.0.2 and our network is 198.64.185.0.
Can we create a route to connect remotely to the AP?
0
 
Fidelius commented:
Is your network behind the inside or the outside ASA interface?

If it is behind inside, then you can't access the AP (license limitation we discussed earlier).
If it is behind outside, you will need to create a static NAT translation for the AP address:

static (dmz,outside) <public IP different from outside IP> 11.0.0.2 netmask 255.255.255.255

OR (if you have only one IP, you can use port forwarding):

static (dmz,outside) tcp <outside IP> 1111 11.0.0.2 www netmask 255.255.255.255

0
 
Eprs_Admin (System Architect, Author) commented:
Hi, now after the ASA was reloaded we have a problem with vlan1: it is down.
How do we bring it up?
0
 
Fidelius commented:
Please post the following output:
# show int ip brie
0
 
Eprs_Admin (System Architect, Author) commented:
Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up  
Internal-Data0/1           unassigned      YES unset  administratively down up  
Loopback0                  127.0.0.1       YES unset  up                    up  
Vlan1                      198.64.195.1    YES CONFIG down                  down
Vlan2                      72.178.217.14   YES CONFIG up                    up  
Vlan21                     11.0.0.1        YES CONFIG up                    up  
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  down                  down
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  up                    up  
Ethernet0/7                unassigned      YES unset  down                  down
0
 
Eprs_Admin (System Architect, Author) commented:
Dear Fidelius,
You were right, the problem was that we were doing the config remotely.
The user at the other end did not connect the cable properly.
I am now on site, connected the cable and everything came up.
Thanks for your support in this matter.

Regards,
0
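Two checks in this thread were done by hand: the Basic-license rule behind the "more than 2 interfaces with nameif and without a no forward command" error (fixed by adding `no forward interface vlan 1` to the DMZ VLAN), and the diagnosis that a VLAN interface shows "down" when no switchport in that VLAN has link. The script below is an added example, not code from the thread or from Cisco; it parses a constructed ASA 5505 config and a constructed `show interface ip brief` output in the same shape as the ones posted above, and automates both checks. The sample addresses, the limit of 2 full interfaces and the default access VLAN of 1 are assumptions taken from the thread and from 5505 defaults, not from the asker's real config.

```python
import re

# Constructed ASA 5505 config in the shape of the thread's snippets (sample
# addresses, not the asker's real config). Ethernet0/6 has no access-vlan
# line, so it sits in VLAN 1, the 5505 default.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 198.64.195.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 72.178.217.14 255.255.255.0
!
interface Vlan21
 nameif dmz
 ip address 11.0.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 21
!
"""
# The same config with the 'no forward' line from Fidelius's correction.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " nameif dmz\n", " no forward interface vlan 1\n nameif dmz\n")

# Constructed 'show interface ip brief' output with one port deliberately down.
SAMPLE_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      198.64.195.1    YES CONFIG down                  down
Vlan2                      72.178.217.14   YES CONFIG up                    up
Vlan21                     11.0.0.1        YES CONFIG up                    up
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  up                    up
"""

BASIC_MAX_FULL_IFACES = 2  # nameif'd interfaces without 'no forward' (from the ASA error)
DEFAULT_ACCESS_VLAN = 1    # 5505 switchports belong to VLAN 1 unless configured otherwise

def parse_config(text):
    """Map each 'interface X' block to its indented sub-commands."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any non-indented line closes the block
    return blocks

def check_basic_license(blocks):
    """Return the violation the Basic license rejects at 'nameif' time, if any."""
    full = [n for n, attrs in blocks.items()
            if any(a.startswith("nameif ") for a in attrs)
            and not any(a.startswith("no forward interface") for a in attrs)]
    if len(full) > BASIC_MAX_FULL_IFACES:
        return [f"{len(full)} interfaces ({', '.join(full)}) have nameif without "
                f"'no forward interface'; Basic license allows {BASIC_MAX_FULL_IFACES}"]
    return []

def vlan_members(blocks):
    """Map VLAN number -> switchports in that VLAN (access ports only)."""
    members = {}
    for name, attrs in blocks.items():
        if not name.lower().startswith("ethernet"):
            continue
        vlan = DEFAULT_ACCESS_VLAN
        for a in attrs:
            m = re.match(r"switchport access vlan (\d+)$", a)
            if m:
                vlan = int(m.group(1))
        members.setdefault(vlan, []).append(name)
    return members

def parse_int_brief(text):
    """Map interface name -> (status, protocol) from 'show interface ip brief'."""
    state = {}
    for line in text.splitlines()[1:]:  # skip the header row
        tokens = line.split()
        if len(tokens) >= 6:             # status may be 'administratively down'
            state[tokens[0]] = (" ".join(tokens[4:-1]), tokens[-1])
    return state

def explain_down_vlans(blocks, brief):
    """For each VLAN interface that is down, list its member ports and their state."""
    # A 5505 VLAN interface only comes up when a switchport in that VLAN has link.
    members = vlan_members(blocks)
    report = {}
    for name, (status, _proto) in brief.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and status != "up":
            ports = members.get(int(m.group(1)), [])
            report[name] = {p: brief.get(p, ("unknown", ""))[0] for p in ports}
    return report
```

Running `check_basic_license(parse_config(SAMPLE_CONFIG))` reproduces the thread's error condition (three nameif'd VLANs, none restricted), the `FIXED_CONFIG` variant passes, and `explain_down_vlans` reports Vlan1 as down with its only member port Ethernet0/6 also down, which is the unplugged-cable case the asker found on site.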