Solved

Cisco ASA 5505 Guest VLAN

Posted on 2013-05-15
904 Views
Last Modified: 2013-05-31
Hi Experts,  

I have a Cisco Aironet and a specific SSID for guest users.  I'm going to assign a VLAN to this SSID and I'd like any users that connect to it to only have access to the Internet....Not the internal network.  Being a Cisco novice, how do I do this through ASDM ?  Help is much appreciated.  Thanks.
Question by: polaris101

3 Comments

Expert Comment by: Henk van Achterberg (ID: 39168951)
If you have the base license you need to restrict access from the inside network to the wifi network, as the license only allows for a "restricted DMZ".

If you want to do this from the GUI, I wish you a lot of luck; from the console/SSH/telnet you can use this:

! ASA 5505 with the Base license: a third VLAN is only allowed as a
! "restricted" VLAN, i.e. one that may not initiate traffic to one other VLAN.
! The restriction is configured on the guest VLAN itself (Vlan3), not on
! Vlan1, and "no forward interface" must be entered before "nameif".
interface Vlan3
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 172.16.25.254 255.255.255.0
 no shutdown
! Assign Ethernet0/2 to the guest VLAN (the port the guest SSID is bridged to)
interface Ethernet0/2
 description DMZ
 switchport access vlan 3
 no shutdown
! DHCP server for the guest clients
dhcpd address 172.16.25.100-172.16.25.199 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd enable dmz
! PAT guest traffic to the outside interface address (ASA 8.3+ NAT syntax)
object network IPv4_DMZ_NETWORK
 subnet 172.16.25.0 255.255.255.0
nat (dmz,outside) after-auto source dynamic IPv4_DMZ_NETWORK interface
! Inside network to protect: 192.168.1.0/24 is the ASA 5505 factory default
! and is an assumption here, substitute your own inside subnet
object network IPv4_INSIDE_NETWORK
 subnet 192.168.1.0 255.255.255.0
! Access rules for traffic arriving on dmz: deny anything to the inside
! network first, then allow only ICMP, DNS, HTTP and HTTPS out to the
! Internet. Everything else is dropped by the implicit deny at the end.
access-list dmz_access_in extended deny ip any object IPv4_INSIDE_NETWORK
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit udp any any eq domain
access-list dmz_access_in extended permit tcp any any eq domain
access-list dmz_access_in extended permit tcp any any eq http
access-list dmz_access_in extended permit tcp any any eq https
access-group dmz_access_in in interface dmz

 
Accepted Solution by: asavener (earned 250 total points, ID: 39169471)
The easy way is to just set the security level on that interface to 50.

They won't be able to access the LAN side, although if LAN users want to access devices on the Guest side then they can do so. (Helpful in cases where guests want to share files/screens from their devices.)
 
Assisted Solution by: Henk van Achterberg (earned 250 total points, ID: 39169490)
That is only partly true if you do not create an access list.

You will need to add a deny rule to my access list for the local LAN network to disable access to the inside.
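A verification of the resulting policy, added here as an example and not part of any of the comments above: once the guest VLAN interface sits at security-level 50 and an access list is bound to it, `packet-tracer` on the ASA shows in which phase (ACL, NAT, security level) a flow is allowed or dropped, which is the check worth running before handing the SSID to guests. The guest client address 172.16.25.100 comes from the DHCP pool in the configuration posted above; the inside host 192.168.1.10, the inside interface name `inside` and the public address 8.8.8.8 as a test destination are assumptions (the ASA 5505 factory defaults and a well-known resolver), substitute your own.

```cisco
! Confirm the guest VLAN carries the Base-license restriction towards Vlan1
! and that the access list is actually applied inbound on dmz.
show running-config interface Vlan3
show running-config access-group
show nameif
! Guest client trying to reach an inside host over SMB (assumed inside host
! 192.168.1.10): expected result "drop", either in the ACCESS-LIST phase
! (deny rule) or earlier because of "no forward interface".
packet-tracer input dmz tcp 172.16.25.100 49152 192.168.1.10 445
! The same client reaching a public web server over HTTPS: expected "allow",
! and the NAT phase should show the translation to the outside address.
packet-tracer input dmz tcp 172.16.25.100 49152 8.8.8.8 443
! ICMP from the guest: packet-tracer takes the ICMP type and code (8 0 =
! echo request) instead of ports.
packet-tracer input dmz icmp 172.16.25.100 8 0 8.8.8.8
! Anything not explicitly permitted, for example SMTP, must be dropped by the
! implicit deny at the end of dmz_access_in.
packet-tracer input dmz tcp 172.16.25.100 49152 8.8.8.8 25
! Inside to guest is still allowed by the security levels (100 -> 50); this is
! what lets LAN users reach guest devices. If that is not wanted, an access
! list on the inside interface is needed as well.
packet-tracer input inside tcp 192.168.1.10 49152 172.16.25.100 80
! Hit counters on the access list after some real guest traffic show whether
! the deny rule is doing work.
show access-list dmz_access_in
```

Run these from an enable prompt over SSH or the console; each `packet-tracer` output ends with a `Result:` block naming the interface pair, the action and, for drops, the reason, so the guest-to-inside case should read `Action: drop` while the HTTPS case reads `Action: allow`.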
