Guest Wireless with ASA 5505 and HP Procurve Switches

Hello all,
We have our ASA and modem on the second floor, which is on VLAN 2. Our ASA inside interface is on the default VLAN. We plan to have our ASA act as a DHCP server for the guest network and push out our modem DNS addresses. I want this guest wireless network to be able to reach our ASA to get Internet access. The guest wireless will be broadcast on VLAN 18 only.

The general topology is as follows:

Modem---> ASA ---> Vlan 2 Hp switch ---> Core Switch ---> Vlan 18 HP Switch ---> Cisco 1200 WAP (Corporate and guest wireless)


I'm assuming the link from the Cisco WAP to the HP switch would need to be tagged. Also, the HP switches will need to have the new VLAN created. The uplink port on the 18th-floor access switch, which connects to the core switch, will need to be tagged as well. Then the core switch port going to the VLAN 2 access HP switch will need to be tagged.
Finally, due to my current ASA license, I have a port on the ASA that is untagged for the guest wireless VLAN going to the 2nd-floor HP switch. The port on the 2nd-floor HP switch that the ASA is connected to is untagged for the guest wireless. Please let me know if this will work. Thanks ahead of time!

Modem ---> ASA ---guest Vlan untagged port ---> 2nd fl HP switch ---Tagged Guest wireless--> Core Switch ---> uplink to 18th fl is tagged for guest wireless ---> 18th floor switch   ---tagged port for guest wireless ---> Cisco WAP (Corporate and Guest Wireless)
RenoGryphon Asked:

Craig Beck Commented:
Sounds good to me... just remember though that the ASA will only do DHCP for a maximum /24 subnet - no more, so you're limited to 253 guests per DHCP pool.
0

Fred Marshall (Principal) Commented:
I'm a little confused by:
We plan to have our ASA act as a dhcp server for the guest network and push out our modem DNS addresses.
Is the ASA not doing NAT then?  Is the modem not doing DHCP then?  What are the ASA WAN and LAN IP addresses?  So far this doesn't seem right to me.
0
Craig Beck Commented:
It sounds fine to me...

The clients will use the ASA as their default gateway and will receive their IP addresses from it too, not the modem.  The ASA will also tell the clients what DNS server addresses to use, again via DHCP.

I don't see a problem to be honest!?
0

RenoGryphon (Author) Commented:
The ASA handles our VPN backup and will be the DHCP server for the guest wireless.  The ASA is doing NAT as well.
0
Akinsd (Network Administrator) Commented:
Modem ---> ASA ---guest Vlan untagged port ---> 2nd fl HP switch ---Tagged Guest wireless--> Core Switch ---> uplink to 18th fl is tagged for guest wireless ---> 18th floor switch   ---tagged port for guest wireless ---> Cisco WAP (Corporate and Guest Wireless)

I can't visualize the topology from the above.

Your setup should work. Only I didn't see any mention of IP helper configuration if the ASA is the default gateway for that vlan. I will assume that you have other DHCP servers, or is your ASA the only DHCP server?
0
Craig Beck Commented:
The ASA is the DHCP server for this subnet and also has an interface on each VLAN in the required subnet, so no helper is required.
0
RenoGryphon (Author) Commented:
For the corporate wireless we use our domain controller for DHCP. Our ASA will only be the DHCP server for the guest wireless VLAN.

Thanks again everyone for all the input. I'm going to try to implement the necessary configurations tomorrow.
0
RenoGryphon (Author) Commented:
Well, this is turning into a bigger pickle than I expected.  Before I could even think of configuring the guest wireless fully, I realize there are issues with the general ASA configuration. Lol, I can't remote into the ASA yet.
The ASA inside interface is configured with a default VLAN address and is connected to an HP switch, and this switch is uplinked to our core switch. Any input would be greatly appreciated. Thanks again to all of you!!

Default Vlan subnet: 172.18.0.0 /24

Vlan 2 subnet: 172.18.2.0/24

Vlan 18 subnet: 172.18.18.0/24

__________________________
HP Switch configs:
ASA to switch 

Port 48 config (connected to Eth0/1 on ASA):
Default VLAN - untagged, VLAN 2 - forbid

Port 47 config (connected to Eth0/6 on ASA):
Default VLAN - no untagged, corporate and guest wireless are tagged.

Port 51 config (uplink to core switch):
Default VLAN - untagged, VLAN 2 - forbid, corporate and guest wireless - no untagged.

Now, just looking at the above port configuration, I can see one problem. Our ASA license cannot do trunking, so I would assume our guest wireless VLAN would need to be untagged on there as well.


ASA configs:

Guest Wireless subnet: 192.168.20.0 /24

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.18.0.22 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.252 
!
interface Vlan173
 no forward interface Vlan1
 nameif 260Guest
 security-level 50
 ip address 192.168.20.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 173
!
interface Ethernet0/7
 switchport access vlan 173
!
ftp mode passive
clock timezone est -5
clock summer-time est recurring
dns server-group DefaultDNS
 domain-name unity.local
access-list ____ extended permit ip 172.18.0.0 255.255.0.0 10.0.0.0 255.254.0.0 
access-list _____ extended permit ip 172.18.0.0 255.255.0.0 10.200.1.0 255.255.255.240 
access-list _____ extended permit ip 172.18.0.0 255.255.0.0 172.16.0.0 255.255.0.0 
access-list ______ extended permit ip 172.18.96.0 255.255.224.0 10.6.0.0 255.255.254.0 
access-list nonat extended permit ip 172.18.0.0 255.255.0.0 10.0.0.0 255.254.0.0 
access-list nonat extended permit ip 172.18.0.0 255.255.0.0 10.200.1.0 255.255.255.240 
access-list nonat extended permit ip 172.18.0.0 255.255.0.0 172.16.0.0 255.255.0.0 
access-list nonat extended permit ip 172.18.96.0 255.255.224.0 10.6.0.0 255.255.254.0 
access-list outside-in extended permit icmp any any echo 
access-list outside-in extended permit icmp any any echo-reply 
access-list outside-in extended permit icmp any any traceroute 
access-list outside-in extended permit icmp any any unreachable 
access-list outside-in extended permit icmp any any time-exceeded 
access-list outside-in extended permit icmp any any source-quench 
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu 260Guest 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.18.0.0 255.255.0.0
nat (260Guest) 1 192.168.20.0 255.255.255.0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL


0
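Putting the tagging plan from the question together with the switch port and ASA configuration posted above, here is an added configuration sketch (not from the original thread or any participant) of the HP ProCurve VLAN commands and the ASA DHCP lines that plan implies. It assumes the guest VLAN is numbered 173 on the switches to match the ASA's Vlan173, that 2nd-floor ports 47 and 51 are as posted, and that the core/18th-floor port numbers and the modem DNS addresses are placeholders; lines starting with `;` or `!` are annotations.

```text
; ---- HP ProCurve, 2nd-floor switch (the one the ASA plugs into) ----
; ASA Eth0/6 is an access port (no trunking on this license), so its
; switch port 47 must be UNTAGGED in the guest VLAN and in no other VLAN.
vlan 173
   name "Guest-Wireless"
   untagged 47
   tagged 51
   exit
vlan 1
   no untagged 47
   exit

; ---- HP ProCurve, core switch (port numbers are placeholders) ----
vlan 173
   name "Guest-Wireless"
   tagged <PORT-TO-2ND-FLOOR>,<PORT-TO-18TH-FLOOR>
   exit

; ---- HP ProCurve, 18th-floor switch (port numbers are placeholders) ----
; The WAP port carries corporate and guest SSIDs, so guest is tagged there too.
vlan 173
   name "Guest-Wireless"
   tagged <UPLINK-TO-CORE>,<PORT-TO-WAP>
   exit

! ---- Cisco ASA 5505, 8.2-style syntax to match the posted config ----
! Interface Vlan173 / nameif 260Guest / 192.168.20.1 already exists above.
! Its "no forward interface Vlan1" stops guests initiating traffic to the
! inside VLAN; outbound to the Internet still works via the nat/global lines.
dhcpd address 192.168.20.10-192.168.20.254 260Guest
dhcpd dns <MODEM-DNS-1> <MODEM-DNS-2> interface 260Guest
dhcpd lease 3600 interface 260Guest
dhcpd enable 260Guest
```

Check the result with `show vlans 173` on each switch (port 47 should show Untagged, the uplinks Tagged) and `show dhcpd binding` on the ASA once a guest client associates.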
Craig Beck Commented:
If you can't do trunking you need a separate interface for each VLAN on the ASA.  That makes the HP switchport config easy - they are all just untagged in whichever VLAN you connect to on the ASA.
0
Akinsd (Network Administrator) Commented:
You can save a lot of effort by just creating an additional VLAN on your switch or router that you currently use for the other vlans. Configure IP helper to your dhcp server from the default gateway. Create a new scope on the dhcp server.
Create an access list that blocks traffic from the guest VLAN from accessing the internal network.

A diagram would be better to see what your topology looks like.
0
Craig Beck Commented:
Guest wireless doesn't usually use DHCP from an internal or corporate DHCP server in my experience.  DHCP for this purpose is usually dealt with by the gateway, firewall or dedicated DHCP server.

This is especially the case where Guest wireless terminates in a DMZ, where routed access to the DHCP server isn't possible.
0
RenoGryphon (Author) Commented:
I was of the same mind. I want the guest wireless on a different VLAN that is separated from our internal network.
I plan to make our ASA the default gateway and dhcp server. I'll work on getting together a diagram of our current topology. Thanks again!
0
Akinsd (Network Administrator) Commented:
Are you familiar with private VLANs?

When you have a DMZ, yes. From the author's description, I don't see any DMZ in place.
Moreover, a DMZ should be within 2 different firewalls, not using your firewall with 1 side for your network and 1 side for the DMZ... lol... it's like 2 strangers sharing a corridor... who are you kidding.

Best design is you don't even want your gateway issuing ip addresses to strangers.

People use firewalls because they don't know any easier way to separate the vlans.

Ask yourself this. There are millions of users that ISPs assign IP addresses to and yet their networks are hidden from one another. With your method, ISPs will have to install a firewall in their office for every customer that signs up.

The easiest way usually is not the best way in life, occasionally it is, but more often than not, it is not.
0
Craig Beck Commented:
@Akinsd - You don't generally use private VLANs for guest wireless services.  There's no need for private VLANs if your WLAN solution can isolate clients from one another, and it just doesn't work as desired if the AP doesn't provide isolation, as clients can talk to each other across the same AP.

I can't say that people use Firewalls because they don't know any easier way to separate VLANs.  I don't know why you'd think that, as the easiest way to separate VLANs is to simply not route between them.

A traditional DMZ is not actually within 2 different firewalls.  A DMZ is behind a dedicated firewall or port and is outside of the corporate firewall - that means it's not within the corporate firewall; it's more like at the side.

Ask yourself this. There are millions of users that ISPs assign IP addresses to and yet their networks are hidden from one another. With your method, ISPs will have to install a firewall in their office for every customer that signs up.
I am unsure as to where you're going with that statement but I don't see the relevance in ISPs issuing DHCP addresses!?

There's absolutely nothing wrong with your gateway or firewall issuing IP addresses to guest users, especially if it's not the same gateway as your corporate.  Many installations that I've designed or worked on use a dedicated firewall for guest wireless, especially in a Cisco LWAPP/CAPWAP environment.  It's the recommended design approach and it ensures that guest traffic is completely off the internal network.

In this scenario it's not ideal, but it's completely acceptable for a VLAN to be configured on the corporate switches (which isn't a PVLAN) which uses the ASA as the default gateway and DHCP server.  It's exactly how I would suggest configuring this with the equipment available, and I wouldn't be worried about guest users being able to access anything they shouldn't on the corporate network.
0
Akinsd (Network Administrator) Commented:
@Craigbeck

Agreed, I only used the firewall as an illustration of an ideal situation with a DMZ.

The setup you described is okay for many networks but a NO NO in others.

Private VLANs configured properly in network environments integrated with wireless work contrary to your comments. You're keeping your internal VLAN private and isolating public networks.

[Attached diagrams: DMZ, DMZ2]
0
Craig Beck Commented:
I disagree regarding private VLANs.  There's absolutely nothing to stop traffic from the private VLAN being routed back into your corporate network from an upstream router.  Don't be fooled into thinking a PVLAN is secure all the way across your network - it's not, it's only providing L2 separation within the same L2 domain.
0
RenoGryphon (Author) Commented:
Hello All, I apologize for not responding sooner. As always, work is quite busy. But, I wanted to say the implementation was a success!!
0