mcsdguyian
asked on
Cisco ASA 5505 Firewall Guest WIFI
I am trying to setup a single port on the 5505 to be dedicated to a Guest WIFI router.
Our internal network uses Static IP addresses and I want the Guest WIFI router to use DHCP for the clients.
I also do not want there to be any way for the guest Wifi to access the internal company network at ALL. This is only used so guests can access the internet while at our business.
I am not that familiar with the ASA 5505 and am not sure exactly how I would configure a single port to do what I am looking at doing. I know it's possible though.
Thanks
Ian
It's pretty straightforward. Create a VLAN for your guest network. Set up a dynamic NAT rule for the guest-vlan interface to use your outside interface IP address.
Since we don't know what are all the devices in use here it is hard for us to give command line examples. There is a brief cookie-cutter guide in the link I pasted below. If there is anything else you need, please feel free to post it here.
http://itguy11.wordpress.com/2010/07/22/guest-wireless-access-using-a-cisco-asa-5505-with-vlan-configuration/
Hope this helps.
ASKER
Thank you guys. Although I really need a working script only because I want to apply this during business hours and if I don't apply the configuration correctly I don't want to block our internet access or access to our live websites.
I am a novice when it comes to ASA5505. We recently upgraded from a Pix501 and we had 2 of those so I could have one live and one for testing a new configuration before moving it over. Now I am not so lucky,
A few things would assist us in helping you faster:
Can you post a brief picture outlining the devices to be used aside from the firewall?
Can you post a copy of your sanitized config along with a sh ver output?
Is the guest wifi router currently connected to the firewall serving internal clients?
Let us know.
ASKER
Other than the ASA5505 the guest WiFi Router is a Cisco EA6500.
The Cisco EA6500 is the dedicated Guest router and is not currently being used at all.
ASA5505 Port Information:
- Port #1: Cisco 2921 Fiber Router is connected from ISP
- Port #2: HP Switch for internal network
- Port #3,4,6-8: (Currently Not used )
- Port #5: Would like Guest Router
ASA5505 Config Information:
Result of the command: "show config"
: Saved
: Written by enable_15 at 12:43:48.359 UTC Fri Jan 17 2014
!
ASA Version 8.2(5)
!
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.140 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.34 255.255.255.240
!
interface Vlan5
no nameif
security-level 50
ip address dhcp
!
ftp mode passive
dns server-group DefaultDNS
domain-name XXX
object-group network inside-subnet
access-list outside-access-in extended permit icmp any any
access-list outside-access-in extended permit tcp any host XX.XX.XX.36 eq www log
access-list outside-access-in extended permit tcp any host XX.XX.XX.35 eq www log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 XX.XX.XX.35-XX.XX.XX.40 netmask 255.255.255.255
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) XX.XX.XX.35 192.168.50.131 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.40 192.168.50.245 netmask 255.255.255.255
static (inside,outside) XX.XX.XX.36 192.168.50.135 netmask 255.255.255.255
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.50.5-192.168.50.132 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password pjorBbUIyWoj7N8S encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect ip-options
inspect http
inspect ils
!
service-policy global_policy global
Do you have the security plus license on this?
Sh ver
and/or
sh license all
ASKER
Sorry about that. Here you go.
Result of the command: "Sh ver"
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
QCSASA up 4 days 12 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 78da.6e5a.0c46, irq 11
1: Ext: Ethernet0/0 : address is 78da.6e5a.0c3e, irq 255
2: Ext: Ethernet0/1 : address is 78da.6e5a.0c3f, irq 255
3: Ext: Ethernet0/2 : address is 78da.6e5a.0c40, irq 255
4: Ext: Ethernet0/3 : address is 78da.6e5a.0c41, irq 255
5: Ext: Ethernet0/4 : address is 78da.6e5a.0c42, irq 255
6: Ext: Ethernet0/5 : address is 78da.6e5a.0c43, irq 255
7: Ext: Ethernet0/6 : address is 78da.6e5a.0c44, irq 255
8: Ext: Ethernet0/7 : address is 78da.6e5a.0c45, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: JMX1745Z131
Running Activation Key:
Configuration register is 0x1
Configuration has not been modified since last system restart.
ASKER
I am not sure if we have the security plus license or not
Ian
Are you going to directly connect this to your firewall port 5, or does this have to travel via the internal LAN switch located on port 2? I'm trying to get a better understanding of how you intend to set this up. Obviously, if you can directly connect it via Cat 5/6 cable it would make your setup a lot simpler. If you have to carve out a static route through the HP network (if you cannot directly connect your AP to the firewall), things will get a bit more complicated. Let us know.
ASKER
Yeah I will connect it directly to the firewall port 5. Really I can connect it to any port it doesn't matter. I thought I saw something in the GUI that said vlan5 had DHCP on it.
Thanks
Ian
ASKER
Hi The_Warlock,
Does this seem like something thats possible?
Thanks
Yes, since you are going to directly connect it to the ASA. Please look at the tutorials I linked below, as they pretty much walk you through the step-by-step process of implementing the configuration. Since we don't have all of the IP and other info for that wifi router, you can gather that and follow the steps in the link(s) below. It is easily done through the web GUI using ASDM. If you still aren't sure, let us know.
Cisco ASDM Download:
http://software.cisco.com/download/release.html?mdfid=279513399&softwareid=280775064&release=7.1.5.100&relind=AVAILABLE&rellifecycle=&reltype=latest
Setup config links:
http://itguy11.wordpress.com/2010/07/22/guest-wireless-access-using-a-cisco-asa-5505-with-vlan-configuration/
http://itguy11.wordpress.com/2010/07/21/guest-wireless-access-using-a-cisco-asa-5510-with-vlan-configuration/
ASKER
Ok, but looking over this it looks like I need a Security Plus License. Is that correct, and if so can I do it without one?
The problem is that with the base license, you can only have up to 3 VLANs. In your config I see 3 already. With the Security Plus license that number goes up to 20 and allows for trunking.
ASKER
Ok, well the one that says vlan is not used, correct? I mean I have nothing plugged into port 5, only 1 and 2. I am not sure why it's set for DHCP either. Can I just reconfigure that?
ASKER CERTIFIED SOLUTION
ASKER
How would I configure that? Would I have to change the DHCP on the Vlan and give it a Static IP?
Then setup DHCP on that interface only.
Hope this helps. There are some really good Cisco guys on here, so someone may be able to give you the exact config if you tell them what OS version of the 5505 you have.
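Putting the advice in this thread together (the_Warlock's "create a VLAN for the guest network and dynamic NAT it behind the outside address", the Base-license limit of three VLANs with the third one restricted, and the last reply's suggestion to give the VLAN a static address and run DHCP on that interface only), here is a worked ASA 8.2(5) configuration for the asker's layout. This is an added example; it was not posted by anyone in the thread and is not taken from the linked guides. It assumes: the faceplate "Port #5" is Ethernet0/4 (the asker's "Port #1" is Ethernet0/0, the outside port); the guest subnet 192.168.5.0/24 is unused; the existing Vlan5 is reused so no fourth VLAN is needed under the Base license; the EA6500's WAN port plugs into Ethernet0/4 and does its own NAT for Wi-Fi clients; and the DNS address is a placeholder to be replaced. It goes a little beyond the thread by denying all RFC 1918 space from the guest side rather than only the inside subnet, which also covers the 192.168.50.0/24 addresses used in the static NATs and management ACLs.

```cisco
! --- Added example, not from the thread. ASA 8.2(5) syntax (pre-8.3 NAT). ---
! Assumptions: guest subnet 192.168.5.0/24, faceplate port 5 = Ethernet0/4,
! 192.0.2.53 is a placeholder DNS server to be replaced with a real resolver.

! 1. Repurpose the existing Vlan5. The Base license allows 3 VLANs, and the
!    third one is "DMZ Restricted": 'no forward interface Vlan1' must be
!    present before 'nameif' is accepted on it. That restriction is exactly
!    the isolation wanted here: guest can never initiate traffic to inside.
interface Vlan5
 no forward interface Vlan1
 nameif guest
 security-level 50
 no ip address
 ip address 192.168.5.1 255.255.255.0
!
! 2. Put the physical port the guest router plugs into onto VLAN 5.
interface Ethernet0/4
 switchport access vlan 5
 no shutdown
!
! 3. Belt and braces: forwarding to Vlan1 is already blocked by the license
!    restriction, but an inbound ACL on guest denies all private address
!    space so a later license upgrade or extra VLAN cannot silently open a
!    path. Only public destinations are permitted.
access-list guest-access-in extended deny ip any 10.0.0.0 255.0.0.0
access-list guest-access-in extended deny ip any 172.16.0.0 255.240.0.0
access-list guest-access-in extended deny ip any 192.168.0.0 255.255.0.0
access-list guest-access-in extended permit ip any any
access-group guest-access-in in interface guest
!
! 4. PAT the guest subnet behind the outside interface address. NAT id 2 is
!    already bound to 'global (outside) 2 interface' in the posted config,
!    so this single line reuses it without touching the inside rules.
nat (guest) 2 192.168.5.0 255.255.255.0
!
! 5. Hand the guest router (and anything else on that port) an address from
!    the ASA's DHCP server on the guest interface only.
dhcpd address 192.168.5.10-192.168.5.20 guest
dhcpd dns 192.0.2.53 interface guest
dhcpd lease 3600 interface guest
dhcpd enable guest
!
! 6. Checks to run before 'write memory' (all are read-only):
!    show nameif          -> guest listed at security-level 50
!    show run nat         -> 'nat (inside) 2 ...' and 'nat (guest) 2 ...'
!    packet-tracer input guest tcp 192.168.5.10 40000 192.168.1.10 80
!        -> expect DROP (guest-access-in ACL or the no-forward restriction)
!    packet-tracer input guest tcp 192.168.5.10 40000 198.51.100.1 80
!        -> expect ALLOW, with the NAT phase showing the outside address
```

None of these lines modify the inside or outside interfaces, the existing static NATs, or the outside ACL, so applying them during business hours does not interrupt current flows; the two packet-tracer checks confirm the isolation and the PAT path before anything is saved. Because guest sits at security-level 50, hosts on inside can still initiate connections toward 192.168.5.0/24, which is normally acceptable for a guest segment but can be closed with an inside ACL if the policy requires it.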