ASA5505 Configuration for WAP4410 with multiple VLANs

Hi, I am trying to determine the best way to configure a WAP4410N, with our ASA5505, so that the WAP will have 3 SSIDs: 1) "Wireless-Inside" will allow internal users to connect to the internal network, 2) "Guest-DMZ" will allow guests access to the internet and not the internal network, and 3) "TimeClock-DMZ", which will only allow our timeclock to connect over the internet to its web instance.

interface Ethernet0/7
 switchport access vlan 30
 switchport trunk allowed vlan 1,15,30
 switchport mode trunk
!

*Inside: This network has Static IP Addresses
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.140 255.255.255.0
!
access-list Inside-to-any extended permit ip 192.168.50.0 255.255.255.0 any
nat (inside) 2 192.168.50.0 255.255.255.0

interface Vlan15
 description Internal Wireless
 nameif Wireless-Inside
 security-level 100
 ip address 192.168.60.254 255.255.255.0
!
access-list Wireless-Inside_access_in extended permit ip 192.168.60.0 255.255.255.0 any
access-list Wireless-Inside_access_in extended permit icmp 192.168.60.0 255.255.255.0 any
nat (Wireless-Inside) 2 0.0.0.0 0.0.0.0
access-group Wireless-Inside_access_in in interface Wireless-Inside

dhcpd address 192.168.60.100-192.168.60.200 Wireless-Inside
dhcpd dns 192.168.50.50 interface Wireless-Inside
dhcpd enable Wireless-Inside

interface Vlan30
 description Guest
 no forward interface Vlan1
 nameif Guest-DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
access-list Guest-DMZ_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list Guest-DMZ_access_in extended permit icmp 192.168.10.0 255.255.255.0 any
nat (Guest-DMZ) 2 0.0.0.0 0.0.0.0
access-group Guest-DMZ_access_in in interface Guest-DMZ

dhcpd address 192.168.10.100-192.168.10.200 Guest-DMZ
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest-DMZ
dhcpd enable Guest-DMZ


WAP4410 Network Setup
      Local IP: 192.168.10.10
      subnet mask: 255.255.255.0
      Default Gateway: 192.168.10.1
      Primary DNS: 8.8.8.8
      Secondary DNS: 8.8.4.4

      [VLAN SETUP]
      Default VLAN ID: 1
      AP Management VLAN: 1
      VLAN Tag: Untagged
      
      [SSID Names:]
      Guest - VLAN: 30
      WIFI - VLAN: 15
      TimeClock - VLAN: 30



QUESTIONS:
1) Should the IP address for my WAP4410N be on the same subnet as my Internal network?
2) I am having trouble getting the inside Wifi to connect to the internal network and I cannot access internet.
3) I just want to make sure the setup will not allow the Guest or Time clock SSIDs access to the internal network. If there is a best practice for the setup I am trying to set up, I would like to use it.

Thanks, Ian
Asked by: mcsdguyian
masnrock commented:
1) Should the IP address for my WAP4410N be on the same subnet as my Internal network?
Doesn't matter at the end of the day. However, the upside of having the subnets differ is for troubleshooting and isolation.
2) I am having trouble getting the inside Wifi to connect to the internal network and I cannot access internet.
Did you make sure that the inside wireless VLAN is allowed to access the internal network subnet? Have you attempted a ping? If not, then we need to take a look at that. Might need to tweak your ACL. I don't see anything that appears to explicitly allow traffic from VLAN 15 to VLAN 1.
3) I just want to make sure the setup will not allow the Guest or Time clock SSIDs access to the internal network. If there is a best practice for the setup I am trying to set up, I would like to use it.
From what I'm seeing, it looks like it should accomplish that without issue.
1
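
An added example, not part of the original thread or any participant's post: a Python sketch that reads the access-list and access-group lines posted in the question and lists which other interface subnets each inbound ACL's `permit ip` entries cover, the ACL-level check behind question 3. The `IFACES` table, `take_net` and `acl_reachable` are names introduced here; only ACL matching and the `no forward interface` line are modelled, not NAT or same-security-level rules.

```python
import ipaddress

N = ipaddress.ip_network
# Interface subnets and the 5505 "no forward interface" line, transcribed from the question.
IFACES = {
    "inside":          {"vlan": "Vlan1",  "net": N("192.168.50.0/24"), "no_forward": set()},
    "Wireless-Inside": {"vlan": "Vlan15", "net": N("192.168.60.0/24"), "no_forward": set()},
    "Guest-DMZ":       {"vlan": "Vlan30", "net": N("192.168.10.0/24"), "no_forward": {"Vlan1"}},
}
# ACL and binding lines as posted in the question.
ACL_TEXT = """\
access-list Wireless-Inside_access_in extended permit ip 192.168.60.0 255.255.255.0 any
access-list Wireless-Inside_access_in extended permit icmp 192.168.60.0 255.255.255.0 any
access-group Wireless-Inside_access_in in interface Wireless-Inside
access-list Guest-DMZ_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list Guest-DMZ_access_in extended permit icmp 192.168.10.0 255.255.255.0 any
access-group Guest-DMZ_access_in in interface Guest-DMZ
"""

def take_net(tok):
    """Consume 'any', 'host A' or 'A MASK'; return (network, remaining tokens)."""
    n = 1 if tok[0] == "any" else 2
    spec = "0.0.0.0/0" if n == 1 else tok[1] if tok[0] == "host" else f"{tok[0]}/{tok[1]}"
    return N(spec), tok[n:]

def acl_reachable(acl_text=ACL_TEXT, ifaces=IFACES):
    """Map each ACL-bound interface to the interfaces its inbound 'ip' permits cover."""
    acls, bound = {}, {}
    for w in filter(None, map(str.split, acl_text.splitlines())):
        # Only protocol 'ip' entries are modelled; icmp/tcp/udp entries are skipped.
        if w[0] == "access-list" and w[2] == "extended" and w[4] == "ip":
            src, rest = take_net(w[5:])
            acls.setdefault(w[1], []).append((w[3], src, take_net(rest)[0]))
        elif w[0] == "access-group" and w[2] == "in":
            bound[w[4]] = w[1]
    result = {}
    for name, acl in bound.items():
        me, hits = ifaces[name], []
        for other, dst in ifaces.items():
            if other == name or dst["vlan"] in me["no_forward"]:
                continue  # same interface, or initiation blocked by "no forward interface"
            for action, s, d in acls.get(acl, []):
                if me["net"].subnet_of(s) and dst["net"].subnet_of(d):
                    if action == "permit":
                        hits.append(other)
                    break  # first entry covering the whole subnet pair decides
        result[name] = hits
    return result
```

For the posted lines the result for `Guest-DMZ` is `Wireless-Inside`, because `no forward interface Vlan1` covers only Vlan1 and the `any` destination also covers 192.168.60.0/24; whether that traffic is actually forwarded still depends on the NAT rules, which this check does not model.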
 
mcsdguyian (Author) commented:
Thanks for your help! I had the Wireless-Internal SSID's on the WAP set to the wrong VLAN. Whoops.  :)
0
Question has a verified solution.
