ASA5505 Configuration for WAP4410 with multiple VLANs

Hi, I am trying to determine the best way to configure a WAP4410N, with our ASA5505, so that the WAP will have 3 SSIDs: 1) "Wireless-Inside" will allow internal users to connect to the internal network, 2) "Guest-DMZ" will allow guests access to the internet and not the internal network, and 3) "TimeClock-DMZ", which will only allow our timeclock to connect over the internet to its web instance.

interface Ethernet0/7
 switchport access vlan 30
 switchport trunk allowed vlan 1,15,30
 switchport mode trunk
!

*Inside: This network has Static IP Addresses
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.140 255.255.255.0
!
access-list Inside-to-any extended permit ip 192.168.50.0 255.255.255.0 any
nat (inside) 2 192.168.50.0 255.255.255.0

interface Vlan15
 description Internal Wireless
 nameif Wireless-Inside
 security-level 100
 ip address 192.168.60.254 255.255.255.0
!
access-list Wireless-Inside_access_in extended permit ip 192.168.60.0 255.255.255.0 any
access-list Wireless-Inside_access_in extended permit icmp 192.168.60.0 255.255.255.0 any
nat (Wireless-Inside) 2 0.0.0.0 0.0.0.0
access-group Wireless-Inside_access_in in interface Wireless-Inside

dhcpd address 192.168.60.100-192.168.60.200 Wireless-Inside
dhcpd dns 192.168.50.50 interface Wireless-Inside
dhcpd enable Wireless-Inside

interface Vlan30
 description Guest
 no forward interface Vlan1
 nameif Guest-DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
access-list Guest-DMZ_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list Guest-DMZ_access_in extended permit icmp 192.168.10.0 255.255.255.0 any
nat (Guest-DMZ) 2 0.0.0.0 0.0.0.0
access-group Guest-DMZ_access_in in interface Guest-DMZ

dhcpd address 192.168.10.100-192.168.10.200 Guest-DMZ
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest-DMZ
dhcpd enable Guest-DMZ


WAP4410 Network Setup
      Local IP: 192.168.10.10
      subnet mask: 255.255.255.0
      Default Gateway: 192.168.10.1
      Primary DNS: 8.8.8.8
      Secondary DNS: 8.8.4.4

      [VLAN SETUP]
      Default VLAN ID: 1
      AP Management VLAN: 1
      VLAN Tag: Untagged
      
      [SSID Names:]
      Guest - VLAN: 30
      WIFI - VLAN: 15
      TimeClock - VLAN: 30



QUESTIONS:
1) Should the IP address for my WAP4410N be on the same subnet as my Internal network?
2) I am having trouble getting the inside Wifi to connect to the internal network and I cannot access internet.
3) I just want to make sure the setup will not allow the Guest or Time clock SSIDs access to the internal network. If there is a best practice for the setup I am trying to set up, I would like to use it.

Thanks, Ian
Asked by: mcsdguyian

masnrock Commented:
1) Should the IP address for my WAP4410N be on the same subnet as my Internal network?
Doesn't matter at the end of the day. However, the upside of having the subnets differ is for troubleshooting and isolation.
2) I am having trouble getting the inside Wifi to connect to the internal network and I cannot access internet
Did you make sure that the inside wireless VLAN is allowed to access the internal network subnet? Have you attempted a ping? If not, then we need to take a look at that. Might need to tweak your ACL. I don't see anything that appears to explicitly allow traffic from VLAN 15 to VLAN 1.
3) I just want to make sure the setup will not allow the Guest or Time clock SSIDs access to the internal network. If there is a best practice for the setup I am trying to set up, I would like to use it
From what I'm seeing, it looks like it should accomplish that without issue.
mcsdguyian (Author) Commented:
Thanks for your help! I had the Wireless-Internal SSIDs on the WAP set to the wrong VLAN. Whoops.  :)
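
For question 3, an added check that is not part of the original thread: it walks the Guest-DMZ interface ACL with first-match semantics and reports which internal subnets that ACL by itself would let the guest subnet reach. It models the ACL only (NAT and `no forward interface` are not evaluated), and the `HARDENED` lines, `INTERNAL` list and function names are constructed for illustration.

```python
import ipaddress

# Guest-DMZ ACL lines as posted in the question.
POSTED = """\
access-list Guest-DMZ_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list Guest-DMZ_access_in extended permit icmp 192.168.10.0 255.255.255.0 any
"""
# Constructed hardening (assumption): explicit denies to the Vlan1 and Vlan15 subnets first.
HARDENED = """\
access-list Guest-DMZ_access_in extended deny ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Guest-DMZ_access_in extended deny ip 192.168.10.0 255.255.255.0 192.168.60.0 255.255.255.0
""" + POSTED
INTERNAL = ["192.168.50.0/24", "192.168.60.0/24"]  # Vlan1 and Vlan15 subnets from the post

def _take_net(tok):
    """Consume 'any' or 'NET MASK' (the forms used on the page) from a token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(text, name):
    """Return [(action, proto, src_net, dst_net)] for one extended ACL, in order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", name, "extended"]:
            continue
        src, rest = _take_net(tok[5:])
        dst, _ = _take_net(rest)
        rules.append((tok[3], tok[4], src, dst))
    return rules

def reachable(rules, src_net, dst_net):
    """First-match walk: True if a permit is hit before a deny covering the whole pair."""
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    for action, proto, r_src, r_dst in rules:
        if not (src.overlaps(r_src) and dst.overlaps(r_dst)):
            continue
        if action == "permit":
            return True
        if proto == "ip" and src.subnet_of(r_src) and dst.subnet_of(r_dst):
            return False  # every packet of the pair is dropped here
    return False  # implicit deny at the end of the ACL

def guest_exposure(text):
    """Internal subnets that the Guest-DMZ ACL alone would let the guest subnet reach."""
    rules = parse_acl(text, "Guest-DMZ_access_in")
    return [n for n in INTERNAL if reachable(rules, "192.168.10.0/24", n)]

print(guest_exposure(POSTED), guest_exposure(HARDENED))
```

On the ASA the deny entries have to sit above the existing permit lines, since entries are matched top-down and new ones are appended by default.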