topic Re: ASA5506 New VLAN for Guest WIFI in Network Security

ASA5506 New VLAN for Guest WIFI

saids3 — Fri, 03 Apr 2020 05:43:49 GMT

Hello

I need to create new VLAN02 for guest WIFI and set up some rules to restrict access to some IP address.

My ASA5506 is in BVI mode.

The current ASA interfaces are like this;

BVI1 – inside

GIG1/1 - outside -

GIG1/2 - inside_1 -

GIG1/3 - inside_2 -

GIG1/4 - inside_3 -

GIG1/5 - inside_4 -

GIG1/6 - inside_5 -

GIG1/7 - inside_6 -

GIG1/8 - inside_7 -

Management1/1 -

I want to assign GIG1/5 for VLAN02 as guest Wi-Fi and assign and IP address for this new VLAN.

What is the best practice to do it? Please.

Is it possible to demonstrate the setting from ASDM?

Re: ASA5506 New VLAN for Guest WIFI

saids3 — Mon, 27 Apr 2020 15:41:44 GMT

Hello All

Any feedback? please.

I have created "DMZ Name of interface GigabitEthernet1/6.2"

Interface GigabitEthernet1/6.2 "DMZ", is down, line protocol is down
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
VLAN identifier 2
MAC address 7488.bb16.a323, MTU 1500
IP address 10.207.177.1, subnet mask 255.255.255.0
Traffic Statistics for "DMZ":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped

How to make it active and assign port in cisco switch sg300?

basically for wifi guest.

Re: ASA5506 New VLAN for Guest WIFI

Marius Gunnerud — Tue, 28 Apr 2020 11:41:00 GMT

You just need to configure a second BVI interface with an IP in the range that VLAN2 has.

for example:

interface bvi 1

nameif inside

security-level 100

ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2

interface bvi 2

nameif GUEST-WIFI

security-level 0

ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2

interface Gig1/1

description LOCAL_LAN

bridge-group 1

interface Gig1/5

description GUEST_WIFI

bridge-group 2

Re: ASA5506 New VLAN for Guest WIFI

saids3 — Tue, 28 Apr 2020 11:59:57 GMT

Thank you -

I need to assign port to this new BVI2

I have cisco switch sg300 28port -

Steps -

switchbb2d3c#configure t
switchbb2d3c(config)#interface ge24
switchbb2d3c(config-if)#switchport mode trunk
switchbb2d3c(config-if)#switchport trunk allowed vlan add 2
switchbb2d3c(config-if)#end

switchbb2d3c#configure t
switchbb2d3c(config)#interface ge 5
switchbb2d3c(config-if)#switchport mode access
switchbb2d3c(config-if)#switchport access vlan 2
switchbb2d3c(config-if)#end

switchbb2d3c#conf t
switchbb2d3c(config)#interface ge5
switchbb2d3c(config-if)#shutdown
switchbb2d3c(config-if)#no shutdown

Re: ASA5506 New VLAN for Guest WIFI

Marius Gunnerud — Tue, 28 Apr 2020 13:36:39 GMT

In the example for the BVI interface the switch interface should be an access port. If you want to trunk the switch interface you need to configure subinterfaces on the ASA, assign them to the correct VLAN and add the bridge-group ID.

Re: ASA5506 New VLAN for Guest WIFI

saids3 — Tue, 28 Apr 2020 13:59:24 GMT

So from the firewall side is good so far.

Can you please list the steps for the switch, what I should do?
Ge24 is the main interface between Asa and switch.

example I want to assign ge5 to BVI2?

Re: ASA5506 New VLAN for Guest WIFI

Marius Gunnerud — Tue, 28 Apr 2020 14:36:04 GMT

What is the reason for using BVI? BVI interface is mainly used when you want to bridge two or more interfaces on the ASA. It is so you can use the ASA interfaces as a switch (of sorts). If you are not using the ASA interfaces as a "switch" then I would suggest not using BVI and just use regular interface configuration.

Re: ASA5506 New VLAN for Guest WIFI

saids3 — Tue, 28 Apr 2020 15:26:12 GMT

Yes, you are right, basically the ASA came with BVI interfaces, I can add normal interface no problem, my question is how to link the switch to the ASA interface assuming the new interface is (VLAN2)?

appreciated

Re: ASA5506 New VLAN for Guest WIFI

Marius Gunnerud — Tue, 28 Apr 2020 16:53:11 GMT

Assuming that you will have more than one VLAN on the link between ASA and the switch, you can do the following (I am assuming you are following best practice and not using VLAN 1 and therefore I am using VLAN 2 and 3 in this example):

ASA:

int Gi1/2

no shut

intGi1/2.2

vlan 2

nameif WIFI-GUEST

security-level 5

ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2

int Gi1/2.3

vlan 3

nameif INSIDE

security-level 100

ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2

object network WIFI-GUEST-SUBNET

subnet 10.1.2.0 255.255.255.0

nat(WIFI-GUEST,OUTSIDE) dynamic interface

object network INSIDE-SUBNET

subnet 10.1.3.0 255.255.255.0

nat(INSIDE,OUTSIDE) dynamic interface

Switch:

int Gi1/24

switchport mode trunk

switchport trunk allowed vlan add 2,3

no shut

Re: ASA5506 New VLAN for Guest WIFI

gerardothink — Tue, 28 Apr 2020 20:28:02 GMT

agree

Re: ASA5506 New VLAN for Guest WIFI

saids3 — Wed, 29 Apr 2020 06:53:48 GMT

Hello -

Thank you for the support, I will make a test and let you know the results.

Re: ASA5506 New VLAN for Guest WIFI

saids3 — Wed, 29 Apr 2020 08:49:37 GMT

Hello -

90% of work is completed, I can see the new IP Address in the computer -

Things not working,

1. No Internet network access

2. The IPV4 default gateway is showing different IP Address

3. I'm not able to ping the new IP.

Re: ASA5506 New VLAN for Guest WIFI

Marius Gunnerud — Wed, 29 Apr 2020 11:58:09 GMT

Could you please post the full running configuration of the ASA (remember to remove any public IPs, usernames and passwords).

Post the output of show route

Which IP are you not able to ping? The default route IP or the WIFI-GUEST IP?

Re: ASA5506 New VLAN for Guest WIFI

saids3 — Wed, 29 Apr 2020 13:21:51 GMT

at this point, I will have to enter the gate manually -

thank you for the collaboration and excellent support