topic ASA5510 base config for guest wireless network in Network Security

ASA5510 base config for guest wireless network

Steve Coady — Tue, 12 Mar 2019 03:54:05 GMT

Hello

I am partitioning off my guest wireless traffic out a new connection.

I have a WISM and a 5508 controller. The WISM will anchor the subnets to the specific controller.

AP - WISM - 5508 - FW - Cable link - Internet

Can anyone assist in implementing a base config so only traffic originating inside can get out, nothing from outside getting in.

The external link will be via cable and I want to configure their static on my outside int,

Where would be the best place to ratelimit the subnet(s)?

sMc

ASA5510 base config for guest wireless network

Steve Coady — Wed, 05 Mar 2014 20:06:51 GMT

Followup

I want to PAT all internal addresses to the static given by ISP

sMc

ASA5510 base config for guest wireless network

Steve Coady — Wed, 05 Mar 2014 20:23:39 GMT

ANother detail

DHCP pool will be configured on the 5508

sMc

Re: ASA5510 base config for guest wireless network

Marius Gunnerud — Wed, 05 Mar 2014 21:02:09 GMT

This is a very basic setup that you can do, just change interface number, name and IP, and NAT as needed:

int gig0/1

description INSIDE interface

security-level 100

nameif inside

ip add 172.16.1.1 255.255.255.0

no shut

int gig0/2

description OUTSIDE interface

security-level 0

nameif outside

ip add 191.1.1.1 255.255.255.252

no shut

object network LAN

subnet 172.16.1.0 255.255.255.0

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 191.1.1.2

Traffic is permitted from a higher security level to a lower security level by default. A lower security level to higher security level is not permitted. Once you apply an ACL to the interface the security levels have no meaning any more...until the ACL is removed that is. So for a basic setup allowing only traffic from inside to outside you do not need any ACLs.

Keep in mind that the nat statement should be configured while you are under the LAN network object.

--
Please remember to rate and select a correct answer

ASA5510 base config for guest wireless network

Steve Coady — Wed, 05 Mar 2014 21:13:12 GMT

Marius

Thank you for the response.

I am having trouble getting the NAT statement to work

"Keep in mind that the nat statement should be configured while you are under the LAN network object"

There is no NAT option

Cisco Adaptive Security Appliance Software Version 8.2(5)

Please advise.

sMc

ASA5510 base config for guest wireless network

Marius Gunnerud — Wed, 05 Mar 2014 21:15:43 GMT

ah you are running 8.2.

then it would be like this:

global (outside) 1 interface

nat (inside) 1 172.16.1.0 255.255.255.0

--
Please remember to rate and select a correct answer

ASA5510 base config for guest wireless network

Steve Coady — Wed, 05 Mar 2014 21:19:05 GMT

Marius

"very cool", thank you!

Are there any other considerations that would "tighten this config up"?

sMc

ASA5510 base config for guest wireless network

Marius Gunnerud — Wed, 05 Mar 2014 21:27:45 GMT

Really depends what you are trying to do, but this setup is basic but it is secure when considering connections from the internet. No one can initiate a connection from the internet to your internal network. Only your internal network can initiate traffic.

Of course if you want to make your internal network a little more secure you can add an ACL to the inside interface only permitting your specific subnet to initiate traffic to the internet or anywhere else for that matter.

Also, there is the case of managing the ASA, this should only be allowed from a specific subnet or IP on your inside interface. If you want to manage the ASA from the internet you would need to connect to a VPN and then manage the ASA from that connection. HTTPS and SSH connections to a interface with a security level of 0 is not permitted.

To do this you would need to add config similar to the following:

access-list LAN extended permit ip 172.16.1.0 255.255.255.0 any

access-group LAN in interface inside

crypto key generate rsa modulus 2048

ssh 172.16.1.10 255.255.255.255 inside

asdm image

http server enable

http 172.16.1.10 255.255.255.255 inside

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

--
Please remember to rate and select a correct answer

ASA5510 base config for guest wireless network

Steve Coady — Wed, 05 Mar 2014 21:34:16 GMT

Maruis

ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 80

ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 443

Then apply this to the inside interface in/out, would only allow that subnet to originate traffic?

Also, to make sure this subnet has no access to inside services, what would be needed?

sMc

ASA5510 base config for guest wireless network

Marius Gunnerud — Wed, 05 Mar 2014 21:43:19 GMT

ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 80

ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 443

These are router configurations and would not work on the ASA. To do this the ACL config would need to look like this:

access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 80

access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 443

access-group LAN in interface inside

Keep in mind that you can change the ACL name (LAN) to anything you want it to be. You could apply the ACL in the outbound direction but this is very unusual to do on the ASA and I do not suggest doing it unless you have a specific reason for doing so.

Also, to make sure this subnet has no access to inside services, what would be needed?

Not exactly sure where you are going with this. Is this subnet also located on the inside interface? or on a different interface?

If it is located on a different interface, then all you have to do is either give it a lower security level than that of the inside interface (lets say 90 for example), or add an ACL that denies traffic to the inside network subnet and then under that rule have an entery permitting traffic to any.

Keep in mind that the ACLs are checked top to bottom and there is an implicit deny any rule at the bottom of all ACLs. If this ASA is version 8.3 or higher the implicit deny can be seen in the global ACL in the ASDM.

--
Please remember to rate and select a correct answer

ASA5510 base config for guest wireless network

Steve Coady — Wed, 05 Mar 2014 21:48:54 GMT

Marius

Thanks again for you guidance.

"Is this subnet also located on the inside interface?

Yes the inside int is in the same subnet as the nat pool

"or add an ACL that denies traffic to the inside network subnet"

There are many subnets inside, that acl could be extensive

sMc

ASA5510 base config for guest wireless network

Marius Gunnerud — Wed, 05 Mar 2014 21:53:15 GMT

OK, how do you plan or connecting these subnets to the ASA? will there be a router behind the ASA that routes these subnets to the ASA or will there be VLANs that connect to the ASA? Will the ASA be routing between these subnets?

Depending on how your subnets are allocated you might be able to summarize some of the subnets.

--
Please remember to rate and select a correct answer

ASA5510 base config for guest wireless network

Steve Coady — Wed, 05 Mar 2014 21:59:09 GMT

Marius

The topology will lok like:

AP > WISM > 5508 (Subnet/DHCP server created here) > ASA > ISP link

sMc

ASA5510 base config for guest wireless network

Marius Gunnerud — Wed, 05 Mar 2014 22:04:10 GMT

So the ASA will be doing the routing. Then you will need to create subinterfaces on the ASA to accomodate the VLANs...there are other options but that could end up becoming very complicated.

--
Please remember to rate and select a correct answer

ASA5510 base config for guest wireless network

Steve Coady — Wed, 05 Mar 2014 22:18:53 GMT

The Subnet has the following:

172.16.10.20 - 172.16.14.254 _ the first 20 aqre for statics

172.16.10.0 255.255.248.0

Would I still need to create a sub-int?

sMc

ASA5510 base config for guest wireless network

Marius Gunnerud — Wed, 05 Mar 2014 22:24:01 GMT

Have you subneted the network or are they all located on the /21 network? If they are all in the same network (all have the same subnet mask) then no you do not have to create sub-interfaces.

But then you will also run into the issue that traffic will not go through the ASA when going between the hosts as they will all be seen as being part of the same network and the switches will just forward traffic accordingly.

--
Please remember to rate and select a correct answer

ASA5510 base config for guest wireless network

Steve Coady — Wed, 05 Mar 2014 22:27:11 GMT

Marius

They will al be part of the /21

As long as none of them have access to any inside services, I am ok with them going between hosts.

sMc

ASA5510 base config for guest wireless network

Steve Coady — Wed, 05 Mar 2014 22:29:39 GMT

Marius

What aaa commands should I include?

sMc

ASA5510 base config for guest wireless network

Marius Gunnerud — Thu, 06 Mar 2014 07:40:01 GMT

If they will all be part of the /21 network then the ASA will never see traffic that goes between the hosts. That means that any resrtictions for access would need to be configured on the hosts themselves.

As for AAA, you would only configure this for managemt of the ASA. So if you will be using the local user database on the ASA for management then the AAA commands I provided in an earlier post would be enough for access to the ASA.

ASA5510 base config for guest wireless network

Steve Coady — Thu, 06 Mar 2014 16:10:33 GMT

Hello

I have tried to implement the acl as specified however, there is no option to add "eq" etc.. for specific port

access-list GUEST line 1 extended permit ip object-group GUEST_Wireless any ?

configure mode commands/options:

inactive Keyword for disabling an ACL element

log Keyword for enabling log option on this ACL element

time-range Keyword for attaching time-range option to this ACL element

At your earliest convenience, please advise on what I am doing wrong.