Configuring "Guest Wi-Fi" VLAN on ASA 5512

tlwoodstx
Level 1

I'm attempting to set up a new VLAN on my Cisco ASA 5512 running version 8.6(1)2.  This VLAN will provide access for wireless "guest" APs in my network.  I have the guest VLAN set up through to my switches; I'm able to dedicate a switch port to VLAN 40 and acquire an IP address in the 10.40.10.0/24 network.  Below is an excerpt of what I think is the relevant config information.  I'm trying to route guest traffic out my "outside" interface.

Obviously I'm missing another command in here.  Any help would be greatly appreciated. If more of the running-config is needed please advise.  Thanks in advance!

_________________________________________________________

interface GigabitEthernet0/1.40

description Guest Wireless Network

vlan 40

nameif guestwireless

security-level 50

ip address 10.40.10.5 255.255.255.0

route outside 0.0.0.0 0.0.0.0 X.X.X.X 1  (public IP at X.X.X.X)

access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside

mtu guestwireless 1500

access-group guestwireless_access_in in interface guestwireless

dhcpd address 10.40.10.50-10.40.10.250 guestwireless

dhcpd dns 8.8.8.8 interface guestwireless

dhcpd enable guestwireless

________________________________________________________


Julio Carvajal
VIP Alumni

Hello,

This is not needed (and it's actually wrong)

access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside

Now you are missing the NAT, I guess

nat (guestwireless,outside) after-auto source dynamic any interface

Give it a try!

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I removed

access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside

added

nat (guestwireless,outside) after-auto source dynamic any interface dns

included the DNS piece.

Still not able to reach the outside Internet.

Thanks for the quick reply

You are doing NAT on the wireless, right?

No need to include the DNS in the NAT

cap guest interface guestwireless match icmp any host 4.2.2.2

cap capout interface outside match icmp any host 4.2.2.2

Then, from a PC, ping 4.2.2.2 and provide

show cap guest

show cap capout


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

show cap guest

4 packets captured

   1: 18:00:08.100229 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request

   2: 18:00:12.853440 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request

   3: 18:00:17.845705 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request

   4: 18:00:22.853547 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request

4 packets shown

ASA# sh cap  capout

0 packet captured

0 packet shown

ASA#
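The two captures above are the whole diagnosis: requests enter guestwireless, nothing leaves outside. As an added example (my code, not from the thread or from Cisco), here is a small parser for that `show cap` output format that compares a paired ingress/egress capture of the same ping and names where the flow breaks; the sample text is constructed from the lines posted above and the packet-line regex assumes exactly this ICMP output layout.

```python
import re

# Constructed from the two captures posted above: echo requests arrive on
# the guest sub-interface, nothing is seen leaving outside.
CAP_GUEST = """4 packets captured
   1: 18:00:08.100229 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request
   2: 18:00:12.853440 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request
   3: 18:00:17.845705 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request
   4: 18:00:22.853547 802.1Q vlan#40 P0 10.40.10.50 > 4.2.2.2: icmp: echo request
4 packets shown"""
CAP_OUT = """0 packet captured
0 packet shown"""

# One 'show cap' ICMP packet line; the 802.1Q tag only appears on sub-interfaces.
PKT = re.compile(r"^\s*\d+: (\S+) (?:802\.1Q vlan#(\d+) P\d+ )?"
                 r"(\S+) > ([^:\s]+): icmp: echo (request|reply)")

def parse_cap(text):
    """Return one dict per ICMP echo line; count/summary lines are ignored."""
    pkts = []
    for line in text.splitlines():
        if m := PKT.match(line):
            ts, vlan, src, dst, kind = m.groups()
            pkts.append({"ts": ts, "vlan": int(vlan) if vlan else None,
                         "src": src, "dst": dst, "kind": kind})
    return pkts

def diagnose(ingress, egress):
    """Localise a failing ping from paired ingress/egress captures."""
    req_in = [p for p in parse_cap(ingress) if p["kind"] == "request"]
    req_out = [p for p in parse_cap(egress) if p["kind"] == "request"]
    rep_out = [p for p in parse_cap(egress) if p["kind"] == "reply"]
    if not req_in:
        return "no echo requests on the ingress interface: check client VLAN or switch trunk"
    if not req_out:
        return "requests enter but never leave: dropped by the ASA (security-level, ACL or NAT)"
    if req_out[0]["src"] == req_in[0]["src"]:
        return "requests leave with the private source address: NAT rule not applied"
    if not rep_out:
        return "translated requests leave but no replies return: upstream issue"
    return "ping path looks healthy"

if __name__ == "__main__":
    print(diagnose(CAP_GUEST, CAP_OUT))
```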

Hello,

Can you share the entire configuration, please?


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Stripped out some config pertaining to crypto and credentials

--------------Config Below-----------------------------------

: Saved

:

ASA Version 8.6(1)2

!

hostname ASA

domain-name company.local

names

!

interface GigabitEthernet0/0

description ISP Interface

nameif outside

security-level 100

ip address ##.##.###.### 255.255.255.248

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1.40

description Guest Wireless Network

vlan 40

nameif guestwireless

security-level 50

ip address 10.40.10.5 255.255.255.0

!

interface GigabitEthernet0/2

nameif inside-tempnet

security-level 0

ip address 172.29.0.252 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

no ip address

management-only

!

boot system disk0:/asa861-2-smp-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name company.local

same-security-traffic permit inter-interface

object network NETWORK_OBJ_10.100.10.0_24

subnet 10.100.10.0 255.255.255.0

access-list outside_access_in extended permit ip object NETWORK_OBJ_10.100.10.0_24 any

access-list inside-tempnet_access_in extended permit ip 172.29.0.0 255.255.255.0 object NETWORK_OBJ_10.100.10.0_24

access-list Split_Tunnel_List standard permit 172.29.0.0 255.255.255.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu guestwireless 1500

mtu inside-tempnet 1500

mtu management 1500

ip local pool ClientVPN-DHCP-Pool 10.100.10.50-10.100.10.250 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

asdm history enable

arp timeout 14400

nat (inside-tempnet,outside) source static any any destination static NETWORK_OBJ_10.100.10.0_24 NETWORK_OBJ_10.100.10.0_24 no-proxy-arp route-lookup

!

nat (guestwireless,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside

access-group inside-tempnet_access_in in interface inside-tempnet

route outside 0.0.0.0 0.0.0.0 ##.##.###.### 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

http server enable

http 0.0.0.0 0.0.0.0 inside-tempnet

http 172.29.0.0 255.255.255.0 inside-tempnet

http redirect inside-tempnet 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

dhcpd address 10.40.10.50-10.40.10.250 guestwireless

dhcpd dns 8.8.8.8 interface guestwireless

dhcpd enable guestwireless

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

ssl trust-point ASDM_TrustPoint0 outside

ssl trust-point ASDM_TrustPoint0 inside-tempnet

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2

anyconnect profiles VPNConnect disk0:/vpnconnect.xml

anyconnect enable

tunnel-group-list enable

group-policy "GroupPolicy_VPN Connect" internal

group-policy "GroupPolicy_VPN Connect" attributes

wins-server none

dns-server value #.#.#.#

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_List

default-domain value company.local

webvpn

  anyconnect profiles value VPNConnect type user

tunnel-group "VPN Connect" type remote-access

tunnel-group "VPN Connect" general-attributes

address-pool ClientVPN-DHCP-Pool

authentication-server-group compnay.LOCAL LOCAL

default-group-policy "GroupPolicy_VPN Connect"

tunnel-group "VPN Connect" webvpn-attributes

group-alias "VPN Connect" enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

: end

Here is the killing part

interface GigabitEthernet0/0

description ISP Interface

nameif outside

security-level 100

Change it to

interface GigabitEthernet0/0

security-level 0

You do not want the most insecure interface with the highest security level hehe


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
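To make the accepted fix checkable, here is an added example (my code, not from the thread or from Cisco) that models the ASA 8.x implicit interface policy, where traffic from a higher security-level to a lower one is permitted and the reverse is denied when no inbound ACL is applied, together with the NAT pair, and runs it over constructed excerpts of the before and after configs. The `lint` check flags exactly the mistake in this thread: an interface named outside that is not the least-trusted one.

```python
import re

# Constructed excerpt of the posted config: the ISP-facing interface
# carries security-level 100 while the guest sub-interface has 50.
CONFIG_BEFORE = """
interface GigabitEthernet0/0
 nameif outside
 security-level 100
interface GigabitEthernet0/1.40
 nameif guestwireless
 security-level 50
nat (guestwireless,outside) after-auto source dynamic any interface
"""
# The accepted fix: outside becomes the least-trusted interface.
CONFIG_AFTER = CONFIG_BEFORE.replace("security-level 100", "security-level 0")

def parse(config):
    """Collect nameif -> security-level and the (real,mapped) nat interface pairs."""
    levels, nats, name = {}, set(), None
    for line in (ln.strip() for ln in config.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            name = m.group(1)
        elif m := re.match(r"security-level (\d+)$", line):
            levels[name] = int(m.group(1))
        elif m := re.match(r"nat \(([^,]+),([^)]+)\)", line):
            nats.add((m.group(1), m.group(2)))
    return levels, nats

def guest_path(config, src="guestwireless", dst="outside"):
    """(allowed, reason) for a new flow entering src and leaving dst.
    Models only the implicit rule: no inbound access-group on src (as in
    the final posted config) and no same-security case (levels differ)."""
    levels, nats = parse(config)
    s, d = levels[src], levels[dst]
    if s <= d:
        return False, f"{src}({s}) -> {dst}({d}) is lower-to-higher: implicitly denied"
    if (src, dst) not in nats:
        return False, f"{src} -> {dst} permitted, but no nat ({src},{dst}) rule"
    return True, f"{src}({s}) -> {dst}({d}) permitted and PAT'd to the {dst} address"

def lint(config):
    """Flag an interface named outside that does not hold the lowest level."""
    levels, _ = parse(config)
    lowest = min(levels.values())
    return [n for n, lvl in levels.items() if n == "outside" and lvl != lowest]

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, guest_path(cfg), lint(cfg))
```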

Doh....I swapped Gig interfaces when I initially set it up and must have overlooked that....good thing this isn't in production yet.  I've made the change; I'll verify tomorrow.

Thanks again!
