ASA 5505 DMZ for Wireless Guest Access

savdevich
Level 1

Hello,

Here is my dilemma:

I'm deploying an Apple Airport Extreme BaseStation with 7 Airport Express "repeaters" throughout my network/building. The Apple only allows two wireless networks, private and public. You can only select from 192.168.x.x, 172.13.x.x, or 10.10.x.x for each subnet. NO VLAN tagging.

This wasn't my decision... The CEO has Apple fever.

So I'm stuck on how to implement this without VLANs. The guest/public subnet just needs isolated outside access, while the private subnet requires access to both.

Any suggestions would be greatly appreciated.



First off is the 172.13.x.x a typo?  That is a public address range, the private range is 172.16.0.0/12. So 172.31.x.x would be within the range.

Anyway, I suppose you don't have issues with the private wireless network as that will most likely be a part of the existing LAN? 

VLAN tagging is only used when sending traffic over a trunk, so you can use VLANs but the connection to the ASA cannot be a trunk.  This means that you would need to have a physical interface on the 5505 for the guest wireless network.

Assuming that you only have a base license for the ASA, as long as the guest wireless VLAN on the ASA is the 3rd VLAN configured and it only needs to communicate with the outside / internet, then you should be fine.  If you have some machines on the ASA that will need to communicate with the inside network, you will need to purchase a Security Plus license.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

savdevich
Level 1

Hi Marius,

The 172.13 was a typo and 172.16 is correct.

The issue boils down to the two wireless subnets. The private does need to access some resources on the inside. Obviously the public/guest only needs Internet. All traffic flows through the WAN port of the base station as the extenders all connect via the LAN ports. Not a very flexible device...

What will the Security Plus license allow me to do?

What will the Security Plus license allow me to do?

The security plus license enables the use of trunking for the ASA 5505.  It also increases the maximum number of configurable VLANs to 20.  Allows for active/standby failover and increases the number of IPsec VPN tunnels allowed.

The problem with the base license is that you can only have 3 VLANs configured and the 3rd VLAN is a "restricted" VLAN.  That means you cannot pass traffic to or from the inside VLAN to the 3rd VLAN (or DMZ VLAN if you prefer to call it that).  So this DMZ VLAN will only be able to communicate with the internet.

So, if your private wireless network and local LAN will be on the same subnet then your public wireless can be in the 3rd VLAN.  If this is not the case you need to get the security plus license.

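To make the "restricted" 3rd VLAN concrete, here is an added example of the relevant ASA 5505 base-license configuration (not from the thread or from either poster); the VLAN numbers, addresses and the port used for the guest wireless are assumptions:

```cisco
! Added example: ASA 5505 with base license, guest wireless on the restricted 3rd VLAN.
! On the base license the 3rd named VLAN must be created with
! "no forward interface" BEFORE its nameif, otherwise the ASA rejects the nameif.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0        ! assumed inside subnet
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute                    ! assumed ISP-provided address
!
interface Vlan3
 no forward interface Vlan1                  ! guest VLAN may never initiate traffic to inside
 nameif guest
 security-level 50
 ip address 172.16.30.1 255.255.255.0        ! assumed guest subnet (RFC 1918, 172.16.0.0/12)
!
! Base license: switch ports are access ports only (no trunking to the ASA).
interface Ethernet0/0
 switchport access vlan 2                    ! to the ISP
!
interface Ethernet0/1
 switchport access vlan 1                    ! to the existing LAN
!
interface Ethernet0/2
 description guest wireless uplink (assumed dedicated physical port)
 switchport access vlan 3
!
! Guest hosts reach the Internet only; inside hosts are unaffected.
object network GUEST_NET
 subnet 172.16.30.0 255.255.255.0
 nat (guest,outside) dynamic interface
```

With the Security Plus license the `no forward interface` line is no longer required, the guest VLAN can then be allowed to reach inside resources through an explicit access-list, and a switch port can be made a trunk carrying several VLANs.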

Marius,

I'll be ordering the Security Plus license. Thank you for the knowledge share.

Glad I could help

Thanks for the rating
