Solved: ASA5506 New VLAN for Guest WIFI

saids3 · ‎04-02-2020

Hello

I need to create new VLAN02 for guest WIFI and set up some rules to restrict access to some IP address.

My ASA5506 is in BVI mode.

The current ASA interfaces are like this;

BVI1 – inside

GIG1/1 - outside -

GIG1/2 - inside_1 -

GIG1/3 - inside_2 -

GIG1/4 - inside_3 -

GIG1/5 - inside_4 -

GIG1/6 - inside_5 -

GIG1/7 - inside_6 -

GIG1/8 - inside_7 -

Management1/1 -

I want to assign GIG1/5 for VLAN02 as guest Wi-Fi and assign and IP address for this new VLAN.

What is the best practice to do it? Please.

Is it possible to demonstrate the setting from ASDM?

Marius Gunnerud · ‎04-28-2020

You just need to configure a second BVI interface with an IP in the range that VLAN2 has.

for example:

interface bvi 1

nameif inside

security-level 100

ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2

interface bvi 2

nameif GUEST-WIFI

security-level 0

ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2

interface Gig1/1

description LOCAL_LAN

bridge-group 1

interface Gig1/5

description GUEST_WIFI

bridge-group 2

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎04-28-2020

Assuming that you will have more than one VLAN on the link between ASA and the switch, you can do the following (I am assuming you are following best practice and not using VLAN 1 and therefore I am using VLAN 2 and 3 in this example):

ASA:

int Gi1/2

no shut

intGi1/2.2

vlan 2

nameif WIFI-GUEST

security-level 5

ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2

int Gi1/2.3

vlan 3

nameif INSIDE

security-level 100

ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2

object network WIFI-GUEST-SUBNET

subnet 10.1.2.0 255.255.255.0

nat(WIFI-GUEST,OUTSIDE) dynamic interface

object network INSIDE-SUBNET

subnet 10.1.3.0 255.255.255.0

nat(INSIDE,OUTSIDE) dynamic interface

Switch:

int Gi1/24

switchport mode trunk

switchport trunk allowed vlan add 2,3

no shut

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

saids3 · ‎04-27-2020

Hello All

Any feedback? please.

I have created "DMZ Name of interface GigabitEthernet1/6.2"

Interface GigabitEthernet1/6.2 "DMZ", is down, line protocol is down
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
VLAN identifier 2
MAC address 7488.bb16.a323, MTU 1500
IP address 10.207.177.1, subnet mask 255.255.255.0
Traffic Statistics for "DMZ":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped

How to make it active and assign port in cisco switch sg300?

basically for wifi guest.

Marius Gunnerud · ‎04-28-2020

You just need to configure a second BVI interface with an IP in the range that VLAN2 has.

for example:

interface bvi 1

nameif inside

security-level 100

ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2

interface bvi 2

nameif GUEST-WIFI

security-level 0

ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2

interface Gig1/1

description LOCAL_LAN

bridge-group 1

interface Gig1/5

description GUEST_WIFI

bridge-group 2

--
Please remember to select a correct answer and rate helpful posts

saids3 · ‎04-28-2020

Thank you -

I need to assign port to this new BVI2

I have cisco switch sg300 28port -

Steps -

switchbb2d3c#configure t
switchbb2d3c(config)#interface ge24
switchbb2d3c(config-if)#switchport mode trunk
switchbb2d3c(config-if)#switchport trunk allowed vlan add 2
switchbb2d3c(config-if)#end

switchbb2d3c#configure t
switchbb2d3c(config)#interface ge 5
switchbb2d3c(config-if)#switchport mode access
switchbb2d3c(config-if)#switchport access vlan 2
switchbb2d3c(config-if)#end

switchbb2d3c#conf t
switchbb2d3c(config)#interface ge5
switchbb2d3c(config-if)#shutdown
switchbb2d3c(config-if)#no shutdown

Marius Gunnerud · ‎04-28-2020

In the example for the BVI interface the switch interface should be an access port. If you want to trunk the switch interface you need to configure subinterfaces on the ASA, assign them to the correct VLAN and add the bridge-group ID.

--
Please remember to select a correct answer and rate helpful posts

saids3 · ‎04-28-2020

So from the firewall side is good so far.

Can you please list the steps for the switch, what I should do?
Ge24 is the main interface between Asa and switch.

example I want to assign ge5 to BVI2?

Marius Gunnerud · ‎04-28-2020

What is the reason for using BVI? BVI interface is mainly used when you want to bridge two or more interfaces on the ASA. It is so you can use the ASA interfaces as a switch (of sorts). If you are not using the ASA interfaces as a "switch" then I would suggest not using BVI and just use regular interface configuration.

--
Please remember to select a correct answer and rate helpful posts

saids3 · ‎04-28-2020

Yes, you are right, basically the ASA came with BVI interfaces, I can add normal interface no problem, my question is how to link the switch to the ASA interface assuming the new interface is (VLAN2)?

appreciated

Marius Gunnerud · ‎04-28-2020

Assuming that you will have more than one VLAN on the link between ASA and the switch, you can do the following (I am assuming you are following best practice and not using VLAN 1 and therefore I am using VLAN 2 and 3 in this example):

ASA:

int Gi1/2

no shut

intGi1/2.2

vlan 2

nameif WIFI-GUEST

security-level 5

ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2

int Gi1/2.3

vlan 3

nameif INSIDE

security-level 100

ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2

object network WIFI-GUEST-SUBNET

subnet 10.1.2.0 255.255.255.0

nat(WIFI-GUEST,OUTSIDE) dynamic interface

object network INSIDE-SUBNET

subnet 10.1.3.0 255.255.255.0

nat(INSIDE,OUTSIDE) dynamic interface

Switch:

int Gi1/24

switchport mode trunk

switchport trunk allowed vlan add 2,3

no shut

--
Please remember to select a correct answer and rate helpful posts

saids3 · ‎04-28-2020

Hello -

Thank you for the support, I will make a test and let you know the results.

saids3 · ‎04-29-2020

Hello -

90% of work is completed, I can see the new IP Address in the computer -

Things not working,

1. No Internet network access

2. The IPV4 default gateway is showing different IP Address

3. I'm not able to ping the new IP.

Marius Gunnerud · ‎04-29-2020

Could you please post the full running configuration of the ASA (remember to remove any public IPs, usernames and passwords).

Post the output of show route

Which IP are you not able to ping? The default route IP or the WIFI-GUEST IP?

--
Please remember to select a correct answer and rate helpful posts

saids3 · ‎04-29-2020

at this point, I will have to enter the gate manually -

thank you for the collaboration and excellent support

gerardothink · ‎04-28-2020

agree