How to add wireless AP to ASA DMZ

cisco24seven
Level 1

I would like to add a Meraki MR16 AP to our DMZ, which is on our ASA 5510. I use a switch connected to the DMZ port of the ASA, and that is where my web server is plugged in. I want to keep the traffic completely separate from our internal LAN. What is the best and most secure way to do this? I will connect the AP to the DMZ switch. Below is the config:

ASA Version 8.2(1)
!
hostname fw
domain-name xxxxx
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.75.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address 192.168.75.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxxxxxxxxxxxxxxxxxxx
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.xx eq 1433
access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (management) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp xxx.xxx.xxx.xxx www 192.168.75.5 www netmask 255.255.255.255
static (DMZ,outside) tcp xxx.xxx.xxx.xxx https 192.168.75.5 https netmask 255.255.255.255
static (inside,DMZ) 192.168.5.xx 192.168.5.xx netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group DMZtoInside in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.5.xx 255.255.255.255 172.16.75.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e6f986d4427504d675bb1ca51a815345
: end
no asdm history enable

Thank you

6 Replies

Maykol Rojas
Cisco Employee

Hi,

What's configured right now seems about right:

access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.xx eq 1433
access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside extended permit ip any any

That would allow traffic to go to the outside but not to the inside.

This NAT statement:

nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

would allow them to go to the internet.

Plug and play.

Mike

Mike

Thank you for your reply. The lines:

access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.xx eq 1433
access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0
access-list DMZtoInside extended permit ip any any

are for my IIS web server that accesses a SQL box on the internal LAN.

If I wanted to add an access point to this config, how can I add it in and ensure no users could jump over to the internal LAN?

Thanks

Basically they won't access the internal LAN with that config. Right now, if you plug in the access point, they will be able to access the internet with no problem (assuming that the access point will NAT the users to one of the addresses on the DMZ).

Mike

Mike

What should the IP address of the AP be then? Suppose I give the AP an IP address of 192.168.75.80; how should the ACL look? Meraki has the following; would I need to allow these? How should the config look? Thanks

Meraki APs must be allowed outgoing connections to the following ports and IP addresses. Make sure a web filter or firewall is not blocking these OUTBOUND connections. For simplicity, the IP network is provided (e.g. 64.x.x.x/24) where several IPs in that range are used by Meraki. If this is a highly secured network, using the individual IPs will provide more security but could require adjustments as we expand our datacenters and utilize more IPs in these ranges.

Ports

UDP 7351
UDP 9350 (if using a Meraki VPN product)
TCP 80
TCP 443
TCP 7734
TCP 7752

With Meraki hosted RADIUS server authentication:
UDP 1812 or UDP 1645, depending on the UDP port your RADIUS server is listening on.

Only for Systems Manager's Remote Desktop:
TCP 60000-60100 on any of the IPs below


Yes, but this configuration already provides it by using the permit IP any any at the end of the statement. Bottom line, the current configuration is not going to block anything outbound besides going to the internal network.

Mike
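As an added check that is not part of the thread: a small evaluator that walks the posted DMZtoInside ACL top-down the way the ASA does and reports which entry a flow from the proposed AP address (192.168.75.80) hits. It models ACL matching only (NAT and the interface security levels are processed separately on the ASA), and it uses placeholder addresses: 192.168.5.10 for the redacted 192.168.5.xx SQL host and 203.0.113.10 for a Meraki cloud host.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol, else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None = any destination port

def net(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    # ASA ACLs take a real netmask (not an IOS-style wildcard)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

ANY = net("0.0.0.0", "0.0.0.0")

# The DMZtoInside ACL as posted in the thread. 192.168.5.xx is redacted on the
# page, so 192.168.5.10 stands in for the SQL host here (placeholder).
DMZ_TO_INSIDE = [
    Ace("permit", "tcp", net("192.168.75.5"), net("192.168.5.10"), 1433),
    Ace("deny",   "ip",  ANY, net("192.168.0.0", "255.255.255.0"), None),
    Ace("permit", "ip",  ANY, ANY, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down first match, like the ASA. Returns (line index, action);
    (None, 'deny') is the implicit deny at the end of every ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return i, ace.action
    return None, "deny"

if __name__ == "__main__":
    ap = "192.168.75.80"                      # AP address proposed in the thread
    flows = [
        ("udp", ap, "203.0.113.10", 7351),    # Meraki check-in port; address is a stand-in
        ("tcp", ap, "192.168.0.50", 445),     # inside the deny line's 192.168.0.0/24
        ("tcp", ap, "192.168.5.10", 1433),    # the SQL host (placeholder address)
        ("tcp", ap, "172.16.75.10", 445),     # the inside interface's 172.16.75.0/24 subnet
    ]
    for proto, s, d, p in flows:
        idx, action = evaluate(DMZ_TO_INSIDE, proto, s, d, p)
        print(f"{proto} {s} -> {d}:{p}  ACE {idx}: {action}")
```

The two inside-bound sample flows fall through to `permit ip any any`, because the deny entry covers 192.168.0.0/24 only and neither 192.168.5.xx nor the inside interface's own 172.16.75.0/24 lies in that range. A practitioner reviewing this ACL would add explicit deny entries for the inside ranges actually in use before relying on it to keep wireless clients off the LAN.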

Mike

Okay, now I got it. I will try it and let you know. Thanks for all your help on this.
