
How to add wireless AP to ASA DMZ


I would like to add a Meraki MR16 AP to our DMZ, which is on our ASA 5510. I use a switch connected to the DMZ port of the ASA, and that is where my web server is plugged in. I want to keep the traffic completely separate from our internal LAN. What is the best way to do this, and the most secure? I will connect the AP to the DMZ switch. Below is the config:

ASA Version 8.2(1)

hostname fw
domain-name xxxxx
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address

interface Ethernet0/2
 no nameif
 no security-level
 no ip address

interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxxxxxxxxxxxxxxxxxxx
access-list outside_access_in extended permit tcp any host eq www
access-list DMZtoInside extended permit tcp host host 192.168.5.xx eq 1433
access-list DMZtoInside extended deny ip any
access-list DMZtoInside extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1
nat (DMZ) 1
nat (management) 1
static (DMZ,outside) tcp www www netmask
static (DMZ,outside) tcp https https netmask
static (inside,DMZ) 192.168.5.xx 192.168.5.xx netmask
access-group outside_access_in in interface outside
access-group DMZtoInside in interface DMZ
route outside 1
route inside 192.168.5.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

rd DfltAccessPolicy
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end
no asdm history enable

Thank you

6 Replies

Maykol Rojas
Cisco Employee


What's configured right now seems about right:

access-list DMZtoInside extended permit tcp host host 192.168.5.xx eq 1433

access-list DMZtoInside extended deny ip any

access-list DMZtoInside extended permit ip any any

That would allow traffic to go to the outside but not to the inside.

This NAT statement

nat (DMZ) 1

global (outside) 1 interface

Would allow them to go to the internet.

Plug and play.



Thank you for your reply. The lines:

access-list DMZtoInside extended permit tcp host host 192.168.5.xx eq 1433

access-list DMZtoInside extended deny ip any

access-list DMZtoInside extended permit ip any any

are for my IIS web server that accesses a SQL box on the internal lan.

If I wanted to add an access point to this config, how can I add it in and ensure no users could jump over to the internal LAN?


Basically, they won't access the internal LAN with that config. Right now, if you plug in the Access point, they will be able to access the internet with no problem (assuming that the Access point will NAT the users to one of the addresses on the DMZ).



What should the IP address of the AP be then? Suppose I give the AP an IP address of how should the ACL look?  Meraki has the following, would I need to allow these? How should the config look?  Thanks

Meraki APs must be allowed outgoing connections to the following ports and IP addresses. Make sure a web filter or firewall is not blocking these OUTBOUND connections. For simplicity, the IP network is provided (e.g. 64.x.x.x/24) where several IPs in that range are used by Meraki. If this is a highly secured network, using the individual IPs will provide more security but could require adjustments as we expand our datacenters and utilize more IPs in these ranges.


UDP 7351

UDP 9350 (if using a Meraki VPN product)

TCP 80

TCP 443

TCP 7734

TCP 7752

With Meraki hosted RADIUS server authentication

UDP 1812 or UDP 1645, depending on the UDP port your RADIUS server is listening on.

Only for Systems Manager's Remote Desktop:

TCP 60000-60100 on any of the IPs below


Yes, but this configuration already provides it by using the permit IP any any at the end of the statement. Bottom line, the current configuration is not going to block anything outbound besides going to the internal network.
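As a check on the ordering this reply relies on, here is an added example (not from the thread, and not Cisco or Meraki code) that models the ASA's first-match evaluation of the DMZtoInside list. The inside network 192.168.5.0/24 (standing in for the scrubbed destination of the deny entry), the SQL host 192.168.5.20, the DMZ addresses 10.10.10.10 (web server) and 10.10.10.50 (AP), and the Meraki cloud address 198.51.100.10 are constructed placeholders.

```python
# Added example: first-match evaluation of the thread's DMZtoInside ACL.
# Placeholders (not from the thread): inside network 192.168.5.0/24 as the
# scrubbed 'deny ip any <inside>' destination, SQL host 192.168.5.20, DMZ web
# server 10.10.10.10, DMZ Meraki AP 10.10.10.50, Meraki cloud 198.51.100.10.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source, destination, dest port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, else "tcp"/"udp"
    src: str                     # network in CIDR form
    dst: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in ip_network(self.src) or dst not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport

# The three entries from the thread in the order the ASA evaluates them:
# web server to SQL allowed, anything else to inside denied, the rest permitted.
DMZ_TO_INSIDE = [
    Ace("permit", "tcp", "10.10.10.10/32", "192.168.5.20/32", 1433),
    Ace("deny", "ip", "0.0.0.0/0", "192.168.5.0/24"),
    Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching ACE; unmatched traffic is denied."""
    src, dst = ip_address(src), ip_address(dst)
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"  # implicit deny at the end of every ASA access-list

def ap_isolation_report(acl=DMZ_TO_INSIDE):
    """Flows worth checking once the AP sits in the DMZ; each maps to permit/deny."""
    return {
        "web_to_sql": evaluate(acl, "tcp", "10.10.10.10", "192.168.5.20", 1433),
        "ap_to_sql": evaluate(acl, "tcp", "10.10.10.50", "192.168.5.20", 1433),
        "ap_to_inside": evaluate(acl, "tcp", "10.10.10.50", "192.168.5.1", 445),
        "ap_to_meraki_cloud": evaluate(acl, "udp", "10.10.10.50", "198.51.100.10", 7351),
    }
```

Swapping the second and third entries shows why the deny must sit before the permit ip any any: once the catch-all permit comes first, the deny is never reached and AP clients can reach the SQL host.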



Okay now I got it. I will try it and let you know.  Thanks for all your help on this
