
How would I contain guest Wifi network in firewall?

Mark Mattix
Level 2

I would like to implement a guest wifi network on my preexisting private network and can't figure out the security on my firewall. Currently the link connecting my private network to the internet is functioning fine and I really don't want to change this link into a trunk as I believe trying to reconfigure the trunk and security lists in the firewall would cause downtime. I would like to use a second interface on the firewall (5520 ASA with 8.2 software) as a trunk interface for my guest network and any other new VLAN in the future. My main concern is at the Core of my network the default gateway is the private IP for my internal firewall connection. If the guest network is connected to my core device going to the ASA, how do I specify a second default gateway on the core for the guest network on the ASA?

After writing this I realized, what if I connected a switch directly to the second trunk interface on my ASA and then used this IP as the default gateway for the guest network? I believe this should work but this leads me to one more question:

Say I wanted to allow my guest network access to a specific server on my internal network, would a proper configuration be to set up the ACLs on the firewall, allowing them to communicate to my inside network?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Yeah I suppose changing the existing interface to a Trunk would not be possible without some kind of downtime unless you used an untypical configuration.

Sadly, my personal knowledge of wireless networks and the devices is almost nonexistent as we have different people to handle setting up those.

But I would imagine you can use a separate Vlan for the Guest Wifi and bring that Vlan to the new ASA interface only. If your actual core switch is doing routing, in other words if it's acting as a L3 switch, then you should probably add the Guest Wifi Vlan only as L2 to the core switch and configure it all the way to the new ASA Trunk. Default gateway as you say would be the IP address configured on the ASA itself.

Controlling the traffic from the new interface on the ASA should be pretty simple.

access-list GUEST-WIFI remark Allow traffic to internal server
access-list GUEST-WIFI permit tcp <guest-wifi-network> <mask> host <internal-server-ip> eq <port>
access-list GUEST-WIFI remark Deny All traffic to Internal networks
access-list GUEST-WIFI deny ip any <internal-network> <mask>
access-list GUEST-WIFI remark Allow All other traffic
access-list GUEST-WIFI permit ip <guest-wifi-network> <mask> any
access-group GUEST-WIFI in interface <guest-interface-nameif>

The above ACL first allows some traffic to a certain internal server with a certain service. It then blocks all other traffic to the internal network. Finally it allows all other traffic. That would be all traffic destined to external public networks.

Naturally you would need possibly Static Identity NAT configurations (since you are using 8.2 software) to enable connections from the Guest Wifi to Internal network.

- Jouni
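As an added example that is not part of Jouni's answer, here is how the pieces he describes fit together on ASA 8.2: the trunk subinterface, the first-match ACL and the identity NAT. The port, VLAN number, addresses, server and port are assumed placeholders, and the inside and outside interfaces are assumed to already exist.

```cisco
! Added example (not from the thread): ASA 8.2 guest trunk subinterface, ACL and identity NAT.
! Assumed placeholder values: GigabitEthernet0/2 is the new trunk port, VLAN 50 is guest
! Wi-Fi (172.16.50.0/24), internal networks are 10.0.0.0/8, the one reachable internal
! server is 10.1.1.10 on TCP 443. Interfaces named inside and outside are assumed to exist.
!
! 1. Physical port carries the 802.1Q trunk; each guest-side VLAN is a subinterface.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2.50
 vlan 50
 nameif guest
 security-level 10
 ip address 172.16.50.1 255.255.255.0
!
! 2. Guest clients get their address and gateway (the ASA itself) from the ASA.
dhcpd address 172.16.50.20-172.16.50.200 guest
dhcpd enable guest
!
! 3. First-match ACL: one internal service allowed, all other internal destinations denied,
!    everything else (Internet-bound) permitted. Order is what makes this work.
object-group network INTERNAL-NETS
 network-object 10.0.0.0 255.0.0.0
!
access-list GUEST-WIFI remark Allow HTTPS to the one internal server
access-list GUEST-WIFI extended permit tcp 172.16.50.0 255.255.255.0 host 10.1.1.10 eq 443
access-list GUEST-WIFI remark Deny everything else toward internal networks
access-list GUEST-WIFI extended deny ip any object-group INTERNAL-NETS
access-list GUEST-WIFI remark Allow remaining traffic (Internet-bound)
access-list GUEST-WIFI extended permit ip 172.16.50.0 255.255.255.0 any
access-group GUEST-WIFI in interface guest
!
! 4. 8.2-style NAT: guest sources are PAT'd behind the outside address; identity statics in
!    both directions keep real addresses unchanged between guest and inside, so guest-to-inside
!    flows are not dropped for lack of a matching global on the inside interface.
global (outside) 1 interface
nat (guest) 1 172.16.50.0 255.255.255.0
static (guest,inside) 172.16.50.0 172.16.50.0 netmask 255.255.255.0
static (inside,guest) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
!
! Verify ACL hit counts and the translation table after a test connection from a guest client:
! show access-list GUEST-WIFI
! show xlate
```

Because an inbound ACL on the guest interface replaces the default low-to-high deny with the explicit list, the final permit line is what keeps Internet access working once the access-group is applied.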


Thank you for your help Jouni!

Yes my core device is functioning in Layer 3. When you mentioned, "then you should probably add the Guest Wifi Vlan only as L2 to the core switch and configure it all the way to the new ASA Trunk":

To configure the Guest wifi vlan as layer 2, could I simply create the VLAN on the core and not assign an IP to the SVI? Sounds easy enough, not sure why I didn't think of that. Thanks again

Hi,

Yes, you should create the actual Vlan. You can create the Vlan interface also but it doesn't really serve a purpose I guess since you can't really configure an IP address to it.

The reason why you shouldn't configure an IP address to it is specifically for the traffic between your Guest Wifi and Internal Network. If your Internal network is using the L3 switch as its gateway and there was an SVI with IP address for the Guest Wifi Vlan also, then the traffic flow would be so that the ASA wouldn't see all traffic between these hosts and would start to block them.

I use VRFs a lot in my work and that is an easy way to separate different Vlans to their own routing tables on a L3 switch or other Router. You can for example have several Vlans grouped to a certain VRF (their own routing table) and some other Vlans to their own VRF. This would mean that you could have default routes on the L3 switch for each of those VRFs separately. It's an easy way to separate networks on a single device.

Sadly I also don't handle the Routers and Switches in my work other than configure them. I am not sure how the Cisco licensing is regarding Routers and Switches. I would imagine that VRFs might require separate licensing on some platforms but I am not sure.

Naturally such a change would require downtime also but it would be an easy way to create separate routing tables for different Vlans if there was a need for such a setup.

- Jouni
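An added illustration, not from the thread, of the VRF-lite alternative Jouni describes on an IOS-style L3 core: the guest VLAN gets its own routing table with its own default route toward the ASA, while the internal VLANs keep the global table. VLAN numbers, the uplink port and addresses are assumed placeholders; in this design the guest subnet sits behind the core instead of directly on the ASA, so the ASA also needs the return route shown in the comment.

```cisco
! Added example (not from the thread): VRF-lite on an IOS L3 core for the guest VLAN.
! Assumed placeholder values: VLAN 50 = guest Wi-Fi (172.16.50.0/24), VLAN 60 = transit
! link to the ASA guest interface (172.16.60.0/30, ASA side .1, core side .2).
! Internal user VLANs stay in the global routing table and are not shown.
!
ip vrf GUEST
 description Guest Wi-Fi, isolated from the global routing table
!
vlan 50
 name GUEST-WIFI
vlan 60
 name GUEST-TRANSIT
!
! Bind the SVIs to the VRF first; "ip vrf forwarding" clears any address already on the SVI.
interface Vlan50
 ip vrf forwarding GUEST
 ip address 172.16.50.1 255.255.255.0
!
interface Vlan60
 ip vrf forwarding GUEST
 ip address 172.16.60.2 255.255.255.252
!
! Uplink to the ASA guest interface carries only the transit VLAN.
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 60
!
! Guest default route lives only in the GUEST table. Without a route between GUEST and the
! global table, guest hosts cannot reach internal VLANs on the switch itself; every guest flow
! has to leave via the ASA, where the GUEST-WIFI ACL decides.
ip route vrf GUEST 0.0.0.0 0.0.0.0 172.16.60.1
!
! On the ASA (guest interface on VLAN 60): route guest 172.16.50.0 255.255.255.0 172.16.60.2
!
! Verify the two tables are separate:
! show ip route vrf GUEST
! show ip vrf interfaces
```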

Thanks Jouni, I'll have to do some research on VRF!
