
WAP Advice Please

johnnymac
Level 1

Hi,

My company are currently looking into providing a wireless network that external users (outside of our domain) can connect to access only the internet.

I have done a little research and I'm guessing that a Cisco Aironet device could be attached to an Ethernet interface on our PIX in its own DMZ, allowing only port 80, to achieve this?

Could someone kindly confirm if this is correct?

I would be grateful to hear from anyone that has set this up. Has anyone encountered problems connecting these types of devices?

Does anyone have configuration examples or good documents I could read up on?

Many Thanks

J Mack

2 Replies

scottmac
Level 10

Putting the AP in the DMZ is a good way to go in many cases.

What you give up in this scenario is multiple VLANs/SSIDs, since (I believe) the PIX does not do dot1q trunking to a less-secure interface.

You could probably get around that using a VPN client, where each "VLAN" would be described by the VPN link used by the client.

This also permits you to use whatever security you have (RADIUS, TACACS+, local database) for authentication of the client.

If you're using SSL on your web site, you may also need to open up port 443.

Good Luck

Scott

In your case, the AP can serve more than just Internet access, which can give your users a lot of flexibility. I have set up an 1130 AP with VLAN access to two different networks in my office - one is a DMZ that only has Internet access and one is to my Inside network. The AP has access to those VLANs because we recently trunked all our switches together and they all participate in VTP - translation: every switch knows about all the VLANs, and that makes it easier.

This arrangement gives your employees access to the same (Inside) network as their desktop, and guests have access to the Internet (through the DMZ) for checking mail, doing presentations, etc. I just got it working today so I don't have security turned on - I'm still looking for a document that shows how to turn security on one SSID and not another without using a WLSE or WLC.

Here's the link to the document that shows how to use VLANs with an AP:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#apconfig
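The guest-DMZ design discussed in this thread, sketched as an added configuration example that is not from any of the posters or from Cisco documentation. It assumes PIX 6.x-style syntax, a spare `ethernet2` interface, a hypothetical interface name `guest`, a constructed guest subnet of 192.168.50.0/24, and 10.0.0.0/8 as the inside network.

```text
! Constructed example: interface, names and addresses are assumptions, not from the thread
interface ethernet2 auto
nameif ethernet2 guest security10
ip address guest 192.168.50.1 255.255.255.0

! Explicitly block guests from the internal range (10.0.0.0/8 assumed) before any permit
access-list guest_in deny ip any 10.0.0.0 255.0.0.0
! Web only: HTTP, plus HTTPS as mentioned in the first reply
access-list guest_in permit tcp 192.168.50.0 255.255.255.0 any eq www
access-list guest_in permit tcp 192.168.50.0 255.255.255.0 any eq 443
! Name resolution; without it browsing fails even though ports 80 and 443 are open
access-list guest_in permit udp 192.168.50.0 255.255.255.0 any eq domain
! Everything else falls through to the implicit deny at the end of the list
access-group guest_in in interface guest

! Translate guest addresses to the outside interface address (PAT)
nat (guest) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
```

If a `global (outside) 1` statement already exists for the inside network, the `nat (guest) 1` line reuses it and the last line is not needed.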
