Segregated Guest WiFi on ASA 5505

msewell
Level 1

Hello Cisco Community,

In my new job I have Cisco devices, of which I'm not familiar with (I've always had Sonicwall firewalls).  We have an ASA 5505 as our firewall.  It is currently set up using 3 interfaces: one for the WAN, one for the LAN, and one for the DMZ.  We have the Security Plus license.

My charge is to set up a separate (not on the corporate LAN) wireless network for guests.  Obviously the only access this network should have is the internet.  The easy way is to bring in a separate internet connection, but I want to see if it can be done through the ASA 5505 first.

I've done some research, tried, and thought I had it, but not only did it not work, it caused problems for the corporate LAN so I undid everything I did.  So I'm back to square one and thought I'd ask for some help.

Can anybody tell me if this is possible or not, and if so, how to do it, step by step?  I am using ASDM for configuration.

Also, I'm not quite sure which forum this should go in, so if it's in the wrong one, I apologize in advance.

Thanks very much.


Reza Sharifi
Hall of Fame

Hi,

Is the firewall the default gateway for all your subnets? Not sure what the network looks like, but you can connect all your APs and controller to a switch and then uplink the switch to the firewall, put the gateway for the wireless guest VLAN on the firewall and restrict it to have access to the Internet only and not internal resources. You could also use the firewall to assign dynamic IPs to the guest VLAN.

HTH

Hi Reza,

Thanks for replying.

Yes, the firewall is the default gateway for our LAN and DMZ.  In theory I get what you're saying on how to set it up, and in fact I did just that, but it didn't work.  Also, it negatively affected internet access for our LAN.  So I came to the conclusion that I just didn't do it right, and I was hoping to get some detailed help on setting it up.

We're using interface 0 for 'outside', interface 1 for 'inside', and interface 2 for 'dmz.'  I wanted to use interface 5 for 'guest wifi.'  I enabled that and gave it a different subnet than the others.  I set up DHCP on that interface.  I created access rules for any > guest and guest to outside.  I set my wireless router to act as an access point, giving it an IP address that is on the same subnet as interface 5.  I connected that to a switch and then connected the switch to interface 5.  I connected wirelessly to the AP but couldn't get out to the internet, or get an IP address.  In the meantime, users couldn't get out to certain sites on the internet.  So I undid everything.

Clearly something wasn't done right on the firewall so I was hoping for help.

Thanks.

Hi,

Thanks for the explanation. I am not sure if you have seen this post, but it seems that the OP is trying to accomplish the same thing as you do except with sub-interfaces.

This is a post from the firewall section of the forum.

https://supportforums.cisco.com/discussion/11547516/asa-5510-guest-wireless-network

http://www.packetu.com/2011/12/19/using-an-asa-to-establish-a-guest-network/

HTH

Reza,

I have not seen those posts, but they are only mildly helpful since they are using the CLI instead of ASDM.  I'm completely unfamiliar with the CLI commands.

The second post sounds exactly like what I am trying to accomplish, but it says to use the DMZ interface.  We are already using the DMZ interface for our web server.  Will another interface work just the same?

Thanks again.

Hi,

I would think if you try another port, call it say "wireless guest" and give it the proper security level, it should work the same way.

HTH

Reza,

I would think so as well.  Would you know, using ASDM, the exact steps I would have to take so that it works and doesn't negatively affect the current LAN and DMZ configurations?  I don't have a test lab so I am working on a live firewall.

Anybody?

Thanks!

Sam Smiley
Level 3

Sorry I can't help with the ASA config, however it seems that you are approaching this from the wrong direction. Building a guest wifi isn't really a product of the router/firewall. It is simply a matter of segmenting the network. The router/firewall's job is to route traffic, blocking traffic that isn't supposed to be there. You didn't go into details about your network other than the ASA. Here are the concepts of creating a guest wifi:

For the sake of this discussion let's say you have the ASA, a managed switch and a wireless access point (WAP) capable of multiple SSIDs. The concept is that you create multiple VLANs to divide the traffic in the switch; to keep things simple, VLAN 1 will be the corporate LAN while VLAN 2 will be the guest wifi. To start, configure the switch with VLANs 1 & 2, assign LAN ports to VLAN 1 and ports connected to access points as trunk ports, then configure the access point with multiple SSIDs, assigning one to VLAN 1 and the guest SSID to VLAN 2. Once this is done, assign an access list to VLAN 2 in the switch permitting traffic to the Internet while blocking traffic to the LAN. At this point the job of the ASA is to route the traffic of both VLANs to the Internet; it would need to have appropriate routes for both segments.

The link below will give you an overview of this; the example uses a wireless LAN controller, but working with autonomous access points uses the same concepts.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html

A properly configured traceroute should look like this...

C:\>tracert www.cisco.com

Tracing route to e144.dscb.akamaiedge.net [23.195.105.39]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.19.9.129
  2     1 ms     3 ms     4 ms  10.13.13.1
  3     7 ms     5 ms     6 ms  64-238-112-101.customerip.birch.net [64.238.112.101]
^C

C:\>tracert 10.13.13.1

Tracing route to 10.13.13.1 over a maximum of 30 hops

  1  10.19.9.129  reports: Destination net unreachable.

Trace complete.

10.13.13.1 is my router (ASA), 10.19.9.129 is the switch interface.

Regards,

Sam

Sam,

Thanks very much for the great answer.  That makes entirely too much sense and I guess I was approaching it from the wrong direction.  We do have the ASA and a Cisco managed switch where we segment our LAN and DMZ (VLAN1 and VLAN2).  So I could create a VLAN3 on the switch, connect the WAP to a VLAN3 port on the switch, use an unused interface on the ASA assigning it VLAN3, connect that to a VLAN3 port on the switch, add the routes on the ASA, and I should be good to go?

Thanks again!

Mike

That is over engineering just a bit; there is really no need to add another connection to the ASA. In my network I have a 2851 connected to a 3560E; the only thing you need to do to prevent access to the corporate LAN is assign an access list to the guest wireless VLAN. This access list will block traffic to the LAN while giving access to the Internet.

If you aren't using an access point with multiple SSID capabilities, simply plug in the guest access WAP, assign the VLAN as you mentioned and add the access list to the VLAN interface. You will also have to have a DHCP server for the guest WLAN. Here are the relevant configs, all in the 3560E:

DHCP for the guest access:

ip dhcp excluded-address 10.19.9.129 10.19.9.134
!
ip dhcp pool guest-wlan
 network 10.19.9.128 255.255.255.192
 default-router 10.19.9.129
 netbios-node-type b-node
 domain-name guest.cisco.com
 dns-server 64.238.96.12 66.180.96.12
 lease 0 10

Interface commands for switchport connected to Cisco 1252 WAP:

interface GigabitEthernet0/34
 description AP1252-201
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 900
 switchport trunk allowed vlan 500,550,900
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless
 auto qos trust
 spanning-tree bpduguard enable

VLAN interface for guest VLAN:

interface Vlan550
 description GUEST WIRELESS
 ip address 10.19.9.129 255.255.255.192
 ip access-group 155 in
 no ip route-cache
 no ip mroute-cache

Access list for VLAN interface:

access-list 155 deny   ip 10.19.9.128 0.0.0.63 10.0.0.0 0.255.255.255
access-list 155 deny   ip 10.19.9.128 0.0.0.63 172.16.0.0 0.15.255.255
access-list 155 permit ip any any

The Cisco 1252 does have two SSIDs assigned to it: VLAN 500 (Corp Wifi) and VLAN 550 (Guest Wifi). Therefore you see a trunk connection to the WAP.

Regards,

Sam 
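Before applying an ACL like the one Sam posted to a live switch, it helps to check on paper which guest flows it actually blocks. The following is an added example (not code from the thread or from Cisco) that reads the three access-list 155 lines as written above and evaluates them with IOS semantics: first match wins, wildcard-mask matching, implicit deny at the end. The guest client addresses and destinations it tests are constructed; the ACL text is copied from the post.

```python
# Added example: evaluate Sam's access-list 155 with IOS semantics
# (first match wins, wildcard masks, implicit deny at the end) so the
# guest VLAN's reach can be checked before the ACL goes on a live switch.
# ACL text is copied from the post; test flows below are constructed.
import ipaddress

ACL_155 = """
access-list 155 deny   ip 10.19.9.128 0.0.0.63 10.0.0.0 0.255.255.255
access-list 155 deny   ip 10.19.9.128 0.0.0.63 172.16.0.0 0.15.255.255
access-list 155 permit ip any any
"""

def _ip_int(s):
    return int(ipaddress.IPv4Address(s))

def parse_acl(text):
    """Parse IOS extended 'ip' ACL lines into (action, (src, src_wc), (dst, dst_wc))."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        # tok: access-list <n> <permit|deny> ip <src> <wc>|any <dst> <wc>|any
        action, i, fields = tok[2], 4, []
        for _ in range(2):
            if tok[i] == "any":                      # any == 0.0.0.0 255.255.255.255
                fields.append((0, 0xFFFFFFFF)); i += 1
            else:
                fields.append((_ip_int(tok[i]), _ip_int(tok[i + 1]))); i += 2
        rules.append((action, fields[0], fields[1]))
    return rules

def _matches(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; the remaining bits must equal the base.
    return (addr & ~wildcard & 0xFFFFFFFF) == (base & ~wildcard & 0xFFFFFFFF)

def evaluate(rules, src, dst):
    """Return 'permit' or 'deny' for a src->dst flow; unmatched traffic hits the implicit deny."""
    s, d = _ip_int(src), _ip_int(dst)
    for action, (sb, sw), (db, dw) in rules:
        if _matches(s, sb, sw) and _matches(d, db, dw):
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_acl(ACL_155)
    # 10.13.13.1 is the ASA from the traceroute; 192.168.1.10 is a constructed address
    # showing that 192.168.0.0/16 is not covered by the two deny lines.
    for dst in ("23.195.105.39", "10.13.13.1", "172.16.5.5", "192.168.1.10"):
        print(f"guest 10.19.9.130 -> {dst}: {evaluate(rules, '10.19.9.130', dst)}")
```

The check makes one caveat visible: the two deny lines cover 10.0.0.0/8 and 172.16.0.0/12 only, so if any internal segment (a management VLAN, a printer subnet) uses 192.168.0.0/16, a third deny line for that range belongs above the permit.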

OK, that's even better.  I'll give it a go.

Thanks again Sam for taking the time and helping me out.  Much appreciated.

Mike
