Give guest wireless access to internal LAN

greggeesaman
Level 1

We have a guest wireless network using 1130AG Access Points.  Is it possible to allow devices on this network access to an Internal IP?  I know that kind of defeats the purpose on the guest network, but we'd like to give access to internal email to these devices.  Currently this does not work because you cannot loop back into the network to gain access (out the firewall and right back in the same port).

5 Replies

George Stefanick
VIP Alumni

Hi Greg,

Can you share your design? Controller, autonomous, etc.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks for replying George.

We don't have a controller, just four APs that are basically identical in their configuration. Each connects to the same switch, then to a router, and then to an ASA 5510. I'm a little fuzzy on how the guest wireless works. Shouldn't it work like any other VLAN? Or does identifying it as a guest network do something special in the way of security? My thought was just to create a second non-guest SSID and control it using ACLs so that it can only reach the Internet and our mail server, but that seems like it should be unnecessary since the guest wireless network is already in place and working (with the exception of reaching the internal mail server).

Greg,

You hit the nail on the head. We need to dig into how the guest network is configured. It can be handled a number of ways.

It could be a VLAN that has a GW on the ASA. It could be an ACL blocking it, etc.

Can you dig into how the guest is configured? This will help in understanding what the next steps are. Of course your idea about adding another SSID is valid, but it would be best to see how guest is configured, as this may not be needed. Make sense?


The configuration adds to my confusion. I inherited this part of our network; I did not configure it. We have a VLAN for the guest wireless on our switches which is trunked through the network; however, what I find confusing is that there is no mention of it on the router (we only have one). It seems to just use the default gateway to reach the ASA and ultimately the Internet. Guest clients also get DHCP from the ASA, so these requests are passing through the router, but without the aid of any IP helper statement. There are also no ACLs on the router or ASA regarding the network. To me it doesn't seem like it should work at all, which leads me to believe that I don't fully understand what identifying the network as a guest network on the APs does. Does it somehow piggyback on the wireless VLAN?

Hi,

This is how it is done.

The AP has a guest VLAN, say 100.

The port that the AP is connected to is set up with either access VLAN 100 or a trunk.

VLAN 100 is created on the router, say a 3750, with no IP address, and on the ASA with an IP, say 10.10.100.1. VTP is set on the 3750 as server; all others are set to client. All other VLANs are configured with an IP, say x.x.x.254, and all connected devices in each routed VLAN have their GW set to the 3750: VLAN 20 GW 10.10.20.254, VLAN 30 GW 10.10.30.254, and so on. The route to the ASA is done by adding 0.0.0.0 0.0.0.0 10.10.1.1 to the switch; then L3 will happen on the 3750. 10.10.1.1 is the IP on the sub-interface for transporting each VLAN on the ASA, say VLAN 55. 802.1Q trunking is set on the port connected to the ASA. What will happen is that all traffic destined from VLAN 30 to 20 and from 20 to 30 will route on the 3750 with no ACL or security; VLAN 100 will be sent to the ASA interface 0/1.100 and get its DHCP there if it is set up correctly. The route back from the ASA has to be set to each VLAN.

1. Look at your port info on the switch that the AP is connected to.

2. Look at how your VLAN is configured on the router/L3 switch.

3. Check your default GW on the router and for each VLAN.

4. Check your port info for the port connected to the ASA, on both sides.

5. Check the NAT and ACLs on the ASA.

Read "Inter-VLAN routing on the 3750G" from Cisco; this will explain most of what you are looking for.

Remember NOT to set a GW on any untrusted VLAN configured on the L3 switch without an ACL as well; if you do so, you open up the untrusted VLAN for access to the trusted VLANs.

Sent from Cisco Technical Support iPad App
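A constructed configuration sketch of the design described in the reply above (an added example, not the poster's or Cisco's configuration). VLAN numbers and the 10.10.100.1 / 10.10.1.1 / 10.10.x.254 addresses follow the reply; the port names, the 10.10.1.2 transit address, the 10.10.30.25 mail-server address and its port are placeholders. It also adds the ACL the original poster mentioned, on the ASA guest interface, so guests reach only the mail server and the Internet.

```cisco
! 3750 (L3 switch): trusted VLANs get SVIs, the guest VLAN 100 deliberately gets none,
! so guest hosts have no gateway on the switch and cannot be routed to VLAN 20/30 here.
ip routing
vlan 20
 name Users
vlan 30
 name Servers
vlan 55
 name ASA-transit
vlan 100
 name Guest
interface Vlan20
 ip address 10.10.20.254 255.255.255.0
interface Vlan30
 ip address 10.10.30.254 255.255.255.0
interface Vlan55
 ip address 10.10.1.2 255.255.255.0
interface GigabitEthernet1/0/10
 description 1130AG access point: SSIDs mapped to VLAN 20 and guest VLAN 100 (placeholder port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20,100
interface GigabitEthernet1/0/1
 description 802.1Q trunk to ASA 5510 Ethernet0/1 (placeholder port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 55,100
ip route 0.0.0.0 0.0.0.0 10.10.1.1
! ASA 5510: guest gateway, DHCP and the guest policy live here.
interface Ethernet0/1.55
 vlan 55
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
interface Ethernet0/1.100
 vlan 100
 nameif guest
 security-level 10
 ip address 10.10.100.1 255.255.255.0
dhcpd address 10.10.100.10-10.10.100.200 guest
dhcpd enable guest
! Return routes for each trusted VLAN point back at the 3750 transit address.
route inside 10.10.20.0 255.255.255.0 10.10.1.2
route inside 10.10.30.0 255.255.255.0 10.10.1.2
! Guest policy: mail server (placeholder 10.10.30.25, port as used by the mail service) only,
! then deny the rest of the internal range, then Internet. NAT for guest-to-inside is omitted.
access-list GUEST_IN extended permit tcp 10.10.100.0 255.255.255.0 host 10.10.30.25 eq 443
access-list GUEST_IN extended deny ip 10.10.100.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list GUEST_IN extended permit ip 10.10.100.0 255.255.255.0 any
access-group GUEST_IN in interface guest
```

Because the guest VLAN has no SVI on the 3750, the only path from guest to the mail server is through the ASA, where the GUEST_IN ACL is the single place that decides what internal destinations guests may reach.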
