Put firewall at wireless network.

wfqk (Level 5)

Hi, we have a diagram like the one I attached. The users need to get to the internet from their PCs, via the APs and switches etc. But we would like the first hop of the user traffic to be the firewall. That also means that when I run tracert 8.8.8.8 on a PC, the first hop is the firewall. Can anyone give some suggestions on where we need to put the firewall? Thank you.


6 Replies

balaji.bandi (Hall of Fame)

Firewalls are generally deployed at the edge:

1. For securing the entire network it should be at the perimeter, that is, between the ASR and the 7K (assuming that beyond the ASR it is the Internet or an MPLS cloud).

2. Why would you like to deploy the FW at the next level? Where are your WLCs and other networks?

3. Or is this wireless external, or for internal users?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you so much for your reply. I did not make it clear.

 

2. Why would you like to deploy the FW at the next level? Where are your WLCs and other networks?

    The two WLCs are connected to the two N7Ks.

3. Or is this wireless external, or for internal users?

    The APs and users are internal and are behind the switches. If the first hop of the internal user traffic is the firewall, it can prevent some security issues from the inside.

Do you also have a perimeter FW?

Internal users should always be trusted. Not sure how your authentication for the wireless users works?

 

BB


That is because the company has a guest and an inside wireless VLAN on the same APs. The guest VLAN traffic needs to go through the firewall first, so its first hop is the firewall. The network has a firewall located between the ASR and the N7K. I am not sure about the relation of these VLAN connections among the N7K, the firewall and the 3750 switch from the wireless perspective.

You need to segment the traffic for the guest users, who do not need to access internal resources (unless some resource is required).

The corporate SSID can access internal resources.

In either case I would suggest having a separate segment FW; the ASA supports context-based FW, so you can do both and protect external and internal.

 

BB


Thank you very much. You are right.

Just one question: assume there is no firewall anywhere in the network. If a user PC tries to access the internet in that network, should the first hop be the gateway that is defined on the controller guest interface, or the guest VLAN interface IP address?
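Added worked example (this is not configuration from the thread or from Cisco documentation; every interface name, VLAN number and IP address below is assumed for illustration): a single-context ASA acting as the first hop for the guest VLAN, with the N7K carrying that VLAN at layer 2 only. It ties together the segmentation suggested above and the question of which gateway address the guest clients see. With the APs in local mode, client traffic is CAPWAP-tunnelled to the WLC, so the guest VLAN only has to exist between the WLC, the N7K and the ASA; the 3750 and the AP ports do not need it.

```cisco
! ---- N7K (NX-OS) ----
! Guest VLAN exists at layer 2 only: deliberately NO "interface Vlan20",
! so the N7K never routes guest traffic and cannot be the first hop.
vlan 20
  name GUEST-WIRELESS
!
! Port towards the WLC: add VLAN 20 to the existing trunk.
interface Ethernet1/1
  description to-WLC
  switchport
  switchport mode trunk
  switchport trunk allowed vlan add 20
!
! Port towards the ASA. The existing routed/transit link for corporate
! traffic is unchanged and not shown; add its VLAN here if it shares this trunk.
interface Ethernet1/10
  description trunk-to-ASA
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 20
  no shutdown

! ---- ASA (single context) ----
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 203.0.113.2 255.255.255.0      ! assumed upstream link to the ASR
!
interface GigabitEthernet0/1
  description trunk-to-N7K
  no shutdown
!
! One subinterface per guest VLAN. THIS address is the guest default gateway,
! so tracert from a guest client shows it as hop 1.
interface GigabitEthernet0/1.20
  vlan 20
  nameif guest
  security-level 0
  ip address 192.168.20.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Guests may reach the internet only: drop anything destined for internal ranges
! (assumed here to be the RFC 1918 space) before permitting everything else.
object-group network INTERNAL-NETS
  network-object 10.0.0.0 255.0.0.0
  network-object 172.16.0.0 255.240.0.0
  network-object 192.168.0.0 255.255.0.0
access-list GUEST-IN extended deny ip any object-group INTERNAL-NETS
access-list GUEST-IN extended permit ip any any
access-group GUEST-IN in interface guest
!
! PAT guest clients behind the outside address on the way out.
object network GUEST-NET
  subnet 192.168.20.0 255.255.255.0
  nat (guest,outside) dynamic interface

! ---- WLC (AireOS CLI) ----
! The guest dynamic interface lives in VLAN 20 and its gateway is the ASA
! subinterface, not an N7K SVI. WLAN ID 2 is the assumed guest SSID.
config interface create guest 20
config interface address dynamic-interface guest 192.168.20.5 255.255.255.0 192.168.20.1
config interface port guest 1
config wlan interface 2 guest
```

With this in place, tracert 8.8.8.8 from a guest client reports 192.168.20.1 (the ASA subinterface) as the first hop: the client's default gateway is whatever the VLAN's DHCP server hands out for that subnet, which should be the same 192.168.20.1, and there is no VLAN 20 SVI on the N7K to answer instead. Corporate wireless keeps its SVI on the N7K, so its first hop stays there and only perimeter-bound traffic reaches the ASA. Guest DHCP is left out on purpose: point the dynamic interface's DHCP server at whatever serves 192.168.20.0/24, and hand out 192.168.20.1 as the router. If you go with multiple-context mode as suggested above, GigabitEthernet0/1.20 would be allocated to a dedicated guest context instead of sharing the corporate one.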
