Guest network setup using ASA 5520

Unanswered Question
Jun 18th, 2008

Looking into setting up a guest network. We would like to give a certain amount of our internet bandwidth to the guest network and setup DHCP on the ASA for the quest network. The guest network needs to be totally segmented from our corporate network.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Thu, 06/19/2008 - 04:00

"We would like to give a certain amount of our internet bandwidth to the guest network"

I don't think the ASA supports this inherently. There are third party plug-ins for this tough.



mbroberson1 Thu, 06/19/2008 - 04:59

So the configuration would be like to plug in from a switch port to the ASA port and set up DHCP for the ASA interface on the ASA and use QOS to port throttle the interface?

mbroberson1 Thu, 06/19/2008 - 05:24

So the configuration I described looks accurate? Come out of the switch port that is assigned to the guest network vlan into the interface/port on the ASA that will be for the guest network. The ASA interface/port ip address will be the default-gateway for the clients correct?

mbroberson1 Fri, 06/20/2008 - 07:17

Would we need to configure a vlan on the ASA also to coin side with the vlan on the LAN?

Farrukh Haroon Fri, 06/20/2008 - 23:57

You don't need to configure any vlans/sub-interfaces unless you require more zones than the interfaces built-in to your box (5).

You just choose any unused interface and set it up like this:

interface gig 0/2

no shut

nameif GUESTS

security-l 50

ip address



mbroberson1 Sun, 06/22/2008 - 17:25

For the host to set the interface address as their default-gateway would I need to use "dhcpd option 3 ip interface GUESTS" assuming is the ip address for interface g0/2? And for the host to route out my outside interface (to get to the internet) would I need to set a route?

Farrukh Haroon Sun, 06/22/2008 - 18:23

I would assume that is required (setting the default gateway) for a properly designed network.

For the internet you just need a default route on the box:

route outside 0 0



mbroberson1 Mon, 06/23/2008 - 04:33

From what I have looked through the DNS and WINS for this type of setup are global so the guest network users would be using the same DNS and WINS server as the clients on the corporate network. Are you familiar with this?

Farrukh Haroon Mon, 06/23/2008 - 06:23

You can even skip DNS for the guest users. All they do is access the proxy server and the proxy server will resolve DNS for them.



mbroberson1 Mon, 06/23/2008 - 07:12

So they will proxy off my corporate internal proxy server? Wouldn't you have to touch the vendor PC's to add the proxy info?

Farrukh Haroon Mon, 06/23/2008 - 08:22

Can't you ask users to put the proxy?

Anyway this was just a suggestion. You can also give them DNS access.



mbroberson1 Mon, 06/23/2008 - 08:46

What if I didn't want users on the guest network touching any servers on my nerwork. Could I point them to an external public DNS server? Do you suppose this would work?

Would this point the users on the guest network to the following DNS servers?

dhcpd dns interface vendor

Farrukh Haroon Mon, 06/23/2008 - 22:41

Yes the public ISP dns is definitely an option. There should be no issues at all.



mbroberson1 Tue, 06/24/2008 - 04:10

As far as nating goes I will need to set that up right? The guest users network will probably nat off the same interface that my corporate network is (the outside) interface. Right?


This Discussion