WLC sitting in a DMZ zone on an ASA

Jun 23rd, 2009

I am trying to figure out a way to do a Guest Network without using an ACL tied to the SSID (customer's request). It's a layer 3 network, and they suggested creating a DMZ zone off their ASA and connecting the WLC there; that way it's outside their network and can go straight to the internet.

I have never done this before, so does anyone know if this would work? Any config guides or explanations would be great.

ericgarnel Tue, 06/23/2009 - 08:59

The WLAN/VLAN combo for the guests can reside in the DMZ and use the ASA DMZ interface as the gateway.

The WLC port will connect to a switch via a trunk, and only the necessary VLANs can be allowed over the trunk.

mjohnson1914 Tue, 06/23/2009 - 09:03

So the WLC itself doesn't have to reside outside the core switch; it can still be connected to the core switch via a trunk configured to allow only the WLAN VLANs, and just have the guest interface configured to use the ASA DMZ interface as the default gateway. Is this correct?

Darren Ramsey Tue, 06/23/2009 - 09:58

We run port 1 of the guest anchor on the trusted network, and port 2 is connected to a "DMZ" type zone. Foreign anchor traffic terminates on port 1, and guest internet traffic flows out port 2. Not sure if this is officially supported by Cisco, but it works.

weterry Tue, 06/23/2009 - 18:59

Often, when you hear about a controller in the DMZ, it is part of a pair of internal/external controllers. The internal controller sits within your network, and a guest WLAN tunnels to the external (DMZ) controller (which doesn't actually have any APs on it).

If you have only one controller, then doing either the trunked VLAN or port 2 straight to the DMZ will work.

I often see the guests in VLAN 10 (for example), and instead of VLAN 10 having a routed interface on the network, it is layer 2 only, with a port in access VLAN 10 that connects to the DMZ interface of the firewall.

mjohnson1914 Fri, 06/26/2009 - 07:10

I only have one controller and am installing 30-40 APs, so if I use one port to connect to the DMZ, wouldn't I lose 25 APs?

Darren Ramsey Fri, 06/26/2009 - 10:23

Seems like the old rule was 48 APs per port. Alternatively, you could LAG both ports and dot1q your guest traffic.
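The following is an added example configuration, not posted by anyone in the thread, pulling together the layout weterry describes (guest VLAN kept layer 2 only on the switch, with an access port into the ASA DMZ interface) and the LAG-plus-802.1Q variant Darren suggests so that both WLC ports keep carrying APs. VLAN numbers (10 guest, 20 WLC management), the 172.16.10.0/24 guest subnet, interface names, port numbers, the WLAN ID and the ASA security level are all assumptions; the WLC CLI syntax is the form used on the 4.x-6.x controller releases current at the time, and lines beginning with `!` in the WLC section are annotations, since the WLC CLI has no comment syntax of its own.

```cisco
! ===== Core/distribution switch (IOS) =====
! Guest VLAN 10 exists only at layer 2: deliberately no "interface Vlan10" SVI,
! so the switch never routes guest traffic into the internal network.
vlan 10
 name GUEST-WLAN-L2-ONLY
vlan 20
 name WLC-MANAGEMENT
!
! Both WLC ports in one LAG. The WLC does not run LACP/PAgP, so the switch side
! is a static EtherChannel ("mode on"). Only the VLANs the controller needs
! are allowed; the guest VLAN rides the same trunk as an 802.1Q tag.
interface range GigabitEthernet1/0/1 - 2
 description WLC ports 1-2 (LAG)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode on
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
! Access port into the ASA dmz interface: the only way out of VLAN 10.
interface GigabitEthernet1/0/24
 description ASA dmz interface
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
! ===== ASA =====
! The dmz interface is the guests' default gateway and (here) their DHCP server.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
dhcpd address 172.16.10.50-172.16.10.250 dmz
dhcpd dns 8.8.8.8 interface dmz
dhcpd enable dmz
!
! Firewall policy on the DMZ, not an ACL on the SSID: guests reach the
! Internet, but anything addressed to RFC 1918 (inside) space is dropped first.
object-group network INSIDE-NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list DMZ_IN extended deny ip any object-group INSIDE-NETS
access-list DMZ_IN extended permit ip 172.16.10.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
! (dmz-to-outside NAT is omitted; add the form your ASA release requires.)
!
! ===== WLC CLI =====
! Enable LAG (needs a controller reboot), create the guest dynamic interface
! on VLAN 10 with the ASA as its gateway and DHCP server, bind it to the WLAN.
config lag enable
config interface create guest 10
config interface address guest 172.16.10.2 255.255.255.0 172.16.10.1
config interface dhcp dynamic-interface guest primary 172.16.10.1
config wlan interface 2 guest
```

If the single-controller "port 2 straight to the DMZ" variant is preferred instead of LAG, leave LAG disabled, put the ASA-facing switch port and WLC port 2 in access VLAN 10, and pin the dynamic interface to that port with `config interface port guest 2`; the AP-per-port limit Darren mentions then applies to port 1 alone. Either way, verify on the switch with `show interfaces trunk` that VLAN 10 appears only on the WLC trunk and the ASA access port, and with `show ip interface brief` that no `Vlan10` SVI exists.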
