Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2550
Views
0
Helpful
7
Replies

Is it OK to put guest wireless through dmz port on my corporate firewall

carl_townshend
Spotlight
Spotlight

‎06-29-2010 01:26 AM - edited ‎03-11-2019 11:05 AM

Hi all

I am implementing a guest wireless solution at my office, I have a cisco ASA, is it ok to plug my wireless lan controller into the DMZ in my company firewall?

cheers

Carl

Labels:
0 Helpful
7 Replies 7

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-29-2010 04:19 AM

I don't see why you can't connect the wireless controller to the firewall DMZ. However, just make sure that you only configure specific ACL to allow those guest network to access specific things that you would like them to access. I guess if you just want to provide internet access for them, I would configure ACL to deny access from the wireless subnet to anything towards your internal networks, and then allow the internet access.

0 Helpful

carl_townshend
Spotlight
Spotlight
In response to Jennifer Halim

‎06-29-2010 07:31 AM

Thanks for that

Where is it best to apply this access list? would I apply it outbound on the outside interface, allowing all traffic sourced from the dmz addresses? or do I apply it inbound into the dmz interface, add a deny statement first to any internal addresses, then allow dmz source to anywhere?

please help

cheers

Carl

0 Helpful

Diego Armando Cambronero Arias
Level 3
Level 3
In response to carl_townshend

‎06-29-2010 08:14 AM

Apply it in the DMZ inbound..

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to carl_townshend

‎06-29-2010 03:00 PM

I would recommend applying it inbound to the DMZ, as you have said earlier, denying all DMZ access to the internal networks, then allowing access to anything on the Internet. It would also be good if you can have the second lowest security level applied to this wireless DMZ connection. Assuming that your outside interface has security level of 0, then you would want to apply just a slightly better security level for DMZ (with DMZ security level being the lowest compared to all other internal network interfaces).

0 Helpful

carl_townshend
Spotlight
Spotlight
In response to Jennifer Halim

‎06-29-2010 04:02 PM

hi there

So is it OK to have my security level, 100 for inside, dmz 50, 0 for outside as standard ?

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to carl_townshend

‎06-29-2010 05:18 PM

Sure,

Normally the outside has a security level of 0, the inside of 100 and if having a single DMZ a security level of 50.

If having more DMZs, you can assign between (1-99)

Federico.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to carl_townshend

‎06-29-2010 06:05 PM

yes, 50 sounds good to me.

As Federico said, if it's just a single DMZ, then you can use any number between 1-99.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card