ASA 5505 Interface Security Level Question

J W
Level 1

I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.

I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seems to be working with that. Guests are getting addresses on the correct subnet, etc.

The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0).

Can someone show me what I did wrong?

Thank you for any help!

-------------------------------------------------------------

To create the VLAN, I did the following:

int vlan5
 nameif Guest-VLAN
 security-level 10
 ip address 192.168.22.1 255.255.255.0
 no shutdown
int Ethernet0/1
 switchport trunk allowed vlan 1 5
 switchport trunk native vlan 1
 switchport mode trunk
 no shutdown

Below is the whole config.

Result of the command: "sho run"

: Saved
:
ASA Version 9.1(3)
!
hostname ciscoasa
enable password zGs7.eQ/0VxLuSIs encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport trunk allowed vlan 1,5
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <External IP/Mask>
!
interface Vlan5
 nameif Guest-VLAN
 security-level 10
 ip address 192.168.22.1 255.255.255.0
!
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Inside_Server1_80
 host <Inside_server1_IP>
object network Inside_Server1_25
 host <Inside_server1_IP>
object network Inside_Server1_443
 host <Inside_server1_IP>
object network Inside_Server1_RDP
 host <Inside_server1_IP>
object service RDP
 service tcp destination eq 3389
object network Outside_Network1
 host <Outside_Network_IP>
object network Outside_Network2
 host <Outside_Network_IP>
object network Outside_Network2
 host <Outside_Network_IP>
object network TERMINALSRV_RDP
 host <Inside_server2_IP>
object network Inside_Server2_RDP
 host <Inside_Server2_IP>
object-group network Outside_Network
 network-object object Outside_Network1
 network-object object Outside_Network2
object-group network RDP_Allowed
 description Group used for hosts allowed to RDP to Inside_Server1
 network-object object <Outside_Network_3>
 group-object Outside_Network
object-group network SBS_Services
 network-object object Inside_Server1_25
 network-object object Inside_Server1_443
 network-object object Inside_Server1_80
object-group service SBS_Service_Ports
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services
access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP
access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP
access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0
access-list Guest-VLAN_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Inside_Server1_80
 nat (inside,outside) static interface service tcp www www
object network Inside_Server1_25
 nat (inside,outside) static interface service tcp smtp smtp
object network Inside_Server1_443
 nat (inside,outside) static interface service tcp https https
object network Inside_Server1_RDP
 nat (inside,outside) static interface service tcp 3389 3389
object network TERMINALSRV_RDP
 nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389
object network Inside_Server2_RDP
 nat (inside,outside) static interface service tcp 3389 3390
!
nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest-VLAN_access_in in interface Guest-VLAN
route outside 0.0.0.0 0.0.0.0 <Public_GW> 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN
dhcpd lease 43200 interface Guest-VLAN
dhcpd enable Guest-VLAN
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.30 prefer
username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect icmp
  inspect icmp error
  inspect pptp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f5d70668ebeb94f49f312612f76c943
: end

Accepted Solution

Marvin Rhoads
Hall of Fame

The "access-list inside_access_in extended permit ip any any" was permitting all traffic to the inside and overriding the implicit "deny ip any any" (from lower security networks). That should be removed and then you won't need the explicit ACL on the Guest VLAN.

5 Replies

Ah. That makes sense. I am not sure why I put that in, I think force of habit from very old ASA and PIX devices. Thanks!

You're welcome.

Giving Jouni full marks too as he was obviously typing the same solution in longer form while I posted.

Hi Marvin,

Yeah a couple of minutes later only

Appreciate the rating. Thank you for that.

- Jouni

Jouni Forss
VIP Alumni

Hi,

To my understanding they should not be able to connect to the more secure network IF you DON'T have an interface ACL configured.

One very important thing to notice, and which I think is the most likely reason this happened, is the fact that as soon as you attach an interface ACL to an interface, the "security-level" loses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.

What I think happened is that you have a "permit ip any any" ACL on the interface that allowed all the traffic.

Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic, which would allow the traffic to the Internet.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni
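The rule Jouni describes, modelled in a small Python script (added here as an illustration; it is not code from the thread or from Cisco). It uses the three interfaces and security levels from the posted config and the two Guest-VLAN_access_in entries, with a simplified ACL grammar (IP-only ACEs with "any" or "net mask" endpoints) that is an assumption of this example, not the full ASA syntax:

```python
import ipaddress

# Interface security levels taken from the posted "sho run".
INTERFACES = {"inside": 100, "outside": 0, "Guest-VLAN": 10}

# The two ACEs the poster ended up with on the Guest-VLAN interface.
GUEST_ACL = [
    "access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0",
    "access-list Guest-VLAN_access_in extended permit ip any any",
]

def parse_ace(line):
    """Parse '... permit|deny ip <src> <dst>' where each endpoint is 'any'
    or 'address netmask'. Only this IP-only subset is modelled (assumption)."""
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens) if t in ("permit", "deny"))
    action, rest = tokens[idx], tokens[idx + 2:]   # skip the 'ip' keyword
    nets = []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        else:
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}"))
            rest = rest[2:]
    return action, nets[0], nets[1]

def permitted(src_if, dst_if, src_ip, dst_ip, inbound_acl=None):
    """Decide a flow entering src_if and leaving dst_if, following ASA rules:
    - if an inbound ACL is attached to the ingress interface, only the ACL
      decides: first match wins and an unmatched flow hits the implicit deny;
    - with no ACL, traffic may only flow from a higher to a lower security level."""
    if inbound_acl is not None:
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for ace in inbound_acl:
            action, src_net, dst_net = parse_ace(ace)
            if src in src_net and dst in dst_net:
                return action == "permit"
        return False                      # implicit "deny ip any any"
    return INTERFACES[src_if] > INTERFACES[dst_if]

if __name__ == "__main__":
    guest, srv, web = "192.168.22.50", "172.16.0.10", "8.8.8.8"
    print("no ACL,      guest->inside :", permitted("Guest-VLAN", "inside", guest, srv))
    print("permit any,  guest->inside :", permitted("Guest-VLAN", "inside", guest, srv, ["permit ip any any"]))
    print("posted ACL,  guest->inside :", permitted("Guest-VLAN", "inside", guest, srv, GUEST_ACL))
    print("posted ACL,  guest->outside:", permitted("Guest-VLAN", "outside", guest, web, GUEST_ACL))
```

The second line of output is the failure mode from the thread: a bare "permit ip any any" on the guest interface replaces the level-based implicit deny, so the deny for 172.16.0.0/24 has to come first (or the ACL has to go).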
