07-09-2012 11:24 AM - edited 03-11-2019 04:28 PM
Hello,
I have been tasked with setting up a guest wireless network for a remote office. They would prefer that the guest network be on a different VLAN than the trusted network, and they want to use a different outside IP address for the guest network. I am trying to figure out how to configure the ASA so that it supports two different LANs, each with its own outside IP address. Is this possible? Could someone provide a config example that would show how this could be accomplished? The firewall in question is using software rev 8.2(4). Thanks.
07-09-2012 02:48 PM
Hi Paul,
You are on the right path.
If you have one switch only, you can do ALL VLANs in one switch for all your interfaces on the firewall. In my personal experience I recommend always avoiding single points of failure, so a second switch would be ideal to terminate your private and public WIFI VLANs. Call the switch the DMZ switch; if an additional switch is not available you can use the same switch you use for the inside interface. You will also need to dot1q trunk your WIFI device with your switch, so your WIFI AP LAN connection to the switch will house two additional VLANs, one for each WIFI subnet, etc.
Here is a preliminary example - I am sure you will get this example and continue to develop the script.
Let's use port 2 on your ASA as an example.
! Switch side (IOS): one VLAN per WIFI subnet
vlan 8
name DMZ8_172.16.8.0/24_Private_WIFI
vlan 9
name DMZ9_172.16.9.0/24_Guest_WIFI
!
! Trunk to the ASA: carry only the two WIFI VLANs (the keyword is "vlan", not "vlans")
interface FastEthernet0/XX
description Connection to ASA5510_Ethernet2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 8,9
switchport mode trunk
speed 100
duplex full
no cdp enable
!
! Trunk to the access point: private WIFI untagged on native VLAN 8, guest WIFI tagged as VLAN 9
! (portfast on a trunk port needs the "trunk" keyword to take effect)
interface FastEthernet0/1
description WIFI AP Wireless_VLAN8_VLAN9
switchport trunk encapsulation dot1q
switchport trunk native vlan 8
switchport trunk allowed vlan 8,9
switchport mode trunk
spanning-tree portfast trunk
! ASA side: Ethernet0/2 is the physical trunk, with one subinterface per VLAN
interface Ethernet0/2
speed 100
duplex full
no nameif
no security-level
no ip address
no shutdown
!
interface Ethernet0/2.8
description Connection to DMZ8_Private_Wireless_Network
vlan 8
nameif DMZ8
! same level as inside: DMZ8 <-> inside traffic then also needs "same-security-traffic permit inter-interface"
security-level 100
ip address 172.16.8.1 255.255.255.0
no shutdown
!
interface Ethernet0/2.9
description Connection to DMZ9_Guest_Wireless_Network
vlan 9
nameif DMZ9
security-level 5
ip address 172.16.9.1 255.255.255.0
no shutdown
! DHCP pools: each pool must be bound to the nameif whose subnet it belongs to
dhcpd address 172.16.8.50-172.16.8.254 DMZ8
dhcpd address 172.16.9.50-172.16.9.254 DMZ9
! add your DNS server addresses to the dhcpd dns line
dhcpd dns
dhcpd enable DMZ8
dhcpd enable DMZ9
! NAT exemption between private WIFI and the internal networks. On 8.2 the nat 0 ACL is
! matched against the source as seen on the interface named in the nat statement, so the
! DMZ8-sourced entries belong to nat (DMZ8) 0 and the inside-sourced entries to nat (inside) 0.
access-list DMZ8_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ8_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list DMZ8_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 192.168.0.0 255.255.0.0
nat (DMZ8) 0 access-list DMZ8_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.240.0 172.16.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.8.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
access-list DMZ8_access_in extended permit ip any any
access-group DMZ8_access_in in interface DMZ8
For outbound internet traffic, if you have spare public IPs to allocate for each WIFI subnet then that would make things easier; this way you can monitor which WIFI is consuming the most bandwidth.
! dynamic PAT for private WIFI to its own public IP (the spare public address goes after the 2)
global (outside) 2
nat (DMZ8) 2 172.16.8.0 255.255.255.0
Repeat the same principle for DMZ9 Guest WIFI, but DO NOT include it in the NAT exempt rules, because this will be your Guest WIFI, which will ONLY have access to the internet.
If I have time I will check if you need additional help, but cannot promise as I could be busy again.
Regards
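As an added check that is not part of the posted config: a small Python lint over an ASA 8.2 fragment (constructed here in the shape of the example above, with its slips put back in) that flags the mistakes most likely to bite on a hot change: a mistyped mask, a DHCP pool bound to the wrong nameif, and a guest subnet that has crept into the NAT-exempt ACL. The `nat0` naming convention and the guest subnet are assumptions taken from the thread's example.

```python
import ipaddress

# Constructed sample in the shape of the thread's ASA 8.2 example, seeded with
# a bad mask on DMZ9, a guest DHCP pool bound to DMZ8, and the guest subnet
# listed in the NAT-exempt ACL (which would let guests reach the inside LAN).
SAMPLE = """\
interface Ethernet0/2.8
 nameif DMZ8
 ip address 172.16.8.1 255.255.255.0
interface Ethernet0/2.9
 nameif DMZ9
 ip address 172.16.9.1 255.55.255.0
dhcpd address 172.16.8.50-172.16.8.254 DMZ8
dhcpd address 172.16.9.50-172.16.9.254 DMZ8
access-list inside_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.16.9.0 255.255.255.0 10.0.0.0 255.0.0.0
"""

def _operand(t, i):
    """Address operand at t[i]: 'any' or 'ADDR MASK'; returns (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def lint(cfg, guest_net="172.16.9.0/24"):
    """Return a list of findings (strings); an empty list means the checks passed."""
    guest = ipaddress.ip_network(guest_net)
    findings, ifaces, cur = [], {}, None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            cur = t[1]                      # interface context for the ip address line
        elif t[:2] == ["ip", "address"] and cur:
            try:
                ifaces[cur] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
            except ValueError:              # non-contiguous mask such as 255.55.255.0
                findings.append(f"{cur}: bad address/mask '{t[2]} {t[3]}'")
        elif t[:2] == ["dhcpd", "address"]:
            lo, hi = (ipaddress.ip_address(a) for a in t[2].split("-"))
            net = ifaces.get(t[3])
            if net is None or lo not in net or hi not in net:
                findings.append(f"dhcpd pool {t[2]} is not inside the {t[3]} subnet")
        elif t[0] == "access-list" and "nat0" in t[1] and t[3] == "permit":
            src, i = _operand(t, 5)         # skip protocol at t[4]
            dst, _ = _operand(t, i)
            if src.overlaps(guest) or dst.overlaps(guest):
                findings.append(f"NAT-exempt ACE exposes guest subnet: '{line}'")
    return findings
```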
07-10-2012 07:23 AM
Hi paul,
You can use the subinterface on the inside LAN model for this; that would be the better option. Make sure that you have the proper ACLs created and assigned to the subinterface appropriately.
You can use ACL-based PAT like the example below:
access-list LAN permit ip
access-list Guest permit tcp
access-list Guest permit tcp
!
global (outside) 1
global (outside) 2
!
nat (inside) 1 access-list LAN
nat (inside) 2 access-list Guest
!
Apart from these, proper ACLs should also be configured for both subinterfaces and assigned appropriately, with the proper route.
07-09-2012 11:40 AM
I think I understand what needs to be done on the inside interface. I am guessing I would need to create a subinterface for the guest VLAN, set up NAT for this VLAN, trunk the ASA-facing port on the switch and then allow the new VLAN through. What I am not sure about is the outside interface. I am guessing I would also use subinterfaces here as well?
07-09-2012 11:34 PM
Hi,
I suggest you use a different PAT IP for internet access for Guest Users. But why do you want to use a different outside address connecting to the internet?
07-10-2012 06:05 AM
Hi Karthikeyan,
I probably did not word my question correctly. A different PAT IP for Internet access is what I was really looking for. I am struggling with that configuration. I was hoping to set up a DMZ on the ASA for the wireless guest network, but I believe I need to have a free physical port for this. Unfortunately, the ASA 5510 only has five ports, and they are all in use. Inside, Outside, State Failover, LAN Failover and Management.
07-10-2012 07:27 AM
Perfect. I think this answers my question. Thank you very much for your assistance!
07-17-2012 02:01 PM
Hello,
I had a follow-up question regarding this. The firewall in question is the active device in an active/standby pair. When I build the subinterface, will this cause the LAN to drop and as a result cause the firewall to fail over? I am trying to cover all of my bases, and I have no test environment to work with. This will be a hot configuration. Any advice would be appreciated. Thanks.