11788 Views, 0 Helpful, 7 Replies, 2 Accepted Solutions

ASA 5510 & Guest Wireless Network

paulrkern (Level 1)

Hello,

I have been tasked with setting up a guest wireless network for a remote office.  They would prefer that the guest network be on a different VLAN than the trusted network, and they want to use a different outside IP address for the guest network.  I am trying to figure out how to configure the ASA so that it supports two different LANs, each with its own outside IP address.  Is this possible?  Could someone provide a config example that would show how this could be accomplished?  The firewall in question is using software rev 8.2(4).  Thanks.


7 Replies

paulrkern (Level 1)

I think I understand what needs to be done on the inside interface.  I am guessing I would need to create a subinterface for the guest VLAN, set up NAT for this VLAN, trunk the ASA-facing port on the switch and then allow the new VLAN through.  What I am not sure about is the outside interface.  I am guessing I would also use subinterfaces here as well?

Hi Paul,

You are on the right path. 

If you have only one switch, you can do ALL VLANs in one switch for all your interfaces on the firewall. In my personal experience I recommend always avoiding single points of failure, so a second switch would be ideal to terminate your private and public WIFI VLANs. Call the switch the DMZ switch; if an additional switch is not available, you can use the same switch you use for the inside interface. You will also need to dot1q trunk your WIFI device with your switch, so your WIFI AP LAN connection to the switch will house two additional VLANs, one for each WIFI subnet, etc.

Here is a preliminary example - I am sure you will get this example and continue to develop the script.

Let's use port 2 on your ASA as an example.

  • (LAN switch) Create your VLANs on the switch

vlan 8
 name DMZ8_172.16.8.0/24_Private_WIFI
vlan 9
 name DMZ9_172.16.9.0/24_Guest_WIFI

  • (LAN switch) Allocate a port to connect your ASA5510 port 2 and configure dot1q trunking, and also a port for your WIFI AP device. Remember that on your WIFI AP you will also need to create the same VLANs 8 and 9, just as you did on the LAN switch.

interface FastEthernet0/XX
 description Connection to ASA5510_Ethernet2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 8,9
 switchport mode trunk
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/1
 description WIFI AP Wireless_VLAN8_VLAN9
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport trunk allowed vlan 8,9
 switchport mode trunk
 spanning-tree portfast trunk

  • On your firewall, allocate a port to dot1q trunk the connection to your switch

interface Ethernet0/2
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
 no shutdown

  • On your firewall create sub-interfaces for each WIFI subnet

interface Ethernet0/2.8
 description Connection to DMZ8_Private_Wireless_Network
 vlan 8
 nameif DMZ8
 security-level 100
 ip address 172.16.8.1 255.255.255.0
 no shutdown
!
interface Ethernet0/2.9
 description Connection to DMZ9_Guest_Wireless_Network
 vlan 9
 nameif DMZ9
 security-level 5
 ip address 172.16.9.1 255.255.255.0
 no shutdown

  • DHCP for both subnets - can be done by the ASA5510

dhcpd address 172.16.8.50-172.16.8.254 DMZ8
dhcpd dns < Secondary Local DNS IP > interface DMZ8
dhcpd enable DMZ8
dhcpd address 172.16.9.50-172.16.9.254 DMZ9
dhcpd dns < Secondary Public DNS IP > interface DMZ9
dhcpd enable DMZ9

  • On the firewall, create your NAT rules and access list for the private WIFI. Since it is a trusted subnet, I would suggest using a NAT exempt rule and allowing RFC1918 towards your inside LAN so you do not have to keep adding subnets every time your inside network adds a new subnet, but it is up to you to just allow single subnets if you are not using large internal networks.

! Private WIFI towards the RFC1918 ranges (172.16.0.0/12 mask is 255.240.0.0), exempted on DMZ8
access-list DMZ8_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ8_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list DMZ8_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 192.168.0.0 255.255.0.0
nat (DMZ8) 0 access-list DMZ8_nat0_outbound
! Return direction, exempted on inside (nat 0 access-list matches traffic arriving on the named interface)
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.16.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.8.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list DMZ8_access_in extended permit ip any any
access-group DMZ8_access_in in interface DMZ8

For outbound internet traffic, if you have spare public IPs to allocate for each WIFI subnet, that would make things easier; this way you can monitor which WIFI is consuming the most bandwidth.

global (outside) 2 < Spare Public IP for DMZ8 >
nat (DMZ8) 2 172.16.8.0 255.255.255.0

Repeat the same principle for the DMZ9 Guest WIFI, but DO NOT include it in the NAT exempt RULES, because this will be your Guest WIFI, which will ONLY have access to the internet.

If I have time I will check if you need additional help, but I cannot promise, as I could be busy again.

Regards

Jorge Rodriguez

Hi,

I suggest you use a different PAT IP for internet access for Guest Users. But why do you want to use a different outside address for connecting to the internet?

paulrkern (Level 1)

Hi Karthikeyan,

I probably did not word my question correctly.  A different PAT IP for Internet access is what I was really looking for.  I am struggling with that configuration.  I was hoping to set up a DMZ on the ASA for the wireless guest network, but I believe I need to have a free physical port for this.  Unfortunately, the ASA 5510 only has five ports, and they are all in use.  Inside, Outside, State Failover, LAN Failover and Management.

Hi paul,

You can use a sub-interface on the inside LAN model for this; that would be the better option. Make sure that you have the proper ACLs created and assigned to the sub-interface appropriately.

You can use ACL-based PAT like the example below:

access-list LAN extended permit ip any any
access-list Guest extended permit tcp any any eq 80
access-list Guest extended permit tcp any any eq 443
!
global (outside) 1 < Public PAT IP for LAN >
global (outside) 2 < Public PAT IP for Guest >
!
nat (inside) 1 access-list LAN
! "Guest" is the nameif given to the guest sub-interface; policy NAT matches on the interface the traffic arrives on
nat (Guest) 2 access-list Guest
!

Apart from these, proper ACLs should also be configured for both sub-interfaces and assigned appropriately, with the proper route.
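Neither reply gives a way to check a pasted config before it goes onto a live active/standby pair. The script below is an added example, not Cisco code and not from Jorge's or Karthikeyan's replies: it parses only the statement forms used in both answers (sub-interfaces, dhcpd pools, access-lists, nat 0 / policy NAT and global) and flags the slips that appear in this thread: an invalid netmask, a DHCP pool bound to the wrong interface, a NAT-exempt ACL whose source belongs to a different interface, a guest subnet inside a NAT-exempt rule, an ACL entry missing its destination, and a nat id with no usable global. The sample config, the `inside` interface on 10.1.1.0/24, and the rule that a security-level below 50 means guest are all constructed assumptions.

```python
"""Lint an ASA 8.2-style config snippet for the mistakes discussed in this thread.
Added example (not Cisco code, not from either reply); handles only the statement
forms used on this page."""
import ipaddress
import re

GUEST_LEVEL = 50  # assumption: security-level below this means guest/untrusted

IPM = r"\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+"
ACL_RE = re.compile(rf"^access-list (\S+) (?:extended )?permit (\S+) (any|{IPM}) (any|{IPM})(?: |$)")
NAT_RE = re.compile(r"^nat \((\S+?)\s*\) (\d+) (?:access-list (\S+)|(\S+) (\S+))", re.I)
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)(?: (\S+))?")


def net(ip, mask):
    """ip/mask as a network, or None when mask is not a valid netmask (e.g. 255.55.255.0)."""
    try:
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    except ValueError:
        return None


def to_net(spec):
    """ACL address spec: 'any' -> None, 'ip mask' -> network."""
    return None if spec == "any" else net(*spec.split())


def parse(text):
    cfg = {"ifaces": {}, "dhcp": [], "acls": {}, "nat": [], "globals": {}, "bad": []}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[0] == "interface":
            cur = {"level": None, "net": None, "mask": None}
        elif w[0] == "nameif" and cur is not None:
            cfg["ifaces"][w[1]] = cur
        elif w[0] == "security-level" and cur is not None:
            cur["level"] = int(w[1])
        elif w[:2] == ["ip", "address"] and cur is not None:
            cur["mask"], cur["net"] = w[3], net(w[2], w[3])
        elif w[:2] == ["dhcpd", "address"]:
            lo, hi = (ipaddress.ip_address(a) for a in w[2].split("-"))
            cfg["dhcp"].append((w[3], lo, hi))
        elif w[0] == "access-list":
            m = ACL_RE.match(line)
            if m:
                cfg["acls"].setdefault(m.group(1), []).append((line, to_net(m.group(3)), to_net(m.group(4))))
            else:
                cfg["bad"].append(line)  # no parsable source/destination pair
        elif w[0].lower() == "nat" and NAT_RE.match(line):
            iface, nid, acl, _ip, _mask = NAT_RE.match(line).groups()
            cfg["nat"].append((iface, int(nid), acl))
        elif w[0] == "global" and GLOBAL_RE.match(line):
            m = GLOBAL_RE.match(line)
            cfg["globals"][int(m.group(2))] = m.group(3)  # None when the address is missing
    return cfg


def lint(text):
    """Return the list of findings for a config snippet (empty when nothing is flagged)."""
    cfg, out = parse(text), []
    ifaces = cfg["ifaces"]
    guest = {n for n, i in ifaces.items() if i["level"] is not None and i["level"] < GUEST_LEVEL}

    def owner(network):
        """nameif of the interface whose connected subnet contains network, else None."""
        return next((n for n, i in ifaces.items() if i["net"] is not None and network.subnet_of(i["net"])), None)

    for name, i in ifaces.items():
        if i["mask"] and i["net"] is None:
            out.append(f"{name}: {i['mask']} is not a valid netmask")
    for iface, lo, hi in cfg["dhcp"]:
        n = ifaces.get(iface, {}).get("net")
        if n is not None and not (lo in n and hi in n):
            out.append(f"dhcpd pool {lo}-{hi} is not inside {iface} ({n})")
    for iface, nid, acl in cfg["nat"]:
        if nid == 0:  # NAT exemption: ACL sources must sit behind the interface it is applied on
            for line, src, dst in cfg["acls"].get(acl, []):
                if src is not None and owner(src) not in (None, iface):
                    out.append(f"nat ({iface}) 0: source of '{line}' belongs to {owner(src)}, not {iface}")
                hit = next((owner(s) for s in (src, dst) if s is not None and owner(s) in guest), None)
                if hit:
                    out.append(f"guest interface {hit} must not be NAT-exempt: '{line}'")
        elif nid not in cfg["globals"]:
            out.append(f"nat ({iface}) {nid} has no matching global")
        elif cfg["globals"][nid] is None:
            out.append(f"global for nat id {nid} has no address")
    for line in cfg["bad"]:
        out.append(f"access-list entry is missing a source or destination: '{line}'")
    return out


# Constructed sample carrying the slips seen in this thread (not a real config).
SAMPLE = """
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2.8
 nameif DMZ8
 security-level 100
 ip address 172.16.8.1 255.255.255.0
interface Ethernet0/2.9
 nameif DMZ9
 security-level 5
 ip address 172.16.9.1 255.255.255.0
dhcpd address 172.16.9.50-172.16.9.254 DMZ8
access-list inside_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.9.0 255.255.255.0
access-list Guest permit tcp any eq 80
nat (inside) 0 access-list inside_nat0_outbound
global (outside) 2
Nat (DMZ8 ) 2 172.16.8.0 255.255.255.0
nat (DMZ9) 3 172.16.9.0 255.255.255.0
"""
BAD_MASK = "interface Ethernet0/2.9\n nameif DMZ9\n security-level 5\n ip address 172.16.9.1 255.55.255.0\n"

if __name__ == "__main__":
    for finding in lint(SAMPLE) + lint(BAD_MASK):
        print(finding)
```

Run it against a saved copy of the candidate config before the change window; an empty list from `lint()` only means none of these specific mistakes is present, so the access-group and route review the replies ask for still has to be done by hand.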

Perfect.  I think this answers my question.  Thank you very much for your assistance!

Hello,

I had a follow-up question regarding this.  The firewall in question is the active device in an active/standby pair.  When I build the subinterface, will this cause the LAN to drop and as a result cause the firewall to fail over?  I am trying to cover all of my bases, and I have no test environment to work with.  This will be a hot configuration.  Any advice would be appreciated.  Thanks.
