ASA5510 base config for guest wireless network

Steve Coady
Level 1

Hello

I am partitioning off my guest wireless traffic out a new connection.

I have a WISM and a 5508 controller. The WISM will anchor the subnets to the specific controller.

AP - WISM - 5508 - FW - Cable link - Internet

Can anyone assist in implementing a base config so only traffic originating inside can get out, nothing from outside getting in.

The external link will be via cable and I want to configure their static on my outside int,

Where would be the best place to ratelimit the subnet(s)?

sMc
Accepted Solutions
Have you subnetted the network or are they all located on the /21 network? If they are all in the same network (all have the same subnet mask) then no, you do not have to create sub-interfaces.

But then you will also run into the issue that traffic will not go through the ASA when going between the hosts as they will all be seen as being part of the same network and the switches will just forward traffic accordingly.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

If they will all be part of the /21 network then the ASA will never see traffic that goes between the hosts. That means that any restrictions for access would need to be configured on the hosts themselves.

As for AAA, you would only configure this for management of the ASA. So if you will be using the local user database on the ASA for management then the AAA commands I provided in an earlier post would be enough for access to the ASA.

--
Please remember to select a correct answer and rate helpful posts

Sorry my bad, you need to add tcp instead of ip:

access-list LAN extended permit tcp 172.16.16.0 255.255.255.0 any eq 80

--
Please remember to select a correct answer and rate helpful posts

20 Replies

Steve Coady
Level 1

Followup

I want to PAT all internal addresses to the static given by ISP

sMc

Steve Coady
Level 1

Another detail

DHCP pool will be configured on the 5508

sMc

This is a very basic setup that you can do, just change interface number, name and IP, and NAT as needed:

int gig0/1
  description INSIDE interface
  security-level 100
  nameif inside
  ip add 172.16.1.1 255.255.255.0
  no shut

int gig0/2
  description OUTSIDE interface
  security-level 0
  nameif outside
  ip add 191.1.1.1 255.255.255.252
  no shut

object network LAN
  subnet 172.16.1.0 255.255.255.0
  nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 191.1.1.2

Traffic is permitted from a higher security level to a lower security level by default.  A lower security level to higher security level is not permitted.  Once you apply an ACL to the interface the security levels have no meaning any more...until the ACL is removed that is.  So for a basic setup allowing only traffic from inside to outside you do not need any ACLs.

Keep in mind that the nat statement should be configured while you are under the LAN network object.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Marius

Thank you for the response.

I am having trouble getting the NAT statement to work

"Keep in mind that the nat statement should be configured while you are under the LAN network object"

There is no NAT option

     Cisco Adaptive Security Appliance Software Version 8.2(5)

Please advise.

sMc

Ah, you are running 8.2.

Then it would be like this:

global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Marius

"very cool", thank you!

Are there any other considerations that would "tighten this config up"?

sMc

It really depends on what you are trying to do, but this setup is basic and it is secure when considering connections from the internet. No one can initiate a connection from the internet to your internal network. Only your internal network can initiate traffic.

Of course, if you want to make your internal network a little more secure you can add an ACL to the inside interface only permitting your specific subnet to initiate traffic to the internet, or anywhere else for that matter.

Also, there is the case of managing the ASA; this should only be allowed from a specific subnet or IP on your inside interface. If you want to manage the ASA from the internet you would need to connect to a VPN and then manage the ASA from that connection. HTTPS and SSH connections to an interface with a security level of 0 are not permitted.

To do this you would need to add config similar to the following:

access-list LAN extended permit ip 172.16.1.0 255.255.255.0 any
access-group LAN in interface inside

crypto key generate rsa modulus 2048
ssh 172.16.1.10 255.255.255.255 inside

asdm image
http server enable
http 172.16.1.10 255.255.255.255 inside

aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Marius

So

ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 80
ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 443

Then apply this to the inside interface in/out; would that only allow that subnet to originate traffic?

Also, to make sure this subnet has no access to inside services, what would be needed?

sMc

ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 80
ip access-list 10 permit ip 172.16.16.0 255.255.255.0 eq 443

These are router configurations and would not work on the ASA. To do this the ACL config would need to look like this:

access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 80
access-list LAN extended permit ip 172.16.16.0 255.255.255.0 any eq 443
access-group LAN in interface inside

Keep in mind that you can change the ACL name (LAN) to anything you want it to be. You could apply the ACL in the outbound direction, but this is very unusual to do on the ASA and I do not suggest doing it unless you have a specific reason for doing so.

Also, to make sure this subnet has no access to inside services, what would be needed?

Not exactly sure where you are going with this. Is this subnet also located on the inside interface, or on a different interface?

If it is located on a different interface, then all you have to do is either give it a lower security level than that of the inside interface (let's say 90, for example), or add an ACL that denies traffic to the inside network subnet and then under that rule have an entry permitting traffic to any.

Keep in mind that the ACLs are checked top to bottom and there is an implicit deny any rule at the bottom of all ACLs. If this ASA is version 8.3 or higher the implicit deny can be seen in the global ACL in the ASDM.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Marius

Thanks again for your guidance.

"Is this subnet also located on the inside interface?"

     Yes, the inside int is in the same subnet as the NAT pool.

"or add an ACL that denies traffic to the inside network subnet"

     There are many subnets inside; that ACL could be extensive.

sMc

OK, how do you plan on connecting these subnets to the ASA? Will there be a router behind the ASA that routes these subnets to the ASA, or will there be VLANs that connect to the ASA? Will the ASA be routing between these subnets?

Depending on how your subnets are allocated you might be able to summarize some of the subnets.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
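Two points Marius makes above are easy to get wrong in practice: an ASA ACL is read top to bottom with an implicit deny after the last line, so a deny of the inside subnets has to sit above the permit lines, and a long list of inside subnets can often be summarized into a few prefixes. The Python model below is an added illustration, not code from this thread or from any Cisco tool. It goes slightly beyond the thread by matching on protocol and destination port as well as addresses. The guest subnet is the 172.16.16.0/24 discussed above; the inside subnets, the internet addresses and the helper names (AclEntry, evaluate, summarize, build_guest_acl) are constructed for the example.

```python
"""Model of how an ASA interface ACL is evaluated (added illustration, not
code from the thread): entries are checked top to bottom, the first match
wins, and an implicit "deny ip any any" sits after the last entry."""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port


def entry_matches(entry: AclEntry, proto: str, src: ipaddress.IPv4Address,
                  dst: ipaddress.IPv4Address, dport: Optional[int]) -> bool:
    """True when the packet fields fall inside every field of the entry."""
    if entry.proto != "ip" and entry.proto != proto:
        return False
    if src not in entry.src or dst not in entry.dst:
        return False
    return entry.dport is None or entry.dport == dport


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return the action of the first matching entry; deny if none match."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in acl:               # top to bottom, first match wins
        if entry_matches(entry, proto, src_ip, dst_ip, dport):
            return entry.action
    return "deny"                   # implicit deny at the bottom of every ACL


def summarize(subnets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse adjacent subnets into the fewest covering prefixes."""
    return list(ipaddress.collapse_addresses(
        ipaddress.IPv4Network(s) for s in subnets))


def build_guest_acl(guest: str,
                    inside_subnets: Iterable[str]) -> List[AclEntry]:
    """Deny guest -> every (summarized) inside prefix, then permit web only."""
    g = ipaddress.IPv4Network(guest)
    acl = [AclEntry("deny", "ip", g, net) for net in summarize(inside_subnets)]
    acl.append(AclEntry("permit", "tcp", g, ANY, 80))
    acl.append(AclEntry("permit", "tcp", g, ANY, 443))
    return acl


# Constructed sample data: guest subnet from the thread, inside subnets invented.
GUEST_NET = "172.16.16.0/24"
INSIDE_NETS = ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24",
               "10.10.3.0/24", "10.10.4.0/24"]
GUEST_ACL = build_guest_acl(GUEST_NET, INSIDE_NETS)

# Same entries with the permits placed first: the deny lines are never reached.
WRONG_ORDER_ACL = GUEST_ACL[-2:] + GUEST_ACL[:-2]

if __name__ == "__main__":
    print([str(n) for n in summarize(INSIDE_NETS)])
    print(evaluate(GUEST_ACL, "tcp", "172.16.16.50", "10.10.2.5", 80))
    print(evaluate(GUEST_ACL, "tcp", "172.16.16.50", "203.0.113.10", 443))
    print(evaluate(WRONG_ORDER_ACL, "tcp", "172.16.16.50", "10.10.2.5", 80))
```

Running the block shows the five inside /24s collapsing to 10.10.0.0/22 plus 10.10.4.0/24 (two deny lines instead of five), a guest host being denied to 10.10.2.5 but permitted to a web server on the internet, and the same entries in the wrong order letting the guest reach the inside subnet because the permit-any lines match first. Note that this ACL permits only TCP 80 and 443, so anything else the guests need, UDP 53 for DNS for instance, hits the implicit deny until a matching permit line is added.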

Marius

The topology will look like:

AP > WISM > 5508 (Subnet/DHCP server created here) > ASA > ISP link

sMc

So the ASA will be doing the routing. Then you will need to create subinterfaces on the ASA to accommodate the VLANs... there are other options, but that could end up becoming very complicated.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

The Subnet has the following:

172.16.10.20 - 172.16.14.254 (the first 20 are for statics)

172.16.10.0 255.255.248.0

Would I still need to create a sub-int?

sMc