ASA5510 base config for guest wireless network

Steve Coady
Level 1

Hello

I am partitioning off my guest wireless traffic out a new connection.

I have a WISM and a 5508 controller. The WISM will anchor the subnets to the specific controller.

AP - WISM - 5508 - FW - Cable link - Internet

Can anyone assist in implementing a base config so that only traffic originating inside can get out and nothing from outside gets in?

The external link will be via cable and I want to configure their static on my outside interface.

Where would be the best place to ratelimit the subnet(s)?

sMc

20 Replies

Have you subnetted the network or are they all located on the /21 network? If they are all in the same network (all have the same subnet mask) then no, you do not have to create sub-interfaces.

But then you will also run into the issue that traffic will not go through the ASA when going between the hosts as they will all be seen as being part of the same network and the switches will just forward traffic accordingly.

--
Please remember to rate and select a correct answer

Marius

They will all be part of the /21.

As long as none of them have access to any inside services, I am ok with them going between hosts.

sMc

Marius

What aaa commands should I include?

sMc

If they will all be part of the /21 network then the ASA will never see traffic that goes between the hosts. That means that any restrictions for access would need to be configured on the hosts themselves.

As for AAA, you would only configure this for management of the ASA. So if you will be using the local user database on the ASA for management then the AAA commands I provided in an earlier post would be enough for access to the ASA.

--
Please remember to select a correct answer and rate helpful posts

Hello

I have tried to implement the ACL as specified; however, there is no option to add "eq" etc. for a specific port:

access-list GUEST line 1 extended permit ip object-group GUEST_Wireless any ?

configure mode commands/options:
  inactive    Keyword for disabling an ACL element
  log         Keyword for enabling log option on this ACL element
  time-range  Keyword for attaching time-range option to this ACL element

At your earliest convenience, please advise on what I am doing wrong.

sMc

Sorry, my bad; you need to use tcp instead of ip:

access-list LAN extended permit tcp 172.16.16.0 255.255.255.0 any eq 80

--
Please remember to select a correct answer and rate helpful posts
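The pieces of this thread (outbound-only guest access, a port-specific ACL that needs a tcp/udp protocol before `eq` is accepted, a static on the outside interface, AAA for management and a place to rate-limit) can be put together in one base configuration. The following is an added example, not a configuration from the original posts; it assumes ASA 8.3 or later NAT syntax, a guest /21 of 10.10.0.0/21, a placeholder outside address from 203.0.113.0/29 with the cable provider's gateway at 203.0.113.9, and a 5 Mbps limit, all of which are constructed values to replace with real ones. Rate limiting is shown on the ASA with a policing service policy; as noted above, traffic between guest hosts in the same /21 never crosses the ASA, so that traffic can only be limited on the WLC or switches.

```cisco
hostname guest-fw
!
! Outside: the cable provider's static, placeholder values
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
! Inside: the anchored guest /21 from the 5508, placeholder values
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.248.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
!
! PAT all guest hosts behind the outside interface address (8.3+ object NAT)
object network GUEST_NET
 subnet 10.10.0.0 255.255.248.0
 nat (inside,outside) dynamic interface
!
object-group network GUEST_Wireless
 network-object 10.10.0.0 255.255.248.0
!
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Outbound policy for guests: no private address space, then only DNS, HTTP
! and HTTPS. "eq" is only accepted after tcp or udp, not ip.
access-list GUEST extended deny ip object-group GUEST_Wireless object-group RFC1918
access-list GUEST extended permit udp object-group GUEST_Wireless any eq domain
access-list GUEST extended permit tcp object-group GUEST_Wireless any eq www
access-list GUEST extended permit tcp object-group GUEST_Wireless any eq https
access-list GUEST extended deny ip any any log
access-group GUEST in interface inside
!
! Nothing is applied inbound on outside: with no ACL there, the ASA's default
! denies all connections initiated from security-level 0 toward level 100.
!
! Rate limit the guest subnet on the ASA: police in both directions on inside.
! Burst is rate/8 * 1.5 s (5 Mbps -> 937500 bytes).
access-list GUEST_RATE extended permit ip object-group GUEST_Wireless any
class-map GUEST_CLASS
 match access-list GUEST_RATE
policy-map GUEST_POLICY
 class GUEST_CLASS
  police input 5000000 937500
  police output 5000000 937500
service-policy GUEST_POLICY interface inside
!
! Management only: local user database for SSH, placeholder credentials and
! a single placeholder management host, not the guest subnet.
username admin password ChangeMe123 privilege 15
aaa authentication ssh console LOCAL
ssh 10.20.0.5 255.255.255.255 inside
```

Once `access-group GUEST in interface inside` is applied, the ASA's default permit from higher to lower security level no longer applies to the inside interface, so every protocol the guests need must appear in the ACL; `show access-list GUEST` shows hit counts per line and `show service-policy interface inside` shows the policer's conformed and exceeded counters.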