03-05-2014 11:59 AM - edited 03-11-2019 08:54 PM
Hello
I am partitioning off my guest wireless traffic out a new connection.
I have a WISM and a 5508 controller. The WISM will anchor the subnets to the specific controller.
AP - WISM - 5508 - FW - Cable link - Internet
Can anyone assist in implementing a base config so only traffic originating inside can get out, nothing from outside getting in.
The external link will be via cable and I want to configure their static on my outside int,
Where would be the best place to ratelimit the subnet(s)?
sMc
03-05-2014 02:24 PM
Have you subnetted the network or are they all located on the /21 network? If they are all in the same network (all have the same subnet mask) then no, you do not have to create sub-interfaces.
But then you will also run into the issue that traffic will not go through the ASA when going between the hosts as they will all be seen as being part of the same network and the switches will just forward traffic accordingly.
--
Please remember to rate and select a correct answer
03-05-2014 02:27 PM
Marius
They will all be part of the /21
As long as none of them have access to any inside services, I am ok with them going between hosts.
sMc
03-05-2014 02:29 PM
Marius
What aaa commands should I include?
sMc
03-05-2014 11:40 PM
If they will all be part of the /21 network then the ASA will never see traffic that goes between the hosts. That means that any restrictions for access would need to be configured on the hosts themselves.
As for AAA, you would only configure this for management of the ASA. So if you will be using the local user database on the ASA for management then the AAA commands I provided in an earlier post would be enough for access to the ASA.
03-06-2014 08:10 AM
Hello
I have tried to implement the ACL as specified; however, there is no option to add "eq" etc. for a specific port
access-list GUEST line 1 extended permit ip object-group GUEST_Wireless any ?
configure mode commands/options:
inactive Keyword for disabling an ACL element
log Keyword for enabling log option on this ACL element
time-range Keyword for attaching time-range option to this ACL element
At your earliest convenience, please advise on what I am doing wrong.
03-06-2014 08:25 AM
Sorry my bad, you need to add tcp instead of ip:
access-list LAN extended permit tcp 172.16.16.0 255.255.255.0 any eq 80
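Added illustration, not from this thread or from Cisco: a small Python model of the ASA extended ACL grammar as used above. It explains the "?" output in the earlier post, since the `ip` keyword has no port operator so the CLI offers no `eq`, while `tcp`/`udp` accept one. The `build_guest_acl` helper, the /21 mask 255.255.248.0 and the inside range 10.0.0.0/8 are constructed assumptions for the demonstration, not values from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of the ASA extended ACL syntax, limited to what the thread uses.
PORT_PROTOCOLS = {"tcp", "udp"}                 # only these accept an 'eq <port>' operator
KNOWN_PROTOCOLS = PORT_PROTOCOLS | {"ip", "icmp"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Ace:
    acl: str
    action: str
    protocol: str
    src: str
    dst: str
    dst_port: Optional[str] = None

    def render(self) -> str:
        line = f"access-list {self.acl} extended {self.action} {self.protocol} {self.src} {self.dst}"
        return line + (f" eq {self.dst_port}" if self.dst_port else "")


def _endpoint(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address specifier starting at tokens[i]; return (text, next index)."""
    t = tokens[i]
    if t.lower() == "any":
        return "any", i + 1
    if t.lower() in ("host", "object-group", "object"):
        return f"{t.lower()} {tokens[i + 1]}", i + 2
    if IPV4.match(t) and i + 1 < len(tokens) and IPV4.match(tokens[i + 1]):
        return f"{t} {tokens[i + 1]}", i + 2          # network + mask
    raise ValueError(f"unrecognised address specifier at '{t}'")


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [line N] extended permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.strip().split()
    if len(tokens) < 6 or tokens[0].lower() != "access-list":
        raise ValueError("not an access-list statement")
    acl, i = tokens[1], 2
    if tokens[i].lower() == "line":                # 'line N' is positional sugar, skipped here
        i += 2
    if tokens[i].lower() != "extended":
        raise ValueError("only extended ACLs are modelled")
    action, protocol = tokens[i + 1].lower(), tokens[i + 2].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action '{action}'")
    if protocol not in KNOWN_PROTOCOLS:
        raise ValueError(f"unknown protocol '{protocol}'")
    src, i = _endpoint(tokens, i + 3)
    dst, i = _endpoint(tokens, i)
    dst_port = None
    if i < len(tokens) and tokens[i].lower() == "eq":
        if protocol not in PORT_PROTOCOLS:
            # The mistake from the thread: 'ip' carries no port, so 'eq' is not offered.
            raise ValueError(f"'eq' is only valid with tcp/udp, not '{protocol}'")
        if i + 1 >= len(tokens):
            raise ValueError("'eq' requires a port")
        dst_port = tokens[i + 1]
    return Ace(acl, action, protocol, src, dst, dst_port)


def is_valid_ace(line: str) -> bool:
    """True when the line parses under the modelled grammar."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def build_guest_acl(acl: str, guest_net: str, guest_mask: str,
                    inside_nets: List[Tuple[str, str]], tcp_ports: List[int]) -> List[str]:
    """Deny the guest subnet reaching inside networks first, then permit only the listed
    TCP ports outbound; the ASA's implicit deny drops everything else."""
    src = f"{guest_net} {guest_mask}"
    entries = [Ace(acl, "deny", "ip", src, f"{n} {m}") for n, m in inside_nets]
    entries += [Ace(acl, "permit", "tcp", src, "any", str(p)) for p in tcp_ports]
    return [e.render() for e in entries]


if __name__ == "__main__":
    # Constructed sample: the thread's two lines plus the line that the CLI rejected.
    for sample in (
        "access-list GUEST line 1 extended permit ip object-group GUEST_Wireless any",
        "access-list LAN extended permit tcp 172.16.16.0 255.255.255.0 any eq 80",
        "access-list GUEST extended permit ip object-group GUEST_Wireless any eq 80",
    ):
        print(f"{is_valid_ace(sample)!s:5}  {sample}")
    for rendered in build_guest_acl("GUEST", "172.16.16.0", "255.255.248.0",
                                    [("10.0.0.0", "255.0.0.0")], [80, 443]):
        print(rendered)
```

Order matters in the generated list: the denies to inside networks must precede the permits, and the ASA evaluates entries top down with an implicit deny at the end, which is what keeps the guest /21 from reaching inside services while still letting it out on the listed ports.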