I would like to add a Meraki MR16 AP to our DMZ, which is on our ASA 5510. I use a switch connected to the DMZ port of the ASA, and that is where my web server is plugged in. I want to keep the traffic completely separate from our internal LAN. What is the best and most secure way to do this? I will connect the AP to the DMZ switch. Below is the config:
ASA Version 8.2(1)
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip address 172.16.75.254 255.255.255.0
no ip address
ip address 192.168.75.1 255.255.255.0
ip address 192.168.1.1 255.255.255.0
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www
Basically, they won't access the internal LAN with that config. Right now, if you plug in the access point, they will be able to access the internet with no problem (assuming that the access point will NAT the users to one of the addresses on the DMZ).
What should the IP address of the AP be then? Suppose I give the AP an IP address of 192.168.75.80; how should the ACL look? Meraki has the following; would I need to allow these? How should the config look? Thanks
Meraki APs must be allowed outgoing connections to the following ports and IP addresses. Make sure a web filter or firewall is not blocking these OUTBOUND connections. For simplicity, the IP network is provided (e.g. 64.x.x.x/24) where several IPs in that range are used by Meraki. If this is a highly secured network, using the individual IPs will provide more security but could require adjustments as we expand our datacenters and utilize more IPs in these ranges.
UDP 9350 (if using a Meraki VPN product)
With Meraki-hosted RADIUS server authentication:
UDP 1812 or UDP 1645, depending on the UDP port your RADIUS server is listening on.
Yes, but this configuration already provides it by using the permit ip any any at the end of the statement. Bottom line: the current configuration is not going to block anything outbound besides traffic to the internal network.
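A worked version of the DMZ policy the thread converges on, added here as an example; it is not from the original posts, nor from Cisco or Meraki documentation. It assumes ASA 8.2 syntax, that 192.168.75.1/24 is the interface named dmz, that 172.16.75.0/24 and 192.168.1.0/24 sit behind the interface named inside (the posted config lost its interface headers, so those names and roles are assumptions), and that the AP is at 192.168.75.80 as the poster proposed. The Meraki cloud destination is a documentation-range placeholder; the real address ranges and the remaining dashboard ports come from Meraki's current requirements list, of which the thread quotes only UDP 9350 and the RADIUS ports.

```cisco
! Added example, not from the thread. Assumed layout:
!   nameif dmz    = 192.168.75.1/24  (AP at 192.168.75.80, web server also here)
!   nameif inside = 172.16.75.0/24 and 192.168.1.0/24
!
! Networks the DMZ must never reach (assumed from the posted addresses).
object-group network INSIDE_NETS
 network-object 172.16.75.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
!
! Meraki cloud destinations. 203.0.113.0/24 is a documentation-range
! placeholder; replace it with the ranges Meraki publishes.
object-group network MERAKI_CLOUD
 network-object 203.0.113.0 255.255.255.0
!
! Only the ports quoted in this thread; add the rest from Meraki's list.
object-group service MERAKI_UDP udp
 port-object eq 9350
 port-object eq 1812
 port-object eq 1645
!
! ACL applied inbound on dmz. Order matters: the deny toward the inside
! networks must come before the permit that lets the AP (and the clients
! it NATs behind 192.168.75.80) reach the internet.
access-list dmz_access_in remark Block the DMZ from every internal network and log attempts
access-list dmz_access_in extended deny ip 192.168.75.0 255.255.255.0 object-group INSIDE_NETS log
access-list dmz_access_in remark AP management traffic to the Meraki cloud
access-list dmz_access_in extended permit udp host 192.168.75.80 object-group MERAKI_CLOUD object-group MERAKI_UDP
access-list dmz_access_in remark Everything else from the DMZ (web server, AP clients) may go out
access-list dmz_access_in extended permit ip 192.168.75.0 255.255.255.0 any
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
!
! 8.2-style NAT so the private DMZ range can leave through the outside
! address (assumption: no existing global/nat pair for dmz in the
! truncated config).
global (outside) 1 interface
nat (dmz) 1 192.168.75.0 255.255.255.0
!
! Verification from exec mode. The first trace should end in DROP at the
! ACCESS-LIST phase, the second in ALLOW.
packet-tracer input dmz udp 192.168.75.80 40000 172.16.75.10 1812
packet-tracer input dmz udp 192.168.75.80 40000 203.0.113.10 9350
```

The dmz-inbound ACL is the right enforcement point because the ASA evaluates it before the packet is routed toward inside, so nothing on the inside interface needs to change. The explicit Meraki line is redundant while the broad permit remains, but it documents exactly what the AP needs and keeps working if the permit ip line is later narrowed to, for example, tcp/80 and tcp/443 for the AP's clients. Run the two packet-tracer checks again after any edit, since a single mis-ordered permit above the deny would silently reopen the path to the LAN.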