Cisco Support Community
Community Member

Is it OK to put guest wireless through dmz port on my corporate firewall

Hi all

I am implementing a guest wireless solution at my office and I have a Cisco ASA. Is it OK to plug my wireless LAN controller into the DMZ on my company firewall?

cheers

Carl

7 REPLIES
Cisco Employee

Re: Is it OK to put guest wireless through dmz port on my corpor

I don't see why you can't connect the wireless controller to the firewall DMZ. However, just make sure that you only configure a specific ACL to allow the guest network to access the specific things that you would like them to access. I guess if you just want to provide Internet access for them, I would configure an ACL to deny access from the wireless subnet to anything towards your internal networks, and then allow the Internet access.

Community Member

Re: Is it OK to put guest wireless through dmz port on my corpor

Thanks for that

Where is it best to apply this access list? Would I apply it outbound on the outside interface, allowing all traffic sourced from the DMZ addresses? Or do I apply it inbound on the DMZ interface, add a deny statement first to any internal addresses, then allow DMZ source to anywhere?

Please help

cheers

Carl

Re: Is it OK to put guest wireless through dmz port on my corpor

Apply it in the DMZ inbound.

Cisco Employee

Re: Is it OK to put guest wireless through dmz port on my corpor

I would recommend applying it inbound to the DMZ, as you have said earlier, denying all DMZ access to the internal networks, then allowing access to anything on the Internet. It would also be good if you can have the second lowest security level applied to this wireless DMZ connection. Assuming that your outside interface has a security level of 0, then you would want to apply just a slightly better security level for the DMZ (with the DMZ security level being the lowest compared to all other internal network interfaces).

Community Member

Re: Is it OK to put guest wireless through dmz port on my corpor

Hi there

So is it OK to have my security levels as 100 for inside, 50 for DMZ and 0 for outside, as standard?

Re: Is it OK to put guest wireless through dmz port on my corpor

Sure,

Normally the outside has a security level of 0, the inside 100 and, if having a single DMZ, a security level of 50.

If having more DMZs, you can assign between (1-99).

Federico.

Cisco Employee

Re: Is it OK to put guest wireless through dmz port on my corpor

Yes, 50 sounds good to me.

As Federico said, if it's just a single DMZ, then you can use any number between 1-99.
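
The following is an added example, not part of the original thread or any poster's configuration: a small Python check that parses an ASA-style ACL and evaluates it first-match, to confirm the guest subnet is denied to internal networks before the permit to anywhere, and that the ACL is bound inbound on the DMZ interface. The interface name, ACL name `GUEST_IN`, guest subnet 192.168.50.0/24 and internal range 10.0.0.0/8 are assumptions made for illustration.

```python
import ipaddress

# Constructed ASA-style config; names and addresses are assumptions, not from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
access-list GUEST_IN extended deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list GUEST_IN extended permit ip 192.168.50.0 255.255.255.0 any
access-group GUEST_IN in interface dmz
"""

def parse_net(tokens):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK' from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acl(config, name):
    """Return ordered (action, src_net, dst_net) entries of one extended 'ip' ACL."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) > 5 and t[:3] == ["access-list", name, "extended"] and t[4] == "ip":
            rest = t[5:]
            src = parse_net(rest)
            dst = parse_net(rest)
            rules.append((t[3], src, dst))
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def acl_bound_inbound(config, name, nameif):
    """True if the ACL is applied inbound on the named interface."""
    return f"access-group {name} in interface {nameif}" in config.splitlines()
```

Evaluating the same entries in reversed order returns `permit` for a guest-to-internal packet, which is why the deny has to come first.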
