Cisco Support Community

New Member

ACL list confusion

Hi everyone,

I am not sure if this is a beginner question or not.  I have never quite mastered the ACL list concept and I have what I believe is a serious need for one.

I have recently added a 1252 ap to my network, it is connected to a 2950 which is connected to a 2975 stack which is connected to a 3750 stack (Router) which is connected to an ASA5510.

Currently I have no guest access for the ap, but want to setup a guest access.  What I need to ensure is that the traffic is never allowed on any of my internal subnets or vlans.  What I was thinking is I would create a sub interface on the asa and setup a vlan (Vlan 900) and then setup the vlan on the 3750 with an ip range of 10.131.90.0 /24.  I thought I would just let the asa hand out ips on this subnet (Its not handing out ip addresses for anything else at this point..)

So what I want to do is setup a public ssid on the ap, attach it to the vlan 900 and make sure it gets passed to the 3750 directly with no possibility for any traffic in that vlan to get out onto any of my other subnets, which are 10.131.10.0/24, 10.131.11.0/24, 10.131.250.0/24 and 10.131.251.0/24

Now it might be simpler to use a different range for the guest access, perhaps to make it easier to use an ACL list.  Maybe like a 192.168.90.0/24.

However, I am unclear as to both how this might look and where it would be.  It seems like it can only be placed on a router such as my 3750, or perhaps my asa.  So the questions are:

1) Do I only put the acl rules for this on my core router (3750) or does it need to be elsewhere as well?

2) What are some suggestions for an acl to accomplish allowing this guest traffic from the ap all the way to the asa through my network, and blocking that specific subnet from getting any access to my other vlans or subnets?

If this is not a Getting started question, please let me know that too with perhaps a suggestion of where I might post it.

I appreciate any help that can be offered.

Sincerely,

Kevin Pulford

Systems Administrator

Harmon City, Inc.

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: ACL list confusion

Hi Kevin,

You'd gain a couple of advantages of putting the guest access right on your ASA.

Just create the VLAN on the switches but do not create a L3 interface for it. Connect the ASA to that vlan and let the ASA be the only GW for that VLAN. On the ASA interface, assign a security level of anything higher than 0 but lower than 100.

A nice rule on the ASAs is that traffic can move from high to low security interfaces without any specific rules. I.E. "Inside" interface is usually security level 100, "Outside" is level 0. Traffic can move from Inside (100) to outside (0) without any specific rules. If you want guest users to access your DMZ for maybe a website or something you can set the security level on the guest wireless to something above that of the DMZ but lower than any other interfaces.

Doing it like this means you don't need any additional ACLs. There are lots of fancy things you can do on the ASA if you want, but this will get you started. There wouldn't be any way for the traffic to get off the VLAN 900 unless the firewall routes it.


If you've already created a trunk to your AP, just make sure VLAN 900 is added to that trunk and the WAP knows how to access it.

This is how I've configured guest access on APs in the past. It's been a couple years so I'm sure the IOS versions have changed but the idea is the same:

! Internal SSID: EAP-authenticated, mapped to VLAN 1 (native)
dot11 ssid InternalAccess
   vlan 1
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
! Guest SSID: open authentication, mapped to VLAN 900 (no encryption configured for this VLAN)
dot11 ssid GuestAccess
   vlan 900
   authentication open
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode wep mandatory
 !
 encryption vlan 1 mode wep mandatory
 !
 ssid InternalAccess
 !
 ssid GuestAccess
!
! Radio subinterface for VLAN 1, bridged to FastEthernet0.1 via bridge-group 1
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
! Radio subinterface for VLAN 900, bridged to FastEthernet0.2 via bridge-group 2
interface Dot11Radio0.2
 encapsulation dot1Q 900
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
! Wired uplink: an 802.1Q trunk carrying VLAN 1 (native) and VLAN 900 (tagged)
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 900
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled

Hope to help

9 REPLIES

New Member

Re: ACL list confusion

Thank you for your response.

Just to be sure I understand what you're saying.

Since I currently only have one wire from my inside connecting my core to my asa, I would need to set up a subinterface on that physical connection for the vlan.  Is that right?

I do already have the ap trunked to the 2950, so that is no problem and I am already passing multiple vlans from the ap to the network.

So if I create the sub interface on the asa and assign the vlan 900 to that interface with a security level of 10 (Example) then it would still pass to the internet through the asa but not be allowed to pass back through my level 100 inside networks at all.  This makes perfect sense. Been a while since I set up the asa but I do recall these security levels on the interfaces.

If I create the sub interface on the currently used physical interface and the physical interface already has the security level of 100, that won't interfere with the lowered security level on the sub interface?

This is much easier than I expected if I have understood your response correctly. I just love simple solutions.

Also I want to make sure we aren't talking about a private vlan for the vlan 900 right?  Just a standard vlan.

I want to thank you for taking the time to respond, and also for your suggestions. I will see if I can make that work shortly.

Sincerely,

Kevin Pulford

New Member

Re: ACL list confusion

I have basically set up the config discussed, but I think I am missing a route or perhaps an ip helper statement.

So I have ssid 900 connected to vlan 900 on my wap with open authentication.

I have vlan 900 setup on my entire path with no L3 setups.  So just the conf t vlan 900 settings.  No int vlan 900 settings

I have the sub interface created on my ASA and Vlan 900 assigned to it. It is also assigned an ip address of 192.168.90.254 /24

I have setup a DHCP scope on the ASA for the sub interface g 0.900  which is also assigned vlan 900

I am not sure how to tell the core router how to find the dhcp server on the asa for the vlan 900?  Since no ip addresses are basically assigned until we get to the asa.  Should I assign an ip address on the sub interface of the ap to make this work, or is there some route statement some place I am missing?

I am a little concerned about setting a route statement on the core 3750 because I really only want it to pass all of this traffic directly up to the asa.

Again thanks for any and all help on this.

Sincerely,

Kevin Pulford

Bronze

Re: ACL list confusion

The core router doesn't need to know about the DHCP server. DHCP is broadcast, so if VLAN 900 is on all the right trunks, the ASA should see the DHCP request come in. You don't need to configure anything else on the 3750 or 2960.

New Member

Re: ACL list confusion

Thank you for your response.

I am having some trouble trying to determine where I am broken in this vlan 900.

I have setup a sub interface with a security of 10 on my asa. it is g 0/1.900 with a vlan 900 assigned.

I have set an ip address of 192.168.190.254 /24 on the sub interface.

I have setup a dhcp scope on the asa for the sub interface to hand out ip addresses from 192.168.190.10 - 250 /24.

On my core I have just run the command vlan 900 and assigned a name to it.

I have done the same on the 2 other switches in between the core and my ap.

To be clear I have not setup any int vlan 900 settings on any of the switches between the ap and the asa.

On the ap I have ssid guest assigned to vlan 900 and it is in the proper bridge group between the radios and the sub interface I think.  It looks like the vlan 300 / ssid 300 combo with a slightly different bridge group and that one works.

So when my laptop connects to the ssid guest it should be assigned to vlan 900 at the ap, then request an ip in a broadcast.  If I remember my dhcp correctly.

But the asa shows no requests for ip on the dhcp scope so it appears the broadcast isn't getting to the asa.

Should I be creating the vlans on the switches as int vlan 900 and just not assign an ip address?

I believe all of my trunks are allowing all vlans up to 4096.  But not sure how to tell if this is the case.

When I run a show vlan on each switch 900 show as active.

Any further help will be appreciated.

Sincerely,

Kevin Pulford

Bronze

Re: ACL list confusion

If you manually assign an IP, are you able to get to the web? Just take DHCP out of the equation for now and let's try to verify the path.

New Member

Re: ACL list confusion

Thank you for your response.

I have tried that and it doesn't work either.  In fact I can't ping the asa from a client assigned to the guest ssid on the ap.

Maybe I will set ips on the vlan int of the 2950 and try to ping to that first to see if I get past the first trunk.

I really appreciate your time and help with this issue.

Sincerely,

Kevin Pulford

New Member

Re: ACL list confusion

Dear Kevin,

Can you update us what Configuration you applied over the Access Point for VLAN 900 other than the Normal Procedures to add New Vlan:

1 - Add VLAN 900 to the already assigned VLANS

2 - Assign SSID for this VLAN

3 - Configure this SSID as Broadcasted SSID.

Awaiting your feedback.

Regards

New Member

Re: ACL list confusion

Sorry about the delay in update.

So the setup I have is a combination of things mentioned in this thread.

1) I did create a Vlan 900 and matched an SSID on my 1252 to it called Guest.

2) I created a sub interface / Vlan 900 on my asa inside interface with a security-level of 10.

Now all of this was created basically after the first or second reply.  The problem is that I was not getting connected to the asa to get a DHCP ip address to the SSID on the AP. I went back and verified that vlan 900 was created on all of the switches in between the asa and the ap.  I didn't assign any interfaces on any of the switches, because I wanted to avoid needing any ACL.

What ended up being the solution to the last issue which was getting traffic all the way to the asa was to create a trunk between my core switch / router and the asa.  The reply to this thread suggested that solution as the correct solution, but my big problem was the way my consultant setup the comm between the core and the asa.

We used a vlan called 251 for traffic between the asa and the core.  These are the only two ip addresses or pieces of equipment in the vlan 251.  So instead of creating a trunk on a non-trafficked vlan I made vlan 251 the native vlan.

What this did, which makes perfect sense now, is allow my vlan 900 tagged traffic to pass to the sub interface on the asa properly, and still allow my internal traffic to pass on the native vlan to the asa.  I believe because I made the security-level 10 on the vlan 900 sub interface, it ensures private traffic on my native vlan 251, which prevents any guest access from getting to the vlan 251 traffic and vice versa.

The other item I needed to do is to create a dynamic NAT statement in the asa to NAT my vlan 900 traffic to go out one of my external ip addresses to allow my ISP DNS servers to be used.

1) So once the vlan 900 was created in the network, I applied the SSID to the vlan on the ap as a normal routine.  Nothing special in this at all.

2) Whenever a sub interface is created on the asa it automatically kicks the interface the sub interface is on into trunking mode and shows everything else as "Native". While traffic seemed to work fine on my normal vlan 251 between the core and the asa, the vlan 900 traffic was not reaching the asa at this point.

3) I put the 3750 core switch/router interface into a trunk mode with vlan 251 as the native vlan to the asa.  This was done on the physical interface of the 3750 connected to the asa.  This just looked like: switchport trunk encapsulation dot1q, switchport mode trunk and switchport trunk native vlan 251.

4) Added a dynamic NAT statement to the asa for the sub interface. With nat (Guest_Access) 1 192.168.190.0 255.255.255.0 where "1" is my outside IP address already configured in the asa.

As a final item, I am using DHCP on the asa to hand out ip addresses to the vlan 900 and this is just set up normally.

As set up all tests work perfectly and I cannot access traffic from my inside vlans to the vlan 900 and vice versa, which is exactly what I wanted.

I think in the future I would prefer to have my native vlan be a non ip'd /assigned vlan, but this will require a small amount of downtime so who knows when this will actually happen.

Many thanks to all here who have helped me to get this working.

Sincerely,

Kevin Pulford
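The design from the accepted answer (guest VLAN terminated only on an ASA subinterface with an intermediate security level) and the fix from the final post (dot1q trunk from the 3750 to the ASA with VLAN 251 native, plus a dynamic NAT rule) pulled together into one configuration. This is an added example written for this thread, not Kevin's or the ASA's actual running config. Assumptions: the ASA physical port is GigabitEthernet0/1 and its outside interface is named "outside"; the 3750 port facing the ASA is GigabitEthernet1/0/24; the DNS address 192.0.2.53 is a placeholder for the ISP resolver; the syntax is the pre-8.3 ASA NAT form the thread itself uses. The explicit inbound ACL on the guest interface goes beyond what the thread needed: the security-level rule alone already blocks guest-to-inside, but naming the internal ranges from the original question makes the intent auditable and keeps guest isolation intact even if someone later raises the guest security level or enables same-security traffic.

```cisco
! ===== ASA 5510 (pre-8.3 NAT syntax, as used in the thread) =====
! Guest subinterface on the link to the core. Security level 10 sits between
! outside (0) and inside (100): guest -> outside is permitted implicitly,
! guest -> inside is denied implicitly.
interface GigabitEthernet0/1.900
 vlan 900
 nameif Guest_Access
 security-level 10
 ip address 192.168.190.254 255.255.255.0
!
! DHCP served by the ASA itself; the switches carry VLAN 900 at layer 2 only,
! so no SVI, ip helper-address or route is needed on the 3750.
dhcpd address 192.168.190.10-192.168.190.250 Guest_Access
! 192.0.2.53 is a placeholder for the ISP DNS server
dhcpd dns 192.0.2.53
dhcpd enable Guest_Access
!
! Dynamic PAT of guest clients behind the outside interface address
! (nat ID 1 on Guest_Access pairs with global ID 1 on outside).
nat (Guest_Access) 1 192.168.190.0 255.255.255.0
global (outside) 1 interface
!
! Defence in depth (assumed addition, not in the thread): explicit inbound ACL on
! the guest interface. Once an ACL is bound, it, not the security level, decides
! what the guest interface may reach, so the internal subnets from the original
! question are denied by name and the remaining (Internet-bound) traffic permitted.
access-list GUEST_IN extended deny ip any 10.131.10.0 255.255.255.0
access-list GUEST_IN extended deny ip any 10.131.11.0 255.255.255.0
access-list GUEST_IN extended deny ip any 10.131.250.0 255.255.255.0
access-list GUEST_IN extended deny ip any 10.131.251.0 255.255.255.0
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface Guest_Access
!
! ===== 3750 core: port facing the ASA becomes an 802.1Q trunk =====
! VLAN 251 (the existing core<->ASA link) stays untagged as native, VLAN 900 is tagged.
! Restricting the allowed list keeps any other internal VLAN off the firewall link.
vlan 900
 name Guest
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 251
 switchport trunk allowed vlan 251,900
 switchport mode trunk
!
! Verification (answers "how do I tell if the trunks allow VLAN 900"):
!   switch#  show interfaces trunk      VLAN 900 must appear as allowed and active on every trunk in the path
!   switch#  show vlan brief            VLAN 900 active, no SVI expected
!   asa#     show dhcpd binding         leases handed out to guest clients
!   asa#     show xlate                 translations for 192.168.190.x once a client browses
```

The same `switchport trunk allowed vlan` check applies to the 2975 and 2950 hops between the AP and the core; the 2950 supports only dot1q, so it takes `switchport mode trunk` without the encapsulation line.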
