Creating a "Guest" Wireless SSID that only has access to the internet and no other internal resources.
Given the following scenario, what would be the best way to restrict the people connecting to this access point so that they can only access the internet and no other internal company resources like our Exchange server, print server, etc.?
I have included a drawing of the setup.
I am going to use the following commands on the AP:
AP# configure terminal
AP(config)# ip dhcp excluded-address 192.168.3.1 192.168.3.219
Yeah... You can set up Guest Wireless with a different IP stack from your LAN segment. Say you have all of 192.168.x.x used for your company LAN... On the WAP-connected switch you can have the ACL limiting the Guest Users' access to the LAN... and further, if you want more restrictions, you can have many more ACLs on the next layers of devices, etc. That is one option.
On the AP-connected switch:
Say your guest VLAN is 172.16.0.0/24 and your corporate LAN is 192.168.0.0/16.
Yes. Correct... Without routing the wireless LAN through metro Ethernet towards the corp site to exit to the internet, you can control at the 1st exit on the access-point-connected switch... Then you can filter in the firewall as well, and you can dedicate a separate NAT IP for the guest wireless... It will be good if you have a spare public IP for that... You have many methods, but this is the simplest of all.