Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

WAP Advice Please


My company are currently looking into providing a wireless network that external users (outside of our domain) can connect to access only the internet.

I have done a little research and i'm guessing that a cisco aironet device could be attached to an ethernet interface on our pix in it's own DMZ allowing only port 80 to achieve this?

Could someone kindly confirm if this is correct?

I would be grateful to hear from anyone that has set this up, has anyone encountered problems connecting these types of devices?

Does anyone have configuration examples or good documents i could read up on.

Many Thanks

J Mack


Re: WAP Advice Please

Putting the AP in the DMZ is a good way to go in many cases.

What you give up in this scenario is multiple VLANS/SSIDs, since (I believe) the PIX does not do dot1q trunking to a less-secure interface.

You could probably get around that using a VPN client, where each "VLAN" would be described by the VPN link used by the client.

This also permits you to use whatever security you have (RADIUS, TACACS+, local database) for authentication of the client.

If you're using SSL on your web site, you may also need to open up port 443.

Good Luck


New Member

Re: WAP Advice Please

In your case, the AP can serve more than just Internet access, which can give your users a lot of flexibility. I have set up an 1130 AP with VLAN access to two different networks in my office - one is a DMZ that only has Internet access and one is to my Inside network. The AP has access to those VLANs because we recently trunked all our switches together and they all participate in VTP - translation: every switch knows about all the VLANs, and that makes it easier.

This arrangement gives your employees access to the same (Inside) network as their desktop, and guests have access to the Internet (through the DMZ) for checking mail, doing presentations, etc. I just got it working today so I don't have security turned on - I'm still looking for a document that shows how to turn security on one SSID and not another without using a WLSE or WLC.

Here's the link to the document that shows how to use VLANs with an AP;