Cisco :: ASA 5520 - Don't Allow Guest Traffic Access Internal Network
Feb 28, 2013
I have created a new sub-interface on our ASA 5520 for guest internet access.
My goal is to allow access to a few specific services hanging off some dmz interfaces on the same firewall and full unrestricted access to the internet only. Everything else should be out of bounds.
The order of the rules I plan to setup on the guest interface inbound are:
#1. <rules to allow access to specific services in the dmz>
#2. <block any ip access to the entire private network ip address space>
#3. <permit ip any any>
#1. These rules will give access to the guest user to services located in the dmz
#2. This rule will block all access to any services in the private ip address space (thus blocking access to all internal services)
#3. This rule is to allow access to any other services i.e. the internet.
Is this the best way to achieve my goal in the most secure way or is there a better way? i.e. is there a way to force the traffic by default to only go out the outside interface unless there is a specific rule allowing it go elsewhere?
(Of course Dynamic PAT will also be configured for traffic coming from the guest interface to the outside interface.)
View 2 Replies
ADVERTISEMENT
Jan 23, 2012
We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub interface of the inside interface on our ASA 5520. There are no routes for it to be allowed access to the internal subnets. So it can only access the internet. This is primarily used by the public, but we have several non employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL vpn portal or through other internet facing internal resources such as webmail.I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource. Is that as clear as mud?
I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require. And that this can be done seemlessly by network specific routes and or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.
View 8 Replies
View Related
Dec 18, 2012
I have the syntax correct and thought process down right on a solution to allowing guest wireless users access to an internal webserver. (DMZ discussion aside)
We have an ASA5510 with interfaces setup as:
outside - 65.x.x.x address
inside - 172.20.1.2
guest_inet - 10.2.1.1
Internally clients resolve our website to 192.168.40.40 and that part works as it should. Clients outside of our network resolve our website to the correct external address (lets just call it 1.1.1.1). We have a NAT statement static (inside, outside) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 and an ACL to permit tcp any host 1.1.1.1 eq www
Clients on our guest_int use an external DNS server and hence resolve our website to 1.1.1.1. However it seems traffic goes out and back in our outside interface and this connection never occurs.
What I'm wondering is the correct NAT statement / ACL to add that would allow our internal clients on the 10.2.1.x network to access our internal website. Would that be: static (inside,guest_inet) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 ? Since there is already an ACL permitting port 80 traffic to 1.1.1.1 we should be taken care of on the ACL side of things, right?
View 3 Replies
View Related
Mar 14, 2011
I am trying to build a remote vpn in ASA 5520 Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using anyconnect VPN and I could successfully connect the VPN. My home laptop takes an IP 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IP is ping ing even). Meanwhile, I could ping and rdp to this laptop(which is connectd by anyconnect VPN) from my office network. One thing I noticed is that when I give a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router.
View 8 Replies
View Related
Aug 23, 2011
I am using ASA 5520 with 8.2.4 IOS. I'm new to ASA/Firewall. I need to do access webserver from outside network.From Laptop (192.168.2.51), If I connect to url... it should open page from 10.10.10.50.I also need to ssh to webserver from laptop. If I ssh to 192.168.2.50 from laptop, it should connect to 10. 10. 10.50. [code]I can't get to webserver from outside network, so now, I connected laptop to directly ASA 5520 outside port with crossover cable.ASA Inside port connects to L3 switch. Webserver also connects to L3 switch. But still doesn't work.
View 9 Replies
View Related
Mar 23, 2011
We have a guest wireless network using 1130AG Access Points. Is it possible to allow devices on this network access to an Internal IP? I know that kind of defeats the purpose on the guest network, but we'd like to give access to internal email to these devices. Currently this does not work because you cannot loop back into the network to gain access (out the firewall and right back in the same port).
View 5 Replies
View Related
Nov 29, 2011
I have been trying to create a Guest WLan on my 4402 WLC system and have found several confilcting documents explaining the procedure. During this process I have notices that although the current corp wireless works, there was never a virtual interface created for it. Instead it uses the same Wlan/Vlan as the ap manager and managemnt interfaces. Could this by why I cant seem to get the Guest access working? or is this not a problem after all since the wireless does work.
View 1 Replies
View Related
Sep 12, 2011
i have two WAP4410N wireless router. with software version (2.0.1.0) , here i have a problem on SSID broadcast and access.i have created Two ssid's WC72 and SREE with same security configuration WPA2-personalmixed . i cant see the broadcasted SSID of name SREE where i only view WC72 and get connected to it..
where i initially want is separate SSID and internal network access for internal employees and Guests (shouldn't connect to internal network).
View 9 Replies
View Related
Mar 18, 2012
Can we change the internal web authentication for guest network to use http instead of https?
View 3 Replies
View Related
Jan 27, 2013
I have a small request. I have a setup where the internal users within the corporate network need to remote VPN into the VPN concentrator.
The setup is as below
inside
(202.x.x.x)VPN ASA 5520 ---------------- FW ------------- intenal network
----------------
outside
The problem is that the 10.0.0.0/8 internetl network establishes the connection via the outside interface. However, the return path is via the inside interface. But the vpn concentrator keeps showing next-hop not reachable for USP 500. Why does it show that when it has a route via the inside interface.
6|Jan 29 2013 13:44:38|110003: Routing failed to locate next hop for udp from NP Identity Ifc:202.x.x.x..29/62465 to outside:10.163..x.x/5892
Also, since we are trying to send traffic from outside to the inside interface, I tried to NAT the source ip i.e 202.x.x.x and left the source unaltered. But it still doesnt work.
I am wondering why is the ASA not routing via the inside interface and looks for the return traffic via the same outside interface the traffic entered in. The outside has a security-level of 0 and the isnide has a sec-level of 100.
View 17 Replies
View Related
Mar 22, 2012
We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
ASA Version 8.4(3)!hostname ciscoasadomain-name default.domain.invalidnames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 10.2.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 152.18.75.132 255.255.255.240!boot system disk0:/asa843-k8.binftp mode passivedns server-group DefaultDNSdomain-name default.domain.invalidobject network a-152.18.75.133host 152.18.75.133object network a-10.2.1.2host 10.2.1.2object-group network ext-serversnetwork-object host 142.21.53.249network-object host 142.21.53.251network-object host 142.21.53.195object-group network ecomm_serversnetwork-object
[code]....
View 10 Replies
View Related
May 17, 2013
I have a ASA 5505, which has two IPSec RA tunnels build, for each one the user is able to authenticate and get an IP address is the designated IP pool, but they are not able to ping the Firewall, or RDP to any internal servers. Here is a copy of the running config:
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa(code)
View 1 Replies
View Related
Jan 10, 2013
we have a Cisco 2901 as a router on a stick for several vlans. Everything on the segment routes fine and accesses the internet just as they should. The 2901 connects to an ASA5505 on port 0/1. Any host connected to the ASA5505 can access the internet, but can not ping into any of the vlans off of the 2901. The strange thing is on either segement of the network I can ping all of the gateways. What is even more strange is when I run wireshark from behind the firewall going into the 2901 I can not see the packet on another wireshark instance behind the 2901. However if I start a ping for a host host behind the asa I can see the packet in wireshark on the host, which I am trying to ping, hit the gateway.
View 15 Replies
View Related
Dec 19, 2011
I am implementing a guest wireless network to work alongside my internal network. The guest network will use the existing switching network and will be separated by VLANs. I have the ASA set so that traffic can get to it and out to the Internet. I can set up a workstation on the same VLAN as my guest network and can route inside my network (strictly doing this for testing purposes). Where I am having problems is with the Catalyst 4506 switches and the ip routing. I had two separate "ip route" statements defined on my switches.
ip route 10.200.2.0 255.255.255.0 10.200.2.254
ip route 0.0.0.0 0.0.0.0 10.100.100.254
I have discovered that the traffic is always following the default route despite the fact that my IP address on my test workstation falls in the 10.200.2.x network. I was looking at documentation and found that it is possible to set up policy-based routing on the core switches. Can you have two "ip route" statements defined like this to segreate traffic or do I have to use PBR for routing (or a combination) in this case? If I define PBR then how does that impact my existing routing? I need to make sure that I can still route the existing traffic while I'm configuring this change.
View 9 Replies
View Related
May 7, 2012
I have created remote access vpn in my ASA 5505. The tunnel is established but i am not able to access the internal network.
View 3 Replies
View Related
Aug 18, 2011
Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else?Looking at a 5508 model at the moment
View 4 Replies
View Related
Oct 28, 2012
I seem to be having an issue with my PIX configuration. I can ping the VPN client from the the internal network, but can cannot access any resources from the vpn client. [code]
View 4 Replies
View Related
May 18, 2011
We have ASA5510s and I've configured an SSL VPN using AnyConnect.. The VPN address pool is 10.10.10.0/24 and our internal network is 10.10.20..0/24. After successful login, using LDAP. the client receives a 10.10.10.0/24 address from the pool, but cannot access anything on the internal 10.10.20.0/24 network. I've toyed with access lists and NAT exemption, but to no avail. What do I need to do?
View 8 Replies
View Related
Mar 22, 2010
Have a WLC 5508 running 6.x code with LAP's providing wireless for our internal laptops (WPA2 and EAP-TLS). I want to provide guest wireless which goes out a different port on the WLC to a guest firewall/cable modem. However, we want to prevent our internal laptops from being able to use the guest wireless. I have RADIUS (IAS) and LDAP for my AD available. We would prefer not to have use Lobby Ambassador and just have the guests use a simple password or web passthru. Guests may be laptops or smartphones. What options are available? I have tried a test setup using dynamic vlan assignments from RADIUS using the IETF flags, but can't seem to get it to work. Is there a way to identify the SSID is being used at the RADIUS server?
View 13 Replies
View Related
Apr 29, 2012
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
View 2 Replies
View Related
Nov 19, 2012
I have a base config of AnyConnect VPN below, however the ASA 8.3.1 code has deprecated some commands and the VPN/NAT/FW rule syntax is quite different. Can som point out what's missing from the pertinent config below that prevents the VPN Pool from accessing the internal LAN?
The Core LAN router is 1.2.3.1.
!
ASA Version 8.3(1)
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 1.2.3.2 255.255.255.0
View 2 Replies
View Related
Apr 9, 2012
What I got is a 5505 ASA firewall and I'm connected to it via VPN. I'm pulling an 192.168.169.x address because that's what we set their company's internet LAN to. Which is what we want. What I can't do while I'm VPN'd in is ping from the internet network to the DMZ, and the same when I try and ping from the DMZ to the internal network.
The DMZ is on a 196.0.0.x network.The internet network is 192.168.169.x network.
I don't need them to have internet access on the DMZ I just want to be able to access it from the internal network. What is going on is we need them to be able to VPN into the DMZ and access their equipment. At this point it would just make me happy to be able to ping from the internal network to the DMZ and I can figure it out from there I've setup rules and applied them and when I wasn't having success I referred back to defaults. Right now the rules are set at default, any thing in and anything out, on both internal and DMZ. I'm using a VPN client and going through Cisco ASDM Launcher to setup the rules and static routes, I haven't done anything with the command line. All the research I've done everyone does it command line, I find it easier to do it GUI. This is my first time working with an ASA firewall.
View 2 Replies
View Related
Mar 23, 2011
We have a 4402 wlc setup for guest network access. We are using the local net users to provide access to our guests. We have an issue where if a user signs in through the web, sometimes but not always, they are then forced to keep signing back in almost every 30-60 seconds.
View 8 Replies
View Related
Feb 24, 2013
I have a cisco wlan controller (2100) running software 7.0.235.0. I have the internal private wlan running off of port 1 and that is working fine with an internal dhcp server.Is it possible to setup another ssid (guest) and have the interface directly linked to a static ip on the WAN and also use the built in cisco internal dhcp server?
View 4 Replies
View Related
Aug 1, 2012
After connecting via anyconnect client 2.5, I cannot access my internal network or internet. My Host is getting ip address of 10.2.2.1/24 & gw:10.2.2.2
Following is the config
ASA Version 8.2(5)
!
names
name 172.16.1.200 EOCVLAN198 description EOC VLAN 198
dns-guard
!
interface Ethernet0/0
description to EOCATT7200-G0/2
switchport access vlan 2
[code]....
View 5 Replies
View Related
Oct 31, 2011
I have configured Clientless SSL VPN for access to ASA 5540 internal network. Still I am unable to take ssh to my core switc [code]
View 5 Replies
View Related
Apr 19, 2011
I have two Cisco WAP4410N access points. Both has Regular and Guest SSIDs, with same configurations, except "Wireless Isolation" on Guest SSID is enabled. Problem is Guest SSIDs are not visible on devices
Access points are working on different chanles, firmware Version: 2.0.1.0.
View 5 Replies
View Related
Jan 25, 2011
A query here with regards to Wireless isolation between SSID and wireless isolation within SSID.If we have 2 SSID, eg. InternalSSID, GuestSSID on AP1.Both SSID are set to Enabled for isolation between SSID, and within SSID, that would mean all machines connected thro' this AP1, would be isolated from one another.
1) If there's 1 laptop that connects to another AP, lets call it AP2, (doesn't have isolation function) on ssid01. Would this laptop still be isolated from those that connects to the first AP?
2) If there are wired PCs connected to the router. And the 2 APs are connected to the same router. Would the machines connected thro' the AP1 on either InternalSSID, GuestSSID be able to access those wired PCs? (My assumption is yes.)
3) Is there a quick and efficient way to setup on WRVS4400N to isolate GuestSSID totally from InternalSSID, and wired PCs. InternalSSID and wired PCs should be allowed to 'see' one another.
The challenge here is that, the network points are all installed already. Both AP are connecting thro' 2 separate unmanaged switch together with a couple of other PCs. 1 Port on the unmanaged switch, each,connects to the router.
View 1 Replies
View Related
Apr 22, 2012
I'm a member of a club and we have just got BT Business Broadband with BT Business Hub 3. The club has one WiFi laptop which will occasionally access the BT Hub 3 using WiFi for internet use only. So essentially we have no network as such, just the BT Hub and a laptop.I would like to allow some club members to have internet access (WPA2 password), but without allowing access to the club laptop in any wayAs I said previously, the club laptop will only be active occasionally, so actual exposure is limited, but ideally I would like for the club laptop to be invisible to others when it is connected. I would also like each members equipment to be hidden from each other, so nobody can access each others data etc.. Can I achieve this simply? If so, do I need extra equipment?
I do have some donated equipment available: Netgear WAG102 Wireless Access Point, D-Link DSL-2640R Broadband Wireless G ADSL2+ Router and US Robotics 9106 SureConnect ADSL Wireless Gateway. Could I use any or all of these?I know this donated equipment is only Wireless G, but speed for the members is not important as they will only use internet access for emails and occasional google searches etc.I've tested the WAG102 at home, by plugging it into a LAN port of my BT HomeHub3 and giving it a different SSID, which works OK, but I can still see the other equipment connected wirelessly to my BT HomeHub3, although I cannot access my home laptop etc. because they are password protected.
View 3 Replies
View Related
Sep 10, 2012
I have a 5505 between a vendor router & my company network, vendor is not able to access devices on internal network. I am also not able to access the firewall via asdm
View 10 Replies
View Related
Mar 6, 2013
We have the RV180W router and the WAP321 access point in our business. We want to broadcast two SSIDs from both locations: the office SSID, which shares routing to LAN traffic, and a guest SSID.The office computers are attached via ethernet to a switch off of LAN port 1 on the router. The AP is attached to LAN port 2 on the router.On the router, the office SSID and the LAN are members of VLAN 1. The guest network is a member of VLAN 2. From the router, everything works just fine.On the WAP, the staff SSID works fine, but the guest SSID has no internet. Both the office and guest networks get DHCP successfully from the router.Our VLAN membership table in the router and WAP are attached, as well as other configuration details.Why would we not be getting internet on the guest ID only on the WAP?
View 8 Replies
View Related
Dec 26, 2011
I need to know how WLC can support ISE guest management in wireless mode. Tested and confirm by Cisco SE, Knowing that WLC currently does not support dynamic VLAN authorization for central web authentication. This limitation will be addressed in WLC 7.2 when MAB and CWA support is added to the code. On the other hand, DACLs on the other hand works and we can use that to restrict access of this guest traffic.Can ISE support on WLC LWA guest access provision? This able to view guest user login and show at ISE monitoring.
View 1 Replies
View Related
Oct 11, 2012
I got a problem with my netgear WNDR3400V2.As u see in this picture the box allow guest to access my local network is greyed out.I made the router an access point and have no clue how to make it normal again.
View 2 Replies
View Related