Cisco Firewall :: 5510 Set Up A Guest Wireless Network
Jun 4, 2012
I have a situation with a customer who has an ASA 5510. They have a fairly standard config with an Internal, DMZ and Outside interface, with rules on the Internal and Outside interfaces primarily. What they want to do is set up a guest wireless network. What I want to do is split the Internal interface into 2 sub-interfaces - one with the same settings as the current Internal interface and the other in a second VLAN for the guest wireless traffic. In order to do this though I have to remove the current config from the internal interface. The big question mark for me is what happens to all the firewall rules for the current Internal interface when I remove it? Do they all get deleted? Do they revert to global rules? Do they remain unchanged, ready to be applied to whatever interface is named as Internal in the future? (That's what I'm hoping for.)
One other thing, if I put the second sub-interface for the wireless guest traffic into VLAN 2 that is effectively enabling 802.1q, right? Frames tagged for VLAN 2 will go to the second sub-interface and native VLAN 1 will go to the Internal sub-interface, right?
Jul 8, 2012
I have been tasked with setting up a guest wireless network for a remote office. They would prefer that the guest network be on a different VLAN than the trusted network, and they want to use a different outside IP address for the guest network.
I am trying to figure out how to configure the ASA so that it supports two different LANs, each with its own outside IP address. Is this possible?
Dec 18, 2012
I have the syntax correct and thought process down right on a solution to allowing guest wireless users access to an internal webserver. (DMZ discussion aside)
We have an ASA5510 with interfaces setup as:
outside - 65.x.x.x address
inside - 172.20.1.2
guest_inet - 10.2.1.1
Internally, clients resolve our website to 192.168.40.40 and that part works as it should. Clients outside of our network resolve our website to the correct external address (let's just call it 1.1.1.1). We have a NAT statement static (inside,outside) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 and an ACL to permit tcp any host 1.1.1.1 eq www.
Clients on our guest_inet use an external DNS server and hence resolve our website to 1.1.1.1. However, it seems traffic goes out and back in our outside interface and this connection never occurs.
What I'm wondering is the correct NAT statement / ACL to add that would allow our internal clients on the 10.2.1.x network to access our internal website. Would that be: static (inside,guest_inet) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 ? Since there is already an ACL permitting port 80 traffic to 1.1.1.1 we should be taken care of on the ACL side of things, right?
Jan 15, 2012
I have a subnet for guest network access, both wired and wireless. We have a Netgear ProSafe that is trunked to a Cisco 2901 performing 'Router-on-a-Stick'. For most internal traffic, it all stays behind the ASA. But for guest traffic, I have a route-map that sets the next-hop address as the outside interface of the ASA. The question is, how can I still permit those users to access our internal DNS servers? Do I need any particular NAT translations, exemptions, DNS doctoring, hairpinning, etc.? I have an ACL on the inside interface that permits traffic from the guest networks to our internal DNS servers, and then the next ACL line denies any other traffic from the guest networks to any of our internal networks.
Oct 17, 2012
Any problems with the guest network on the EA4500 with the cloud firmware? I am losing guest clients after about 24 hours and the re-authentication fails. You enter the guest password and nothing happens until you reboot the router.
Jan 23, 2012
We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub-interface of the inside interface on our ASA 5520. There are no routes for it to be allowed access to the internal subnets, so it can only access the internet. This is primarily used by the public, but we have several non-employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL VPN portal or through other internet-facing internal resources such as webmail. I have done packet traces from within the ASA and the break appears to be that there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource. Is that as clear as mud?
I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require. And that this can be done seamlessly by network-specific routes and/or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resources, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.
Oct 29, 2012
Having an issue with a Cisco Linksys E1500 on a home network. The device has a feature to provide a guest wireless network but the guest network can't get to the internet. A wired connection is fine, as is the normal wireless network, but not the guest. The cheesy thing is that it doesn't list an option for what type of wireless security protocol you want on the guest network. I'm assuming that it uses the same security protocol that the normal wireless network uses, but who knows. Especially weird is that it asks you what password you want on the guest network but then the guest network shows as insecure when you try to connect. I thought maybe it was something funky with some of my configurations so I went ahead and factory defaulted it and just set it up with an insecure network for both the normal and guest networks. This didn't solve it. The guest network still couldn't get to the internet. In fact, the guest network can't even ping the router.
Apr 4, 2012
I am using Cisco ASA5510 Firewall in my network. The IOS is Software Version 8.0(5)24. The Flash is 512 MB and DRAM 1GB on the ASA. I want to upgrade the IOS on my Firewall and use the Latest one.
Also, what are the IOS details for the upgrade? The Firewall is serving both the VPN and FW rules.
Apr 30, 2013
BTW, the ASA is running version 7.0(8) and I'm doing this through the command line. I've got a group of workers coming in a couple of times per week that need wireless access to 1 printer on our network and internet access; I'll deny them access to the rest of our LAN. I've already configured an AP with WPA2 on a separate subnet and put a router between it and our network. I've set up the router to apply an ACL to allow access to the printer's IP, deny to the rest of our main subnet, and permit everything else to go to our ASA 5510 that is serving as our gateway. From a laptop connected to the access point: I'm able to ping the printer's IP; I'm not able to ping other workstations or our servers, as intended; I'm able to ping the ASA's inside interface. The only part I can't seem to pull off is the final part of getting the ASA to translate the IPs from the new subnet to the outside interface.
So we have:
Laptop > Wireless AP > Router with ACL > Primary LAN > ASA5510 > internet
PAT is working fine for the primary LAN, but the laptop can't hit the internet.
Jul 24, 2011
I am not sure if this can be done in an ASA 5510. Is there any way we can configure it so that when our public IP goes down I get an email?
Apr 16, 2011
How to design a network setup and achieve failover in the below scenario.
(Vendor router)
L3-Switch ---- ASA FW1 ---switch-- Router 1 ------ MPLS cloud1 ----- Router A ------------ L3 switch
(Vendor router)
L3-Switch ---- ASA FW2 ---switch-- Router 2------ MPLS cloud2 ----- Router B------------ L3 switch
I am planning to achieve the failover in either of the following ways:
1) Configuring both ASA FWs in active/standby mode.
2) Configuring an ASA FW 1 tracking command pointing to the ISP end IP address, so the traffic would be moved to the secondary firewall by putting an AD of 1 on ASA FW ...... pointing to the ISP IP address and another floating route (with a higher AD value) to the secondary firewall interface.
3) Configuring HSRP between the routers.
Feb 26, 2012
I have been asked to create an inbound connection on the ASA from the internet to a part of the network that is accessible over the wide area network, e.g.
-Internet address 94.175.x.100 goes to 151.5.3.100,
-The internal network is 10.42.15.0/22, and connects to the 151.5.3.0/24 network over a private MPLS.
Is this possible with the ASA5510, and if so can you give me a clue how to pass the traffic?
Oct 11, 2012
I have an issue with my mail server (SME Server) which is behind a Cisco ASA 5500 (firewall). The problem is that if one leaves my network they can receive but cannot send email via my SMTP; also, internal people can only send if they use the IP address of the server rather than the domain [URL]
here is my layout
ISP - ASA 5510 - LAN (includes mailserver)
Apr 17, 2011
I am setting up a new ASA 5510 on our inside network so that we can terminate our VPN connections on this ASA. I can get the VPN to work fine however I noticed that once I turned on my VPN profiles now when I try to access the ASDM I'm getting the VPN logon page. So I decided that in order to resolve this I need a separate interface dedicated to management of my ASA.
I'm trying to come up with the best way to do this. I've got two ports on the ASA plugged into my core switch. One is on a separate VLAN from the rest of my network traffic. This is the port I want to use for management. The second will be used to route all of my VPN traffic.
So far I haven't been able to get this to work at all. My thought was that it had to do with routes, NAT and ACLs. I've been playing with them but can't get any combination to work.
Dec 9, 2011
I configured one ASA 5510 firewall with CSC-SSM-10 at one of my customer locations.
Here I want to configure my firewall to send email alerts to a particular mail ID if anybody accesses my network from outside (like VPN users).
Jan 30, 2012
I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many NAT translations through it. I have a group of about 100 IPs that need http/https/sqlnet allowed through for our web farm.
I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists. Now with the new object based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
Do I have to create a network object for each and every IP I want to NAT through?
Apr 16, 2013
I am having a problem getting my ASA to work properly. I attached a diagram for reference and most of the config is below. When I finally got it to route properly between 2 subnets on the internal network, the NO NAT statement broke routing for the VPN clients, who rely on a NAT statement for the same subnet that is listed in the NO NAT access list. I can get one of the 2 to work by replacing NAT statements but can't figure out a combination to allow routing for both the internal subnets and the VPN clients to work.
It's been about 5 days of tweaking this thing just to get the internal routing to work correctly and when I finally did I broke VPN client access. To note, the VPN clients can still log in and get a session going, they just can't get anywhere once they are in. I also think there's a lot of stuff in this config that is not needed, like a lot of the object groups, etc., but I am being very careful about removing anything. I took over support of this ASA after someone else put it in place and over this past weekend we moved it to a new building and new ISP, and that is when I had to get it to route between subnets. The main point of this move was to remove building 1's reliance on building 2 for Internet and outside email access in the event that building 2 is not available (it is close to water and this has happened more than once over the past year).
So that is why I can't go with the smartest option of just keeping the routes on the router in the other building. I also know the 1600s are ancient but they're all we have for now. I can provide those router configs also but they are VERY basic, all static routing. The IP for the Cisco router on the same subnet as the ASA is 192.168.42.254.
This is the statement that allows the routing to work between the 2 internal sub nets but breaks VPN clients: nat (INSIDE) 0 access-list NO NAT
This is the statement that allows the VPN clients to work but breaks the internal routing: nat (INSIDE) 0 access-list INSIDE_nat0_outbound
The rest of the config is below the diagram.
ASA Version 8.2(2)
host name Cisco asa
domain-name default.domain.invalid
enable password - encrypted
password - encrypted
names
dns-guard
[code]...
Jan 2, 2012
We currently have a Guest wireless setup at my company; instead of using an anchor controller we have dual controllers, with each having one interface connecting out into our DMZ and then going out. It's a pure L2 connection and exits out to the internet via a DMZ interface on our ASA. We recently purchased a PA-200 Palo Alto firewall to use for this Guest network, and configured everything exactly how it's already set up on our DMZ switch and ASA, with the same IP addresses. When we connect the outside interfaces from the controller to an L2 switch that's connected to the Palo Alto firewall we can't get DHCP requests through and have no connectivity; even if we set a static IP on our client we still have no connectivity and it won't redirect us. We use Web-Auth for our authentication with this network and I know once you get an IP address it will only allow DNS to redirect to the virtual IP for authentication before it allows anything else, but it is the exact same setup as we had before, just with a different firewall, so I'm stuck. Also, if I plug directly into the switch via ethernet cable I can get an IP address and get out to the internet.
May 6, 2012
My landlord downstairs has set up a guest network for me from his Netgear WGR614v10 so I can ditch my DSL and just pay him. First I tried using my Netgear WNR2000 router to act as a receiver (bridge?) but messed it up and couldn't even access the router config anymore, so I had to reset to factory settings. I bought a Netgear WN311B PCI adapter, but I cannot connect. My laptop works fine, and after a bit I got my Nook to work. We've gone through having an open network with no encryption to currently trying with WPA2-PSK. If I try to connect with Win 7 it just says "Windows is unable to connect to network." Troubleshooting just says to restart the router. If I try Netgear's Smart Wizard it will detect the network fine in setup, and say the signal is at 79-80%.
But at the "Settings" tab, it just says "scanning" in the status bar, it always says channel 6, and shows signal at 1 dot. Windows' network connections list it at "Good." I did very briefly get it to work when I first tried the new adapter. Windows even asked me what type of network this was (Home/Work/Public) but when I tried to open a web browser it was not working anymore. I don't think it's range as my laptop and Nook work. I can get it to connect to my WNR2000 router, so I don't think it's necessarily the adapter.
Jun 28, 2011
I use the ASA 5510 and these days I am facing the problem that the internet is very slow. When I check in the real-time log viewer debugging, I found the following logs:
6|Jun 29 2011|15:47:53|106015|123.123.123.123|416|111.222.111.222|80|Deny TCP (no connection) from 123.123.123.123/416 to 111.222.111.222/80 flags ACK on interface Inside
4|Jun 29 2011|15:47:53|106023|123.123.123.123|852|111.222.111.222|80|Deny tcp src Inside:123.123.123.123/852 dst Outside: 111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0]
A lot of log messages come out and I notice that the 111.222.111.222 IP is trying to attack my network. In that moment, my network is very slow and nearly down. When I block that IP with an access list, the network is up again. But after a few moments there is an attack from another IP; it's so terrible and so tiring to block a lot of IPs by ACL.
Jan 19, 2013
Is it possible to perform static NATs through an internal network? I have an ASA 5510 with a public outside interface (let's call it 68.68.68.1), and I have an inside private IP address (192.168.1.2/24). The inside IP address leads to a 4900M with that interface being configured with 192.168.1.1 (no switching). On the 4900M I have several VLANs, one of them is an internal DMZ of sorts (192.168.2.0/24). Within this DMZ network are several web servers which need to be associated with a public IP address (68.68.68.x).
Every time I configure a static NAT associating a public IP address with an internal IP address within the DMZ, Packet Tracer on the ASA informs me that the packet gets dropped at the static NAT and I cannot figure out why this is so. Suffice it to say my question still stands: is it possible to NAT (68.68.68.222 to and 92.168.2.60) given the configuration above, and how would I go about configuring it in the manner above so that I can apply static NAT through the 192.168.1.0 network to reach the 192.168.2.0 network?
May 12, 2012
I have an ASA 5510 configured with 3 interfaces: Internet_AAPT, Internal_Network and Server_Network. The server network works fine and is able to connect to the internet, and services like port 80 work from the internet in. But from the Internal_Network I can only get to the server network but not the internet:
6May 13 201214:17:4030201310.153.111.21253663199.47.216.14880Built outbound TCP connection 42508 for Internet_AAPT:199.47.216.148/80 (199.47.216.148/80) to Server_Network:10.153.111.212/53663 (10.153.111.212/53663)
The weird thing is, in the logs I see a connection being made but for some reason it's referring to the Server_Network interface? Below is my current config...
ASA Version 8.2(5)
!
hostname ASA01
domain-name names
name 10.153.11.184 QNAP
name 10.153.11.192 exc2010
name 10.153.11.133 zeacom
[code]....
Oct 29, 2012
We have a Cisco ASA 5510. I am about to add another 2 object-group network groups on the firewall to our already growing list. Under this object-group network xxxx, we are planning to add about 500 network-object host xxx.xxx.xxx.xxx entries. This object-group will then be applied to an ACL. Just wanted to know if that's possible - meaning adding 500 hosts? If it is, what's the limit?
Also, are there any other things to keep in mind before I go ahead with this huge object group?
Mar 26, 2013
I am in the process of switching firewalls. Currently I have a Sonic firewall in place. I have been tasked to switch the firewall out with a Cisco ASA firewall 5510. The Sonic firewall currently allows email traffic, web traffic, and DNS traffic. When I use the current config below on the ASA I am unable to receive email from the outside network. I can send and browse websites but I cannot receive email.
ASA Version 9.1(1)
! hostname ciscoasa
enable password kdkfdjdjflkadjdsfj
[Code]......
Mar 19, 2013
I'm currently working on setting up 2 ASA 5510s with redundancy/failover. I'm not an expert when it comes to the ASAs so I'm not 100% sure if I can do what I need to. I have 2 inside networks that need to remain separate, a DMZ network, and an outside network. Since each network connects via ethernet to one of the 4 ethernet ports on the ASA 5510s, all 4 ethernet ports on the ASA 5510 will be in use. If I wanted to set up one firewall as Active and the other as Standby, how would I go about doing that? Do I need a direct ethernet connection between the 2 firewalls to use something such as HSRP? Or would the Standby firewall be able to tell if the Active firewall is OK since they would both be connected on each of their interfaces to the same networks?
May 2, 2013
We have an ASA 5510 configured. This is regarding site-to-site VPN.
Jan 2, 2012
So, I've set up Anyconnect client access to an ASA-5510.
I've got a handful of interfaces, which contain hosts that should be accessible to AnyConnect clients. I'm unable to reach addresses on a specific network, due to what packet-tracer claims is an implicit deny, though I'm unsure where to apply an access-list in this case.
fw1# show nameif
Interface Name Security
Ethernet0/0.205 SECURE 90
[Code].....
Aug 26, 2012
I have this guest WLAN working with web authentication; as you may know, in order to get authenticated you must have an IP address first and then have a valid username and password. The problem is that if you don't have valid credentials you keep the IP address anyway. I'd like to know if there is a way to release the IPs that are not being used? The WLC is the DHCP server for this network.
-WLC4402
-6.0.202.0
Aug 6, 2012
This is rattling my brain. I have configured 2 SSIDs, one for internal, one for guests. They are on separate VLANs (50 and 51) and bridge groups (1 and 2). I can get IPs via DHCP for the internal network, but not for the guest. I can't get DHCP for any VLAN 51 sub-interface, nor for clients that connect to it. The overall goal is to keep all traffic on the guest network separate from the internal traffic; however, DHCP requests will be served from an internal server. I have removed all the access-lists for troubleshooting purposes. AP and switchport configs are below!
AP Config
Current configuration : 4011 bytes
!
version 12.4
[Code].....
Apr 19, 2011
I have two Cisco WAP4410N access points. Both have Regular and Guest SSIDs, with the same configurations, except "Wireless Isolation" on the Guest SSID is enabled. The problem is the Guest SSIDs are not visible on devices.
The access points are working on different channels, firmware version: 2.0.1.0.
Oct 3, 2012
Could I set up a wired guest Internet connection without layer 3 web authentication, and how? I want guest users to access the Internet without going through web authentication.
Sep 24, 2011
I am using two firewalls to connect two different offices. The 5510 is running ASDM 6.3 and the 5505 is running ASDM 6.2. The problem is that even after connecting the two sites, I am unable to ping the remote network from either side. I have mentioned the static route as tunneled.
Jan 28, 2013
I recently got my Cisco wireless system working a few days ago and am back with a guest network. Our wireless system includes one 2504 controller and 2 2602i access points. So, I want a wireless guest network completely isolated from the LAN.
Here is what I have done.
I have created a new internal network and assigned 192.168.2.1 to an unused port on the firewall and 2.2 to a new controller interface with VLAN 10. I can ping both 2.1 and 2.2 from the firewall and the controller. Basic network connectivity is working. The DHCP server is set up on this same firewall and configured only for this port. This address is referenced in the controller's interface.
A new WLAN was set up and enabled. The proper interface group was selected on the WLAN. I have left the default layer 2 security.
As far as the AAA servers tab in this WLAN, this is where I am a little confused. I wish to just have a single login for this guest network. I wasn't sure what to do so I went over to the Security tab and created a "local net users" account. I do not know how to reference the use of this under WLAN, Security, AAA servers. Should I check the box that says "local EAP authentication"? If so, I don't have a profile name in the drop-down. What I'm looking for is for the username/password to be stored locally on the controller itself since there will be only 1 account.
Under the WLAN advanced tab, I do not have "Allow AAA override" checked. Should I?
Lastly, when I try to connect the client, it is not pulling a DHCP address. I wasn't sure if authentication was required before DHCP or the other way around, so I'm not sure what to troubleshoot first, authentication or DHCP.