Cisco Wireless :: PA-200 / WLC Guest Setup Through Palo Alto Firewall?

Jan 2, 2012

We currently have a Guest wireless setup at my company. Instead of using an anchor controller we have dual controllers, with each having one interface connecting out into our dmz and then going out. It's a pure L2 connection and exits out to the internet via a DMZ interface on our ASA. We recently purchased a PA-200 Palo Alto firewall to use for this Guest network, and configured everything exactly how it's already set up on our dmz switch and asa with the same ip addresses. When we connect the outside interfaces from the controller to a L2 switch that's connected to the Palo Alto firewall we can't get dhcp requests thru and have no connectivity; even if we set a static IP on our client we still have no connectivity and it won't redirect us. We use Web-Auth for our authentication with this network and I know once you get an IP address it will only allow dns to redirect to the virtual IP for authentication before it allows anything else, but it is the exact same setup as we had before just with a different firewall, so I'm stuck. Also if I plug directly into the switch via ethernet cable I can get an IP address and get out to the internet.


Cisco Firewall :: ASA5585 Interfaces Not Connecting Palo Alto Failed Or Shutdown

Jun 9, 2012

We have a pair of ASA5585s (ver 8.4(4)) with IPS module configured with Active/Standby failover. There are a total of 09 interfaces connecting to different zones in the firewall, out of which three (3) interfaces are connecting to the Palo Alto 2nd layer firewall. When we test the failover, whatever interfaces not connecting to Palo Alto fail or are shut down, ASA triggers the failover to the other unit; however the Palo Alto is not detecting this failover and it still keeps its previous Active Palo Alto to pass traffic, thereby failing to pass traffic on the Active firewall through the Standby Palo Alto firewall.
 
But when an interface fails or is shut down on the interfaces where Palo Alto is also connected, then once the ASA failover triggers and at the same time Palo Alto also triggers its failover, both the new active firewall and Palo Alto send traffic through the firewall. However we can't connect all the interfaces of the ASA to Palo Alto as well and let the Palo Alto inspect all the interfaces, but we need our ASA to work in a situation where any of the interfaces fails, with the failover working smoothly to pass the traffic via either Palo Alto device. I just need to know if there is anything tricky that we can configure on our ASA in this failover scenario, or to confirm if there is no workable solution to this situation.
 
I have attached the scenario that I explained above. Just to emphasize the issue again, if any interface of Gig0/0, Gig0/4 or Gig0/5 fails on the active firewall, ASA switches to the standby firewall and acts as Active, but Palo Alto still remains in its Active state and the new Active ASA is not passing traffic via the standby PA as it's not detecting any of its interfaces as failed or unreachable?


Palo Alto 2020 Versus SonicWall

Sep 6, 2012

So my company is replacing firewalls. In our EU HQ, they went with Palo Alto 2020 models to take the place of Cisco PIX and an IBM IDS box. However, as I'm responsible for the US branch, I'm re-evaluating their decision for our office. We currently have a Cisco 5510 and the same IBM IDS box behind it. Everything works, so I'm wondering if a PA device is worth the upgrade cost, but on the other hand, you can't really put a price on security. The application control, IPS, anti-virus, etc etc are all cool features that might be worth implementing now.

My question is - why is PAN so expensive? As an example, Sonicwall's NSA 3500 with similar specs is coming in at 1/3 the price for the same feature set, and lower yearly cost. I've seen the demos, and the interfaces are both pretty slick - at least compared to what I have now. They all have the gateway security features and Deep Packet Inspection so what am I missing? I know PAN is all the rage right now in the networking world, but it seems like they're somewhat riding the fanaticism from their marketing teams - similar to Apple customers. We could also debate the differences between what's marketed as UTMs and NGFWs, but from the "black box" perspective (what comes in, what goes out) - aren't they more similar than different?

If I ran the office, I'd also look at Untangle and other vendors, but my boss wants something with a little more brand recognition. Anyway - I'm asking the Horde what's up since I'm not a networking guy by trade - more sys admin - but this office is my responsibility.


Cisco :: 4402 WLC Guest Wireless Setup

Jul 24, 2012

I am trying to set up a Wireless Network on my WLC that is totally independent of our internal LAN. Port1 is designated as the .14.0 network and Port2 is the .18.0 network. The 14 network (Port1) will be the guest and the 18 network (Port2) the internal wireless.
 
The issue I am having is nothing is routing to Port1. I have the Guest Wireless set to get DHCP from the WLC and I can get an address but I can't get internet access. I tried configuring a Network Route but it will only let me set the service port as the Gateway and not the IP for Port1.
 
I am running software version 5.1.151.0 and using this guide as it is the only one I can find. [URL]
 
Here is a screen shot of my Interface config.


Cisco Wireless :: WLC 2504 - Setup Guest Wi-Fi On Controller?

Jun 4, 2012

I have setup guest access on the controller and this is not working at the moment.
 
DHCP server setup on the controller for the Guest users.
 
You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.


Cisco WAN :: Setup VLAN In ASA5510 For Guest Wireless Access?

Feb 10, 2012

I am running a /24 network in Active Directory with my ASA acting as gateway and firewall.  Standard interfaces (Ethernet 0/0 as outside, Ethernet 0/1 as inside)
 
As of now I have no VLANs set up, but I need to set up wireless Internet access for guests...  I need directions on how to set up a VLAN with its own DHCP for these guests...  I can then make sure that my APs can be pointed to the same VLAN...  I am not familiar with CLI, have generally used ASDM. I am currently running ASDM 6.3(1) on an ASA with version 8.3(1).
 
This is something I need to do quickly as we are expecting 20-40 "guests" shortly, and I don't want them to use our internal DHCP server addresses.


Cisco Wireless :: WAP321 How To Setup Separate Guest SSID

Dec 11, 2012

How to set up a separate SSID for guests (without a password).
 
Basically, we have one SSID now called Mnet which has a WPA2 password. For guests coming in I want Mnet Guests where people can connect without needing a password. They should be able to use internet but not connect to LAN devices. How to accomplish this with this WAP321?


Cisco Wireless :: WLC 2504 - Setup Guest Access On The Controller

Jun 4, 2012

I have setup guest access on the controller and this is not working at the moment. DHCP server setup on the controller for the Guest users. You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.


Cisco Wireless :: 5508 Office Extend And Guest WLAN Setup

Aug 28, 2011

We're looking at deploying both office extend and also a guest wlan. Both would require a WLC in the DMZ. My question is can one 5508 WLC be both a guest anchor and have office extend APs on it at the same time?


Linksys Wireless Router :: Cisco E3000 - Guest Network Setup Via Web Interface?

Apr 6, 2010

I just installed my new Cisco E3000 and configured it over the HTTP interface, as I have on previous routers. I am unable to find any setting for the "Guest" wireless network (outbound internet only), or the Parental controls. Both of these are features of interest, and they're simply not listed in any of the web-based settings.
 
Puzzled, I did a Factory Reset and configured it via the Cisco Connect instead.. this had the Guest feature and Parental controls, but none of the other features I need, like QOS, or Port Forwarding, or DHCP disable.
 
It seems like the Web interface only configures some settings, and the Cisco Connect configures other settings, but I can't use them both.
 
Where does one set up the additional password for Guest access? Other than this, the router works fine on 2.4 & 5 GHz, nice..


Cisco Wireless :: Setup WRVS4400N To Isolate Guest Totally From Internal SSID

Jan 25, 2011

A query here with regards to Wireless isolation between SSID and wireless isolation within SSID. If we have 2 SSID, eg. InternalSSID, GuestSSID on AP1. Both SSID are set to Enabled for isolation between SSID, and within SSID, that would mean all machines connected thro' this AP1 would be isolated from one another.
 
1) If there's 1 laptop that connects to another AP, lets call it AP2, (doesn't have isolation function) on ssid01. Would this laptop still be isolated from those that connects to the first AP?
 
2) If there are wired PCs connected to the router. And the 2 APs are connected to the same router. Would the machines connected thro' the AP1 on either InternalSSID, GuestSSID be able to access those wired PCs? (My assumption is yes.)
 
3) Is there a quick and efficient way to setup on WRVS4400N to isolate GuestSSID totally from InternalSSID, and wired PCs. InternalSSID and wired PCs should be allowed to 'see' one another.

The challenge here is that the network points are all installed already. Both APs are connecting thro' 2 separate unmanaged switches together with a couple of other PCs. 1 port on each unmanaged switch connects to the router.


Linksys Wireless Router :: E1000 Guest Password Setup Not Working?

Mar 20, 2012

I used Cisco Connect to set up guest access with a secure password. Cisco Connect now indicates guest access is allowed and shows the password. However, when I actually try to connect to the guest network, it shows no security at all, and I can join the network without a password.


Cisco Wireless :: WLC 5500 / Guest Wireless Network Setup?

Apr 19, 2012

I got the task of setting up a Guest wireless network for one of our remote campuses. We already have some APs that are connecting to our WLC.
 
The Environment: WLC Cisco 5500 is at our Corporate office. Connects to our Core Switch then to our Router. Router connects to our remote campuses over mpls.
 
We currently already have APs at this campus that are connecting back to our WLC.
 
We have a DSL line at the remote campus that we want this Guest wireless routed to.
 
I have already created the guest network on the WLC and a guest VLAN on the Core switch.
 
My main question is how to configure the two routers for this and have this go out the DSL modem?


Linksys Wireless Router :: EA3500 / Can Setup A Default Website For Guest Network

Feb 26, 2013

Just got a new EA3500, and plan to use its guest network feature to allow Internet access but not access to my LAN.  Wondering if I can set it up so that users on the guest network bring up a particular website when they open their browser.


Cisco Wireless :: Setup A 2504 To Have One Guest WLAN And One Staff WLAN?

Jun 10, 2013

I would like to setup a 2504 to have one Guest WLAN and one Staff WLAN with a controller port for each WLAN connected to different devices.
 
I would prefer to connect the WLC Guest port to an ASA 5510 and the WLC Staff port to an internal 2960S switch. Will this work? I haven't setup a 2500 series controller previously.


Cisco Switching/Routing :: 3750 - Setup VRF For Guest Networks?

Dec 10, 2012

I am trying to set up a vrf for guest networks and am having issues on one of the switches. A quick overview (since I don't really know what I am doing): we have two sites that are connected via lanex. Each site has a 3750. The only internet connectivity is the remote site (so all the users at the local site route out through the remote site to get to the internet). I need to make a guest network at the local site using our current infrastructure but it cannot have any access to our network resources.
 
I have created a vlan here (vl166) and on the remote switch

ip vrf TRAINING
didn't do any route distribution
then added "ip vrf forwarding TRAINTING" and readded the ip to the vlan interface
gave it an ip address of 172.16.166.1
 
did the exact same thing on the remote switch but with interface address of .2
 
enabled ospf on both switches.... router ospf 3 vrf TRAINING
 
I can't ping from one interface to the other... when I try pinging from the remote switch I get:
 
CISCO3750MCI-1#ping vrf TRAINING 172.16.166.1
% VRF does not have a usable source address
 CISCO3750MCI-1#show ip vrf interfaces TRAINING
Interface              IP-Address      VRF                              Protocol
Vl16                   172.16.16.2     TRAINING                        down
 
I can't see why the interface is down. Nothing in the logs (even when I do no shut... it just accepts the command but doesn't come up)


Vlan Setup For Separating Guest Wifi Access From Lan

Mar 26, 2013

I have registered here to clarify some things about VLANs. There are so many (different) names and mentions that I found that my vision gets blurry looking through all the info. I have a setup at a client where the Guest WiFi access needs to be separated from the normal LAN where all the normal devices are attached to. The guests are not allowed to reach the IP cameras and printer etc. I am trying to visualize how the traffic should flow but the Tagged, Untagged, PVID, Trunks and other names that I found make it difficult for me to see how it works together.


Cisco Firewall :: 5510 Set Up A Guest Wireless Network

Jun 4, 2012

I have a situation with a customer who has an ASA 5510. They have a fairly standard config with an Internal, DMZ and Outside interface, with rules on the Internal and Outside interfaces primarily. What they want to do is set up a guest wireless network. What I want to do is split the Internal interface into 2 sub interfaces - one with the same settings as the current Internal interface and the other in a second VLAN for the guest wireless traffic. In order to do this though I have to remove the current config from the internal interface. The big question mark for me is what happens to all the firewall rules for the current Internal interface when I remove it? Do they all get deleted? Do they revert to Global rules? Do they remain unchanged ready to be applied to whatever interface is named as Internal in the future? (That's what I'm hoping for)
 
One other thing, if I put the second sub interface for the wireless guest traffic into VLAN 2 that is effectively enabling 802.1q right? Frames tagged for VLAN 2 will go to the second sub interface and native VLAN 1 will go to the Internal sub interface right?


Linksys Wireless Router :: EA4500 Guest Network - Losing Guest Clients After About 24 Hours

Oct 17, 2012

Any problems with the guest network on the ea4500 with the cloud firmware? I am losing guest clients after about 24 hours and the re-authentication fails. You enter the guest password and nothing happens until you reboot the router.


Cisco Firewall :: ASA 5510 - Set Up Guest Wireless Network For A Remote Office?

Jul 8, 2012

I have been tasked with setting up a guest wireless network for a remote office.  They would prefer that the guest network be on a different VLAN than the trusted network, and they want to use a different outside IP address for the guest network. 

I am trying to figure out how to configure the ASA so that it supports two different LANs, each with its own outside IP address.  Is this possible?


Cisco WAN :: Aironet 1240AG - Setup Guest Network That Is Secure And Limited In Bandwidth Utilization?

Jan 27, 2013

I have a Cisco Aironet 1240AG Access Point and I am trying to setup a guest network that is secure and limited in bandwidth utilization. I see an option under security > SSID Manager on the web interface to select an interface of Radio0-802.11G, Radio1-802.11A or both. Can I put the guest network on the Radio1-802.11A and make it more secure/bandwidth limited or does this option not matter?


Cisco Firewall :: ASA 5520 - Allowing Guest Wireless Network Access To Internal Subnets

Jan 23, 2012

We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub interface of the inside interface on our ASA 5520.  There are no routes for it to be allowed access to the internal subnets.  So it can only access the internet.  This is primarily used by the public, but we have several non employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL vpn portal or through other internet facing internal resources such as webmail. I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource.  Is that as clear as mud?
 
I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require.  And that this can be done seamlessly by network specific routes and or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.


Cisco Wireless :: 5508WLC Whitelist For Guest Access And Securing Guest-access?

Aug 18, 2011

Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else? Looking at a 5508 model at the moment.


Cisco :: 5508 Guest WLAN Dropped Off Outside Firewall

Sep 5, 2012

We are implementing a new corporate headquarters and have bought a Cisco 5508.  I have two connections plugged into the 5508 in ports 1 and port 2.  Port 1 is for all internally wireless networks and connects to our core 6500 and uses external DHCP server scopes.  Port 2 is for our guest WLAN and connects directly to a public network switch in front of (outside) the firewall.  For the guest network, I have set up a vlan on the controller for dhcp and the interface set up to that vlan and dhcp scope built on the controller. How or can I NAT the internal addressing for the guest network to the public IP address on the controller?  Essentially I want to drop off guest network traffic outside the firewall and not have to deal with setting up the firewall for any aspect of guest network traffic.


Cisco Firewall :: ASA 5550 - Acl Allowing Guest Access

Jan 26, 2012

I have an ASA 5550 at our main site with an external ethernet interface to our ISP for internet access.  I would like to allow 10.100.41.x/24 http / https access but block this network's access to all other internal networks including 172.17.x.x, 10.100.1 - 40.x, and others.  I'm having trouble identifying what IP address to use as the destination for the permit rule for access to the internet.  The rule that comes after the permit is to deny 10.100.41.x/24 access to internal network addresses.


Cisco VPN :: Setup VPN On RV 120W Wireless-N VPN Firewall?

Oct 19, 2011

I got an RV 120W router and I need to set up VPN to connect remote clients (not site-to-site).
 
Are there any documents, examples or howtos describing the way to set it up?


Cisco Firewall :: Way To Create A Guest Access Lobby On ASA 5525

Sep 23, 2012

Is there a module or way to create a Guest Access Lobby on the ASA 5525? We currently leverage the WLC to do this for us, but are moving to a routed access environment which is causing some issues. We would like to offload the guest access responsibility to the ASA if possible.


Cisco Firewall :: ASA 5505 - All Traffic From Guest VLans To Always Go To Outside Interface

Mar 15, 2013

I have an ASA 5505 with the security plus license. I have 7 vlans, 2 are guest vlans for wireless and wired connections.  I am allowing traffic from the guest vlans to any with the http & https protocols. I have ACLs in place before the allow all rule that do not allow traffic from the guest vlans to the other vlans. Is there any way to have all traffic from the guest vlans always go to the outside interface for the http & https traffic instead of trying to go to the other vlans first? I know I have the ACLs in place to prevent the traffic but I would feel better if I had this in place as well.


Cisco Firewall :: 2901 / ASA 5510 Guest Internet Access?

Jan 15, 2012

I have a subnet for guest network access, both wired and wireless.  We have a Netgear ProSafe that is trunked to a Cisco 2901 performing 'Router-on-a-Stick'.  For most internal traffic, it all stays behind the ASA.  But for guest traffic, I have a route-map that sets the next-hop address as the outside interface of the ASA.  The question is, how can I still permit those users to access our internal DNS servers?  Do I need any particular NAT translations, exemptions, DNS doctoring, hairpinning, etc.?  I have an ACL on the inside interface that permits traffic from the guest networks to our internal DNS servers, and then the next ACL line denies any other traffic from the guest networks to any of our internal networks.


Cisco Firewall :: ASA 5510 - Guest Network Access To Internal Webserver

Dec 18, 2012

I have the syntax correct and thought process down right on a solution to allowing guest wireless users access to an internal webserver.  (DMZ discussion aside)
 
We have an ASA5510 with interfaces setup as:
outside - 65.x.x.x address
inside - 172.20.1.2
guest_inet - 10.2.1.1
 
Internally clients resolve our website to 192.168.40.40 and that part works as it should.  Clients outside of our network resolve our website to the correct external address (let's just call it 1.1.1.1). We have a NAT statement static (inside, outside) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 and an ACL to permit tcp any host 1.1.1.1 eq www
 
Clients on our guest_int use an external DNS server and hence resolve our website to 1.1.1.1.  However it seems traffic goes out and back in our outside interface and this connection never occurs.
 
What I'm wondering is the correct NAT statement / ACL to add that would allow our internal clients on the 10.2.1.x network to access our internal website.  Would that be: static (inside,guest_inet) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 ?  Since there is already an ACL permitting port 80 traffic to 1.1.1.1 we should be taken care of on the ACL side of things, right?


Cisco Firewall :: Failover ASA 5505 - Setup Second Inside Interface On Firewall?

Feb 19, 2012

I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to set up a second inside interface on the firewall and configure it as failover in case this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? Would it only be a passive/standby interface?


Cisco VPN :: ASA 5505 Setup As Firewall Connected To Cox Cable Modem And Wireless AP

Aug 27, 2011

I have two ASA 5505s.  One is currently set up as my firewall connected to the Cox Cable modem and wireless AP.  I have another ASA that I would like to use. I have an idea that I could set that one up as a VPN unit, but not sure how I could do that.  If that is not an option, can you provide the command line instructions on how to set up the VPN via the console cable.


Cisco Firewall :: 6509 - Is It Better To Setup Firewall As Transparent Or Routed

May 9, 2011

I am familiar with the PIX and ASAs.  We have two Cisco 6509s with a FWSM installed in both.  Our network is shown in the diagram.  We use Blue Coat Packetshapers and Barracuda Proxy appliances.  I plan on setting up HSRP on both 6509s for traffic coming from our ISP Cisco 2811s as well as use HSRP for our DMZ and internal network.  I would like to set up the firewalls for stateful failover.  We will be using PAT for our internal users and one-to-one static NAT for our DMZ.

Is it better to set up the firewalls as transparent or routed?
 
Since the firewall is built into the switch, how do I insert the Barracuda proxies?  I can configure them as transparent or routed proxies.
