Archive for July, 2010

Guest Wireless Access Using a Cisco ASA 5505 with VLAN Configuration

July 22, 2010 3 comments

In my last post here I showed how to enable guest internet access by creating a VLAN on a Cisco ASA 5510 firewall. To accomplish the same setup on a Cisco ASA 5505 there are some differences in how the guest interface and VLAN are created on the firewall. There is also a very important prerequisite: you must have the Security Plus license for the ASA 5505 to enable VLAN trunking. All other aspects of the procedure are the same.

To create the Guest-VLAN interface on the ASA 5505 you need to use the command line interface (CLI). The first step is to connect to the ASA 5505 using a Cisco RJ-45 to DB9 console cable or an IP telnet session. Using a program such as PuTTY, open a serial or telnet connection to the ASA 5505. Enter enable mode by typing “en”; you will be prompted for the enable password.

Here are the necessary commands with comments:

# enter configuration mode
conf t
# create the new vlan interface
int vlan3
# give the interface a name
nameif Guest-VLAN
# assign a security level lower than that of your internal LAN
security-level 10
# assign the interface an ip address and subnet mask (substitute your own values)
ip address <guest-vlan-ip> <subnet-mask>
# enable the interface
no shutdown
# exit interface configuration
exit

# access the physical interface that your LAN is connected to
int Ethernet0/1
# define the vlans that the interface will allow (vlans 1 & 3 in this case)
switchport trunk allowed vlan 1 3
# define the native (untagged) vlan
switchport trunk native vlan 1
# change the interface from access mode to trunk mode (this allows multiple vlans; Security Plus license required)
switchport mode trunk
# enable the interface
no shutdown


That’s it for the configuration on the ASA 5505! The rest of the procedure is the same as in this post: Guest Wireless Access Using a Cisco ASA 5510 with VLAN Configuration.



Guest Wireless Access Using a Cisco ASA 5510 with VLAN Configuration

July 21, 2010 6 comments

I wanted to set up a guest wireless network at work so that guests had internet access but no access to our internal LAN. This was accomplished using our Cisco ASA 5510 firewall, an HP ProCurve switch, Netgear wireless access points, and a new VLAN.


Here are the steps that I took to make this work:

First, log in to the Cisco ASA firewall using ASDM. Go to Configuration and, under Device Setup, drill down to Interfaces. Add a new interface, give it a name, assign it a VLAN ID and a security level lower than that of our internal LAN, and assign an IP address. Setting the VLAN ID to 3 identifies or “tags” the VLAN using the 802.1Q protocol.


Next, go to the Firewall configuration and drill down to NAT Rules. Create a dynamic NAT rule for the Guest-VLAN interface that uses the IP address of the outside interface. Without this dynamic NAT rule, guest users will not be able to reach the internet.


Next, go to Device Management and drill down to DHCP Server. I enabled the DHCP server on the Guest-VLAN interface, created an IP address pool, and assigned Google Public DNS servers as DNS Servers 1 and 2. Then I set the lease length to 1 day (86400 seconds).


That is it for the configuration on the Cisco ASA. Next, I logged into our Layer 3 HP switch and created the Guest VLAN with VLAN ID 3 to match the VLAN ID on the Cisco ASA. I tagged all ports with the newly created Guest VLAN.


Next, you have to assign the HP switch an IP address in the subnet of the newly created VLAN.


Finally, I logged into our Netgear wireless access points, created a guest wireless SSID, applied WPA2 security, and set the VLAN ID to 3.


Now when guests log on to the RES-GUEST SSID they receive an IP address from the Cisco ASA DHCP server on the Guest-VLAN interface and can browse the internet, but cannot access our internal LAN.

Mission accomplished!
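As an added example that is not part of either post and not the author's own tooling, here is a small Python checker for the kind of setup both posts describe. It embeds a constructed ASA 8.2-style config (the 5505 VLAN and trunk commands from the first post, plus the CLI form of the NAT and DHCP settings the second post makes in ASDM; the addresses and the 8.2-era nat/global syntax are my assumptions, not values from the posts) and checks the things that actually keep guests off the internal LAN or give them internet access: the guest interface's security level is strictly below the inside interface's, the guest and inside subnets do not overlap, a nat rule exists for the guest interface, DHCP is enabled with a pool on the guest interface, and on a 5505 the trunk port allows the guest VLAN without making it the native (untagged) VLAN.

```python
# Added example, not the blog author's tooling: a checker for the guest-VLAN
# setup in the two posts above.  It parses a constructed ASA 8.2-style config
# (the 5505 VLAN/trunk form plus the NAT and DHCP the 5510 post sets up in ASDM)
# and reports what would break guest isolation or guest internet access.
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan3
 nameif Guest-VLAN
 security-level 10
 ip address 192.168.3.1 255.255.255.0
interface Ethernet0/1
 switchport trunk allowed vlan 1 3
 switchport trunk native vlan 1
 switchport mode trunk
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (Guest-VLAN) 1 192.168.3.0 255.255.255.0
dhcpd address 192.168.3.10-192.168.3.200 Guest-VLAN
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest-VLAN
dhcpd enable Guest-VLAN
"""  # constructed sample, not captured from the author's firewall

def parse_config(text):
    """Split a config into {interface name: [indented lines]} plus the global lines."""
    blocks, glob, cur = {}, [], None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            blocks[cur] = []
        elif line.startswith(" ") and cur:
            blocks[cur].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            cur = None
            glob.append(line)
    return blocks, glob

def attr(body, key):
    """Arguments of the first line in an interface block that starts with key."""
    return next((l[len(key):].strip() for l in body if l.startswith(key + " ")), None)

def network(body):
    """ip_network for the 'ip address A MASK' line of an interface block."""
    ip, mask = attr(body, "ip address").split()[:2]
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def vlan_set(spec):
    """Expand '1 3', '1,3' or '1-3' into a set of VLAN ids."""
    return {v for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", spec)
            for v in range(int(lo), int(hi or lo) + 1)}

def check_guest_vlan(text, guest="Guest-VLAN", inside="inside"):
    """Return a list of findings; an empty list means the setup looks right."""
    blocks, glob = parse_config(text)
    by_name = {attr(b, "nameif"): (n, b) for n, b in blocks.items()}
    if guest not in by_name or inside not in by_name:
        return [f"no interface named {guest} or {inside}"]
    (g_if, g_body), (_, i_body) = by_name[guest], by_name[inside]
    g_net, i_net, out = network(g_body), network(i_body), []
    # Isolation rests on the ASA default that traffic from a lower security-level
    # to a higher one is dropped; equal levels need same-security-traffic, so
    # anything other than strictly lower counts as broken.
    g_lvl, i_lvl = int(attr(g_body, "security-level")), int(attr(i_body, "security-level"))
    if g_lvl >= i_lvl:
        out.append(f"{guest} security-level {g_lvl} is not below {inside} ({i_lvl})")
    if g_net.overlaps(i_net):
        out.append(f"guest subnet {g_net} overlaps inside subnet {i_net}")
    # Guests need PAT to the outside address and a DHCP pool on their interface.
    if not any(l.startswith(f"nat ({guest}) ") for l in glob):
        out.append(f"no nat ({guest}) rule: guests get no internet")
    if f"dhcpd enable {guest}" not in glob or not any(
            l.startswith("dhcpd address ") and l.endswith(" " + guest) for l in glob):
        out.append(f"DHCP pool not enabled on {guest}")
    # 5505 switchports: the guest VLAN must be allowed on the trunk and must not
    # be the native VLAN, because the access point sends it tagged.
    m = re.fullmatch(r"[Vv]lan(\d+)", g_if)
    vid = int(m.group(1) if m else attr(g_body, "vlan"))  # 5510 subinterfaces use 'vlan N'
    for ifname, body in blocks.items():
        if "switchport mode trunk" in body:
            if vid not in vlan_set(attr(body, "switchport trunk allowed vlan") or ""):
                out.append(f"{ifname} trunk does not allow vlan {vid}")
            if attr(body, "switchport trunk native vlan") == str(vid):
                out.append(f"{ifname} carries vlan {vid} untagged as the native VLAN")
    return out

if __name__ == "__main__":
    print(check_guest_vlan(SAMPLE_CONFIG) or ["guest VLAN setup looks right"])
```

Run as-is it reports nothing for the sample; to use it on a lab box, feed check_guest_vlan the text of show running-config. It understands only the plain 8.2-era nat syntax and the interface, switchport and dhcpd lines shown; a config that applies an access list to the guest interface needs a separate review, since an applied ACL replaces the security-level default this checker relies on.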
