
Guest Wireless Access Using a Cisco ASA 5510 with VLAN Configuration

I wanted to set up a guest wireless network at my work so that guests had internet access, but no access to our internal LAN. This was accomplished using our Cisco ASA 5510 firewall, HP ProCurve switch, Netgear wireless access points, and the creation of a VLAN.


Here are the steps that I took to make this work:

First, log in to the Cisco ASA firewall using ASDM. Go into the configuration, and under Device Setup drill down to Interfaces. Add a new interface, give it a name, assign it a VLAN ID and a security level lower than that of our internal LAN, and assign an IP address. Setting the VLAN ID to 3 identifies, or “tags”, the VLAN using the 802.1Q protocol.


Next, go to Firewall configuration and drill down to NAT Rules. Create a dynamic NAT rule for the Guest-VLAN interface to use the IP address of the outside interface. Without this dynamic NAT rule, users will not be able to get to the internet.


Next, go to Device Management and drill down to DHCP Server. I enabled the DHCP server on the Guest-VLAN interface, created an IP address pool, and assigned Google Public DNS servers for DNS Servers 1 and 2. Then I set the lease length to 1 day (86400 seconds).


That is it for the configuration on the Cisco ASA. Next, I logged into our Layer 3 HP switch and created the Guest VLAN, assigning it VLAN ID 3 to match the VLAN ID on the Cisco ASA. I tagged all ports with the newly created Guest VLAN.


Next, you have to assign the HP switch an IP address in the subnet of the newly created VLAN.


Finally, I logged into our Netgear wireless access points, created a Guest wireless SSID, applied WPA2 security, and configured the VLAN ID to 3.


Now when guests log on to the RES-GUEST SSID, they receive an IP address from the Cisco ASA DHCP server on the Guest-VLAN interface and can browse the internet, but can’t access our internal LAN.

Mission accomplished!
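
The ASDM steps above correspond roughly to the ASA CLI configuration below. This is an added example, not the author's own configuration: the physical port, subnet, security-level value, DHCP pool range and the internal test host are constructed, while Guest-VLAN, VLAN ID 3 and the 86400-second lease come from the post. The NAT rule is shown in both the pre-8.3 and the 8.3+ syntax.

```cisco
! Added example. Constructed values: Ethernet0/1, 192.168.3.0/24,
! security-level 50, the DHCP pool range, and the 10.0.0.10 test host.

! 1. 802.1Q subinterface for the guest VLAN. The parent port Ethernet0/1
!    must be enabled. Because the security level is lower than that of
!    inside (100 by default), guests cannot open connections toward the
!    internal LAN unless an ACL explicitly permits it.
interface Ethernet0/1.3
 vlan 3
 nameif Guest-VLAN
 security-level 50
 ip address 192.168.3.1 255.255.255.0

! 2a. Dynamic NAT (PAT) to the outside interface address, ASA 8.2 and earlier.
nat (Guest-VLAN) 1 192.168.3.0 255.255.255.0
global (outside) 1 interface

! 2b. The same rule on ASA 8.3 and later, where the nat/global pair was
!     replaced by object NAT. Use 2a or 2b, not both.
object network GUEST-NET
 subnet 192.168.3.0 255.255.255.0
 nat (Guest-VLAN,outside) dynamic interface

! 3. DHCP server on the guest interface: pool, Google Public DNS, 1-day lease.
dhcpd address 192.168.3.100-192.168.3.200 Guest-VLAN
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest-VLAN
dhcpd lease 86400 interface Guest-VLAN
dhcpd enable Guest-VLAN

! 4. Checks from privileged EXEC mode (not configuration commands).
!    Simulate a guest client reaching an internal host; the result should
!    report the flow as dropped.
packet-tracer input Guest-VLAN tcp 192.168.3.100 12345 10.0.0.10 80
!    Confirm that guests receive leases and are translated on the way out.
show dhcpd binding
show xlate
```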

  1. Rob
    April 28, 2011 at 3:42 pm

    Awesome! I’ll be trying this out in the next few weeks!

  2. Chris Holt
    June 13, 2012 at 7:22 pm

    This is a great tutorial, and I’m glad you created it, since this is exactly what I’m trying to do with my new ASA5510. However, I promptly got stumped when I got to the “create a dynamic NAT rule” section. I don’t see where I can create a *dynamic* rule. I’m on ASA v8.3(1), and ASDM v6.4(5)106, and it seems to be different. Any help will be greatly appreciated!

  3. Jack Hanington
    September 28, 2012 at 7:15 pm

    Thank you for posting this how to. This is exactly what I needed.

  4. Dean
    September 25, 2013 at 8:44 pm

    Thank you for the great tutorial. Do you need an AP that has a VLAN ID setting? Can this type of configuration be done with any AP?

  5. allan
    October 16, 2013 at 12:19 pm

    For the NAT rule: you can also click on the existing NAT rule that says inside,outside obj_any and change from “inside” to “any” so it’ll say: any,outside .. or is that not recommended?
