Cisco ASA Configurations for Newbies : Enabling “Guest” VLANs

So, at the hospital and corporate offices, I wanted to set up our wireless access points to offer both a “private” domain-connected SSID and a “public” guest-access SSID for visitors. That way contractors, vendors, clients, etc. can bring their laptops in and get Internet access, while employees connect to the servers, with the two kinds of traffic kept on separate VLANs so that neither side can reach the other.

Our firewall is a Cisco ASA 5505, and since I have two Cisco Aironet APs, they are connected to the ASA’s PoE switch ports and mounted in the ceilings at the office.

The APs are easy to configure: just map each SSID to the VLAN that you will configure on the ASA. The ASA is the tricky part, because there is a hefty prerequisite: you MUST be licensed for the Security Plus package in order to use 802.1Q trunk ports and more than three VLANs (the Base license allows three, and the third one is restricted from initiating traffic to one of the others, which is the “no forward interface” line you will see in some configs). You’ll also want the unlimited-hosts license, since every guest client that passes traffic through the ASA consumes one of the licensed host entries.

In the example below, I use VLAN 1 as my “outside” VLAN, VLAN 2 as my “inside” VLAN, and VLAN 3 as my “GUEST” VLAN. (A 5505 ships with Vlan1 as inside and Vlan2 as outside, so adjust the numbers to match your own box.) Once you have that decided, SSH to your ASA (Telnet works too, but it sends your enable password in the clear), log in, enter “enable” mode and then “configure terminal” to get started, and type these in:

interface Vlan3
 nameif GUEST
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! 802.1Q trunks for the APs, carrying inside (2) and guest (3). The
! "native vlan 2" line is added so the AP's untagged management traffic
! lands on inside; the 5505 default native VLAN is 1 (outside here).
interface Ethernet0/6
 description Trunk Port for Wireless AP
 switchport trunk allowed vlan 2,3
 switchport trunk native vlan 2
 switchport mode trunk
!
interface Ethernet0/7
 description Trunk Port for Wireless AP
 switchport trunk allowed vlan 2,3
 switchport trunk native vlan 2
 switchport mode trunk
!
dhcpd address 192.168.1.100-192.168.1.200 GUEST
dhcpd enable GUEST
!
! Pre-8.3 NAT. "global (outside) 1 interface" is what nat-id 1 PATs to;
! most 5505s already have it, so re-entering it is harmless.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (GUEST) 1 192.168.1.0 255.255.255.0

The “interface Vlan3” section defines the GUEST VLAN; the two “interface Ethernet0/*” sections turn the two PoE ports into 802.1Q trunks that carry VLANs 2 and 3 (inside and guest); and the dhcpd commands enable DHCP on the guest VLAN with a 192.168.1.100-200 range (101 clients, just in case the Dalmatians want to use their laptops). Two things to check here. First, the trunk’s native VLAN: an Aironet AP sends its own management traffic untagged, so the native VLAN on the ASA trunk port must be the VLAN you want the AP managed from (the 5505 defaults to VLAN 1, which in this layout is outside). Second, the DHCP pool size: the 5505 caps the number of addresses in a pool according to the host license, so a large guest pool is one more reason for the unlimited-hosts license. If your APs are connected to switches rather than directly to the ASA, the ASA still needs the Vlan3, NAT and dhcpd commands, but the trunk-port configuration moves to the switch: define VLANs 2 and 3 there and make the ports facing the APs (and the port facing the ASA) 802.1Q trunks that allow both.
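The AP side, which the post covers in one sentence, as an added example for an autonomous Aironet (IOS) AP. This is not configuration from the original post or from the author’s APs; it assumes VLAN 2 is inside and also the AP’s native (management) VLAN, matching “switchport trunk native vlan 2” on the ASA trunk ports, VLAN 3 is GUEST, and the SSID names and the WPA2 key are placeholders to be replaced.

```cisco
! Added example (not from the original post): autonomous Aironet IOS AP
! with one SSID per VLAN. Assumes VLAN 2 = inside and the AP's native
! (management) VLAN, VLAN 3 = GUEST; SSID names and the PSK are placeholders.
!
! Employee SSID: WPA2 with AES and a pre-shared key, mapped to VLAN 2.
dot11 ssid CORP
 vlan 2
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 ChangeMeCorpKey
!
! Guest SSID: open, mapped to VLAN 3. "guest-mode" makes it the SSID the
! radio broadcasts (only one SSID is broadcast unless you enable mbssid).
dot11 ssid GUEST
 vlan 3
 authentication open
 guest-mode
!
interface Dot11Radio0
 encryption vlan 2 mode ciphers aes-ccm
 ssid CORP
 ssid GUEST
 no shutdown
!
! One dot1Q subinterface per VLAN on the radio and on the Ethernet uplink,
! joined by a bridge group. The native VLAN uses bridge-group 1 (BVI1, the
! AP's management address) and must match "switchport trunk native vlan 2"
! on the ASA trunk port, or the AP becomes unreachable for management.
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 bridge-group 1
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 bridge-group 1
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 bridge-group 3
```

To check it, associate a laptop with GUEST and run “show dot11 associations” and “show vlans” on the AP: the client should appear under VLAN 3 and receive a 192.168.1.x lease from the ASA, while the AP itself still answers on its BVI1 address in VLAN 2.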

Oh, and if you’re like me and use ASDM more often than the command line, you can copy and paste the entire block above into the Tools > Command Line Interface > Multiple Commands option.

That’s it. The security levels do the isolation: the ASA’s implicit rule allows connections from a higher-security interface to a lower one and denies the reverse, so with Inside at 100, GUEST at 50 and outside at 0, guests can reach the Internet, inside users can reach the guest VLAN, and guests cannot initiate anything toward inside. (Give GUEST the same level as another interface and nothing passes between the two unless you enable same-security-traffic.) The ASA does not write any access lists for you, and that matters: as soon as you apply an access-group to the GUEST interface, the implicit rule no longer applies and the ACL alone decides, so a “permit ip any any” on GUEST quietly opens inside to every visitor. If you do need a guest ACL (to block peer-to-peer ports, say), start it with an explicit deny toward your inside subnets. Any specialized needs beyond that are up to you.
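The guest ACL caveat in concrete form, as an added example that is not configuration from the original post. It assumes the post’s layout (Vlan1 outside, Vlan2 inside, Vlan3 GUEST on 192.168.1.0/24), the pre-8.3 NAT syntax used on this page, an inside subnet of 10.0.0.0/24 and 8.8.8.8/8.8.4.4 as stand-in public resolvers; the object-group and ACL names are my own.

```cisco
! Added example, not the original post's config. Assumes Vlan1 outside
! (security 0), Vlan2 inside (100, 10.0.0.0/24 placeholder), Vlan3 GUEST
! (50, 192.168.1.0/24) and pre-8.3 NAT syntax, as on the page.
!
! WEAK: the usual "open everything" reaction when guests cannot get out.
! Applying any ACL to the GUEST interface replaces the implicit
! security-level rule, so this one line lets a guest laptop reach every
! inside host directly.
access-list GUEST_open extended permit ip any any
access-group GUEST_open in interface GUEST
!
! HARDENED: only one ACL per interface and direction, so applying GUEST_in
! below replaces GUEST_open. Deny the private ranges first, then permit
! the Internet.
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
access-list GUEST_in extended deny ip 192.168.1.0 255.255.255.0 object-group RFC1918
access-list GUEST_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group GUEST_in in interface GUEST
!
! PAT both subnets behind the outside address. Without a nat line for
! GUEST that matches the global, guests get DHCP leases but no Internet
! (the symptom in the comments below).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (GUEST) 1 192.168.1.0 255.255.255.0
!
! Hand guests a public resolver rather than the inside DNS server or
! domain controller, which the deny line above blocks anyway.
dhcpd address 192.168.1.100-192.168.1.200 GUEST
dhcpd dns 8.8.8.8 8.8.4.4 interface GUEST
dhcpd enable GUEST
```

Verify before trusting it: “packet-tracer input GUEST tcp 192.168.1.101 40000 10.0.0.10 445” should end in a drop at the access-list phase, “packet-tracer input GUEST tcp 192.168.1.101 40000 203.0.113.10 80” should be allowed and show the outside PAT translation, and “show access-list GUEST_in” should show hit counts climbing on the deny line when a guest tries to reach inside.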

5 Responses to “Cisco ASA Configurations for Newbies : Enabling “Guest” VLANs”

  1. On May 21st, 2009 at 11:22 AM amm wrote:

    Thanks for posting this. I’ve tried setting this up for a consulting gig I’m doing and have also tested with an ASA 5505 I have at home. Granted, I don’t have the Security+ license on either ASA, but in my case I shouldn’t need it, at least I don’t think so, since I only care about VLAN 3 being set up for one guest wireless network, so I don’t need to assign multiple VLANs to the switch ports. I don’t need inside users to access the APs.

    Any client, whether wired or wireless, connecting on VLAN 3 ports receives a DHCP-provided address, but they can’t get out to the Internet, can’t get to websites, etc. Based on your post and Cisco documentation this should work. Help! What am I missing here? I’ve posted the config for your reference. Yes, you’ll probably see some access rules that are unnecessary, but I was trying to open things up in my frustration. Thanks.

    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname NPAP-ASA
    domain-name default.domain.invalid
    enable password wrHx06yEpLqMHfuS encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.13.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Vlan3
    no forward interface Vlan1
    nameif GUEST
    security-level 50
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    switchport access vlan 3
    !
    interface Ethernet0/5
    switchport access vlan 3
    !
    interface Ethernet0/6
    switchport access vlan 3
    !
    interface Ethernet0/7
    switchport access vlan 3
    !
    passwd wrHx06yEpLqMHfuS encrypted
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup GUEST
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list inside_access_out remark allow ping from inside out
    access-list inside_access_out extended permit icmp any any
    access-list outside_access_in remark allow echo reply from outside
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list GUEST_access_out extended permit icmp any any
    access-list GUEST_access_out_1 remark guest to outside any any 5/9
    access-list GUEST_access_out_1 extended permit ip any any
    access-list GUEST_access_out_1 remark icmp any any outgoing 5/9
    access-list GUEST_access_out_1 extended permit icmp any any
    access-list GUEST_access_in remark icmp any any incoming 5/9
    access-list GUEST_access_in extended permit icmp any any
    access-list GUEST_access_in remark ip any any incoming 5/9
    access-list GUEST_access_in extended permit ip any any
    access-list GUEST_access_in remark guest incoming interface any icmp 5/9
    access-list GUEST_access_in extended permit icmp interface GUEST any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu GUEST 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3389 192.168.13.20 3389 netmask 255.255.255.255
    access-group inside_access_out out interface inside
    access-group outside_access_in in interface outside
    access-group GUEST_access_in in interface GUEST
    access-group GUEST_access_out_1 out interface GUEST
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.13.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh 24.213.161.80 255.255.255.255 outside
    ssh timeout 5
    console timeout 2
    dhcpd auto_config outside
    !
    dhcpd address 192.168.13.21-192.168.13.100 inside
    dhcpd enable inside
    !
    dhcpd address 192.168.1.10-192.168.1.110 GUEST
    dhcpd enable GUEST
    !
    class-map GUEST-class
    match any
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    policy-map GUEST-policy
    class GUEST-class
    inspect dns
    !
    service-policy global_policy global
    service-policy GUEST-policy interface GUEST
    prompt hostname context
    Cryptochecksum:ee5ed32b894e16915ff00256476d3ea7
    : end

  2. On May 21st, 2009 at 6:48 PM Aaron Hall wrote:

    The problem might have more to do with licensing than with configuration. Without the Security+ license mode enabled, the only way to enable Vlan3 is to configure Vlan3 as DMZ mode (which you may realize leaves it wide open).

  3. On June 1st, 2009 at 1:20 PM Brett wrote:

    Looks like you need another NAT statement for the Guest network.

    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (GUEST) 1 192.168.1.1 255.255.255.0

  4. On June 1st, 2009 at 1:20 PM Brett wrote:

    Typo... make that

    nat (GUEST) 1 192.168.1.0 255.255.255.0

  5. On June 19th, 2009 at 8:54 AM Aaron Hall wrote:

    Thanks for the correction, I’ve updated the original post!