Comments on: Cisco ASA Configurations for Newbies : Enabling “Guest” VLAN’s http://www.aaronhall.net/cisco-asa-configurations-for-newbies-enabling-guest-vlans.html Someday, bringing GoodThings2Life will become a Paradigm! Wed, 03 Feb 2010 23:54:55 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Aaron Hall http://www.aaronhall.net/cisco-asa-configurations-for-newbies-enabling-guest-vlans.html/comment-page-1#comment-18 Aaron Hall Fri, 19 Jun 2009 13:54:20 +0000 https://www.aaronhall.net/cisco-asa-configurations-for-newbies-enabling-guest-vlans.html#comment-18 Thanks for the correction, I've updated the original post! Thanks for the correction, I’ve updated the original post!

]]> By: Brett http://www.aaronhall.net/cisco-asa-configurations-for-newbies-enabling-guest-vlans.html/comment-page-1#comment-17 Brett Mon, 01 Jun 2009 18:20:49 +0000 https://www.aaronhall.net/cisco-asa-configurations-for-newbies-enabling-guest-vlans.html#comment-17 Typo.. make that nat (GUEST) 1 192.168.1.0 255.255.255.0 Typo.. make that

nat (GUEST) 1 192.168.1.0 255.255.255.0

]]> By: Brett http://www.aaronhall.net/cisco-asa-configurations-for-newbies-enabling-guest-vlans.html/comment-page-1#comment-16 Brett Mon, 01 Jun 2009 18:20:06 +0000 https://www.aaronhall.net/cisco-asa-configurations-for-newbies-enabling-guest-vlans.html#comment-16 Looks like you need another NAT statement for the Guest network. nat (inside) 1 0.0.0.0 0.0.0.0 nat (GUEST) 1 192.168.1.1 255.255.255.0 Looks like you need another NAT statement for the Guest network.

nat (inside) 1 0.0.0.0 0.0.0.0
nat (GUEST) 1 192.168.1.1 255.255.255.0

]]> By: Aaron Hall http://www.aaronhall.net/cisco-asa-configurations-for-newbies-enabling-guest-vlans.html/comment-page-1#comment-15 Aaron Hall Thu, 21 May 2009 23:48:06 +0000 https://www.aaronhall.net/cisco-asa-configurations-for-newbies-enabling-guest-vlans.html#comment-15 The problem might have more to do with licensing than with configuration. Without the Security+ license mode enabled, the only way to enable Vlan3 is to configure Vlan3 as DMZ mode (which you may realize leaves it wide open). The problem might have more to do with licensing than with configuration. Without the Security+ license mode enabled, the only way to enable Vlan3 is to configure Vlan3 as DMZ mode (which you may realize leaves it wide open).

]]> By: amm http://www.aaronhall.net/cisco-asa-configurations-for-newbies-enabling-guest-vlans.html/comment-page-1#comment-14 amm Thu, 21 May 2009 16:22:25 +0000 https://www.aaronhall.net/cisco-asa-configurations-for-newbies-enabling-guest-vlans.html#comment-14 Thanks for posting this, I've tried setting this up for a consulting gig I'm doing and have also tested with an asa 5505 I have at home. Granted, I don't have the security+ license on either asa but in my case I shouldn't need it, at least I don't think so since I only care about vlan3 being setup for 1 guest wireless network so I don't need to assign multiple vlans to the switchports. I don't need Inside users to access the ap's. Any client whether wired or wireless connecting on vlan3 ports receives dhcp provided address but they can't get out to the internet, can't get to websites, etc. Based on your post and Cisco documentation this should work. Help! What am I missing here. I've posted the config. for your reference. Yes, you'll probably see some access rules that are unnecessary but I was trying to open things up in my frustration. Thanks. : Saved : ASA Version 7.2(2) ! hostname NPAP-ASA domain-name default.domain.invalid enable password wrHx06yEpLqMHfuS encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 192.168.13.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address dhcp setroute ! interface Vlan3 no forward interface Vlan1 nameif GUEST security-level 50 ip address 192.168.1.1 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 switchport access vlan 3 ! interface Ethernet0/5 switchport access vlan 3 ! interface Ethernet0/6 switchport access vlan 3 ! interface Ethernet0/7 switchport access vlan 3 ! passwd wrHx06yEpLqMHfuS encrypted ftp mode passive clock timezone EST -5 clock summer-time EDT recurring dns domain-lookup GUEST dns server-group DefaultDNS domain-name default.domain.invalid access-list inside_access_out remark allow ping from inside out access-list inside_access_out extended permit icmp any any access-list outside_access_in remark allow echo reply from outside access-list outside_access_in extended permit icmp any any echo-reply access-list outside_access_in extended permit tcp any interface outside eq 3389 access-list GUEST_access_out extended permit icmp any any access-list GUEST_access_out_1 remark guest to outside any any 5/9 access-list GUEST_access_out_1 extended permit ip any any access-list GUEST_access_out_1 remark icmp any any outgoing 5/9 access-list GUEST_access_out_1 extended permit icmp any any access-list GUEST_access_in remark icmp any any incoming 5/9 access-list GUEST_access_in extended permit icmp any any access-list GUEST_access_in remark ip any any incoming 5/9 access-list GUEST_access_in extended permit ip any any access-list GUEST_access_in remark guest incoming interface any icmp 5/9 access-list GUEST_access_in extended permit icmp interface GUEST any pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 mtu GUEST 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-522.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface 3389 192.168.13.20 3389 netmask 255.255.255.255 access-group inside_access_out out interface inside access-group outside_access_in in interface outside access-group GUEST_access_in in interface GUEST access-group GUEST_access_out_1 out interface GUEST timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute http server enable http 192.168.13.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet timeout 5 ssh 24.213.161.80 255.255.255.255 outside ssh timeout 5 console timeout 2 dhcpd auto_config outside ! dhcpd address 192.168.13.21-192.168.13.100 inside dhcpd enable inside ! dhcpd address 192.168.1.10-192.168.1.110 GUEST dhcpd enable GUEST ! ! class-map GUEST-class match any class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp policy-map GUEST-policy class GUEST-class inspect dns ! service-policy global_policy global service-policy GUEST-policy interface GUEST prompt hostname context Cryptochecksum:ee5ed32b894e16915ff00256476d3ea7 : end asdm image disk0:/asdm-522.bin no asdm history enable Thanks for posting this, I’ve tried setting this up for a consulting gig I’m doing and have also tested with an asa 5505 I have at home. Granted, I don’t have the security+ license on either asa but in my case I shouldn’t need it, at least I don’t think so since I only care about vlan3 being setup for 1 guest wireless network so I don’t need to assign multiple vlans to the switchports. I don’t need Inside users to access the ap’s.

Any client whether wired or wireless connecting on vlan3 ports receives dhcp provided address but they can’t get out to the internet, can’t get to websites, etc. Based on your post and Cisco documentation this should work. Help! What am I missing here. I’ve posted the config. for your reference. Yes, you’ll probably see some access rules that are unnecessary but I was trying to open things up in my frustration. Thanks.

: Saved
:
ASA Version 7.2(2)
!
hostname NPAP-ASA
domain-name default.domain.invalid
enable password wrHx06yEpLqMHfuS encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.13.1 255.255.255.0

!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute

!
interface Vlan3
no forward interface Vlan1
nameif GUEST
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd wrHx06yEpLqMHfuS encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup GUEST
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_access_out remark allow ping from inside out
access-list inside_access_out extended permit icmp any any
access-list outside_access_in remark allow echo reply from outside
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list GUEST_access_out extended permit icmp any any
access-list GUEST_access_out_1 remark guest to outside any any 5/9
access-list GUEST_access_out_1 extended permit ip any any
access-list GUEST_access_out_1 remark icmp any any outgoing 5/9
access-list GUEST_access_out_1 extended permit icmp any any
access-list GUEST_access_in remark icmp any any incoming 5/9
access-list GUEST_access_in extended permit icmp any any
access-list GUEST_access_in remark ip any any incoming 5/9
access-list GUEST_access_in extended permit ip any any
access-list GUEST_access_in remark guest incoming interface any icmp 5/9
access-list GUEST_access_in extended permit icmp interface GUEST any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu GUEST 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.13.20 3389 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group GUEST_access_in in interface GUEST
access-group GUEST_access_out_1 out interface GUEST
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 24.213.161.80 255.255.255.255 outside
ssh timeout 5
console timeout 2
dhcpd auto_config outside
!
dhcpd address 192.168.13.21-192.168.13.100 inside
dhcpd enable inside
!
dhcpd address 192.168.1.10-192.168.1.110 GUEST
dhcpd enable GUEST
!

!
class-map GUEST-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map GUEST-policy
class GUEST-class
inspect dns
!
service-policy global_policy global
service-policy GUEST-policy interface GUEST
prompt hostname context
Cryptochecksum:ee5ed32b894e16915ff00256476d3ea7
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

]]>