Hello,
I'm trying to set up two SSIDs on my 1140 Aironets that will allow me to have both a secure, internal WLAN and a guest WLAN. Right now, the WLAN works for guest access to the Internet only, using SSID LBBWireless. I took over at this position from someone who didn't know the ASA needed the Security Plus license, so that was how it was set up. The Aironets are connected to Ethernet0/6 and Ethernet0/7 using PoE to power them.
My goal is to have the following SSIDs on the Aironets:
LBBWireless - Internal and Internet Access
LBBWireless(Guest) - Internet Access only
Being kind of new to the ASA, I need some help. I figure it has something to do with the access rules and native VLAN on the switchports, but I'm a bit lost. Here are parts of the configs:
ASA:
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 69.64.233.2 255.255.255.240
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.192
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
speed 100
duplex full
shutdown
!
interface Ethernet0/3
speed 100
duplex full
shutdown
!
interface Ethernet0/4
switchport access vlan 3
speed 100
duplex full
!
interface Ethernet0/5
switchport access vlan 3
speed 100
duplex full
!
interface Ethernet0/6
switchport access vlan 3
switchport trunk allowed vlan 1,3
switchport trunk native vlan 3
switchport mode trunk
!
interface Ethernet0/7
switchport access vlan 3
switchport trunk allowed vlan 1,3
switchport trunk native vlan 3
switchport mode trunk
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name lbb.net
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list outside_access_in extended deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 127.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
access-list outside_access_in extended permit tcp any gt 1023 host 69.64.233.2 eq smtp
access-list outside_access_in extended permit tcp any gt 1023 host 69.64.233.2 eq www
access-list outside_access_in extended permit tcp any gt 1023 host 69.64.233.2 eq https
access-list outside_access_in extended permit tcp any gt 1023 host 69.64.233.2 eq 3389
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp host 10.0.0.16 gt 1023 any eq smtp
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 127.0.0.0 255.0.0.0
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_access_in extended deny tcp 10.0.0.0 255.255.255.0 any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp 10.0.0.0 255.255.255.0 any echo
access-list inside_access_in extended deny ip any any
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.192 10.0.0.0 255.0.0.0
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.192 127.0.0.0 255.0.0.0
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.192 172.16.0.0 255.240.0.0
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.192 192.168.0.0 255.255.0.0
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp 192.168.1.0 255.255.255.192 any echo
access-list dmz_access_in extended deny ip any any
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-524.bin
asdm location 10.0.0.16 255.255.255.255 inside
asdm location 10.0.0.7 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.192
static (inside,outside) tcp interface smtp 10.0.0.16 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.16 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.0.0.7 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
Aironet:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap-se.lbb.net
!
logging buffered 8192 debugging
enable secret 5 $1$UO5E$xBbSrVDEBSRyvrJpoCKYd.
!
no aaa new-model
!
!
dot11 syslog
dot11 vlan-name GuestAccess vlan 3
dot11 vlan-name InternalAccess vlan 1
!
dot11 ssid LBBWireless
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 0205545505550C350D
!
dot11 ssid LBBWireless(Guest)
vlan 3
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 020A244C12551D320D
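The access-list lines above, run through a small first-match evaluator (an added example, not code from the post or from Cisco) to confirm that a guest client on VLAN 3 (the dmz interface) is denied to the inside LAN while still reaching the Internet, and that the inside SMTP restriction behaves as written; the client addresses 192.168.1.10, 10.0.0.20 and 198.51.100.7 are constructed.

```python
# Added example, not from the post: first-match evaluator for the ASA access-lists
# quoted above; shows the guest VLAN (dmz) is cut off from inside but reaches the Internet.
import ipaddress
# Constructed subset of the page's own access-list lines, in original order.
ACL_TEXT = """
access-list inside_access_in extended permit tcp host 10.0.0.16 gt 1023 any eq smtp
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_access_in extended deny tcp 10.0.0.0 255.255.255.0 any eq smtp
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.192 10.0.0.0 255.0.0.0
access-list dmz_access_in extended permit ip any any
"""
PORTS = {"smtp": 25, "www": 80, "https": 443}
OPS = {"eq": int.__eq__, "gt": int.__gt__, "lt": int.__lt__}

def _addr(t, i):
    """'any', 'host A' or 'A MASK' at t[i]; ASA ACLs use real netmasks, not wildcards."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(t[i] + "/" + t[i + 1]), i + 2

def _port(t, i):
    """Optional 'eq|gt|lt PORT' qualifier -> ((cmp, port) or None, next index)."""
    if i < len(t) and t[i] in OPS:
        p = t[i + 1]
        return (OPS[t[i]], PORTS.get(p, int(p) if p.isdigit() else 0)), i + 2
    return None, i

def parse_acls(text):
    """Group entries by ACL name, keeping order: on the ASA, order is the policy."""
    acls = {}
    for t in (ln.split() for ln in text.strip().splitlines()):
        src, i = _addr(t, 5)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        acls.setdefault(t[1], []).append((t[3], t[4], src, sport, dst, dport))
    return acls

def evaluate(acl, proto, src, dst, sport=40000, dport=0):
    """First matching entry wins; the ASA ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, sp, dn, dp in acl:
        if (p in ("ip", proto) and s in sn and d in dn
                and (sp is None or sp[0](sport, sp[1]))
                and (dp is None or dp[0](dport, dp[1]))):
            return action
    return "deny"
```

Note that the same evaluator shows the inside LAN is also denied to the dmz subnet by the 192.168.0.0/16 entry, so an internal client cannot reach the guest VLAN either.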