Allow guest internet access 2

fs483

Technical User
Jul 7, 2002
Hello,

I'm wondering if the following is possible :

Would like to allow guest laptops Internet access while isolating their traffic from the corporate LAN. Currently in place: an ASA5510 with an HP ProCurve switch that supports VLANs and a couple of Windows servers. The Windows servers do DHCP and DNS. How would I allow Internet access to guest laptops? Is it possible to enable DHCP on one of the interfaces of the ASA5510? If that would work, I can connect a laptop directly to that port and supply Internet access. A switch would be added if more than 1 guest.

Now let's say those guest laptops would have to be connected to the main switch; I'm wondering if it's possible to make the switch recognize a guest laptop from a trusted laptop. I believe that's where VLAN and MAC security would be involved. If the switch recognizes a trusted MAC address, it would have to tell it to go to the Windows server DHCP, but if the MAC is unrecognized, it would send it to the DHCP of the ASA...

In other setups, I would allow guest Internet access by putting a switch after the ISP modem. I would then connect the ASA to the switch and a cheap Linksys router to the switch. The rest of the corporate network would be under the ASA and the guests would connect to the Linksys router; however, it has happened before that some employees would allow guest laptops to be connected into ports that were for trusted devices. I know part is employee education, but I want to completely avoid the possibility of a guest laptop accidentally connecting to the corporate side of the network, and I don't want to add a switch + Linksys router.

Thanks,
fs483
 
Absolutely; 802.1x is your friend here. Rather than write up a huge drawn out solution here, I'll defer to HP's documentation that goes in depth:



I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I agree that the 802.1x solution is by far the coolest, most appropriate solution, but is it practical for your time and budget? How secure do you need it? An easy solution is to do a separate VLAN and just throw up a wireless AP to connect to. Secured traffic from your internal network, no headaches, much less time, cash and setup.

802.1x is super sexy but if you aren't a network geek (and sometimes even if you are) it can be a huge mountain to scale and it takes a fair amount of time to implement.

Both solutions will work just fine. Just my 2 cents.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I totally agree with you Brent. I mean, that's the beauty of this stuff, right? There's almost always two or more good ways to solve a problem.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks guys, I'll have a look at the document.

Now let's say I would go with the VLAN route, how would I go about doing it? I keep on seeing that Inter-VLAN communication requires a router. In my case, would I need a router?

We'll start simple: suppose I want to only hook up one device directly to one port behind the ASA, no switches involved.

Regards,
fs483
 
The ASA will function as the router.
For a single port you can just follow the regular DMZ setup and it will work:
Interface/DMZ setup -
DHCP server -

Now this easily extends to running the DMZ through a switch and getting extra ports, or you can run everything through your ProCurve (hard coding switch ports to VLANs) and then either trunk it to the ASA or have separate ports on the ASA control separate VLANs.

Now setting up 802.1x takes an AAA server and having the switch communicate with it:

Procurve setup -
Windows Setup -
See how messy this gets...

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks Supergrrover. I'll give it a try next time I'm onsite. An AAA server would be too much for my needs. If I were to run the single DMZ port through my ProCurve, then that would mean I would have both a patch cable from the inside interface and the DMZ-assigned interface of the ASA into the ProCurve, right? Suppose the inside interface of the ASA is connected to Port 1 of the ProCurve and the DMZ interface of the ASA is connected to Port 2; then I would have to create a different VLAN for Port 2 (and any other port from which guest laptops would connect), right? I can leave Port 1 of the ProCurve on the default VLAN?

To make matters more complicated, we will be adding an Asterisk system soon, and the phones will need to be on a different VLAN and will be using the same shared cable as the trusted PCs. Now that gets me thinking: if I put the guest laptops in the DMZ, will the phones that are connected to those jacks still work?

Thanks,
fs483
 
Yes, you need to create a new VLAN for "GUEST".
Yes, you ~could~ use a separate physical interface to carry this new VLAN to where it is needed.
Alternatively, you can trunk this new VLAN off the ASA on its existing link to the HP switch. To do this, configure your ASA interface with sub-interfaces, one for each VLAN. (Create your new "VOICE" VLAN while you are at it.)
On your HP switch, create each new VLAN and then add it as "tagged" to the switch uplink port.
Then, on the HP switch, configure one port to be "untagged" in the "GUEST" VLAN (changed from its existing "untagged" in VLAN 1).

To add a "VOICE" VLAN to each of your switch ports, configure each of them with "VOICE" VLAN "tagged" (in addition to their existing "untagged" VLAN). As you will see, it doesn't matter what VLAN is "untagged" on each port so the answer is "YES", you can trunk the "VOICE" VLAN down each edge cable regardless of whether it is on your normal LAN or "GUEST" VLAN.
 
Thanks VinceWhirlwind. I think I'll do some tests on an ASA5505 and a Cisco 2924 that I have on my test bench before trying on the production systems.

FS483
 
Trunking multiple VLANs ASA5505<-->Cisco2924 is a bit different (and easier) than doing it between ASA5510<-->HP switch.


Instead of configuring subinterfaces, on the 5505 you configure VLAN interfaces, something like this, off the top of my head:
interface Vlan3
 description GUEST
 nameif guest
 security-level 10
 ip address 10.1.3.1 255.255.255.0
 no shutdown
interface Vlan5
 description VOICE
 nameif voice
 security-level 50
 ip address 10.1.5.1 255.255.255.0
 no shutdown

On these devices, the physical interface VLAN configuration for the uplink between ASA & switch is essentially the same on each side:
! ASA 5505 side: the 5505's switch ports are Ethernet0/0-0/7; a trunk port needs its allowed-VLAN list
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 3,5
 no shutdown

! Catalyst 2924 side: uplink port
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk

 
If you want vlans trunked on the asa you need sub-interfaces. For the 5510 you will want this -

Be aware that it will be a choke point if you want to have traffic between the vlans. Also pay attention to the untagged packet warning for the physical interface.

Brent
Systems Engineer / Consultant
CCNP, CCSP
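The trunk-and-sub-interface design VinceWhirlwind and Brent describe for the ASA5510/ProCurve pair, written out as an added example (this is not configuration from any poster in this thread). It assumes Ethernet0/1 is the ASA's link to the ProCurve, port 1 on the ProCurve is that uplink, ports 2-4 are guest jacks, the 10.1.x.0/24 addressing from the 5505 sketch, and 192.0.2.53 as a placeholder for the ISP's DNS resolver.

```text
! ===== Cisco ASA 5510: one 802.1Q trunk to the ProCurve, one sub-interface per VLAN =====
! Assumed values: Ethernet0/1 = uplink, VLAN 1 = inside 10.1.1.0/24,
! VLAN 3 = GUEST 10.1.3.0/24, VLAN 5 = VOICE 10.1.5.0/24.
interface Ethernet0/1
 no nameif
 no shutdown
! No nameif on the physical interface, so untagged frames on the trunk are dropped (Brent's warning).
interface Ethernet0/1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1.3
 vlan 3
 nameif guest
 security-level 10
 ip address 10.1.3.1 255.255.255.0
interface Ethernet0/1.5
 vlan 5
 nameif voice
 security-level 50
 ip address 10.1.5.1 255.255.255.0
! The ASA leases guest addresses itself, so guests never touch the Windows DHCP/DNS (192.0.2.53 = placeholder resolver).
dhcpd address 10.1.3.50-10.1.3.200 guest
dhcpd dns 192.0.2.53 interface guest
dhcpd enable guest
! Security levels already block guest->inside and guest->voice; this ACL makes the isolation explicit.
access-list GUEST_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list GUEST_IN extended deny ip any 172.16.0.0 255.240.0.0
access-list GUEST_IN extended deny ip any 192.168.0.0 255.255.0.0
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest

; ===== HP ProCurve: port 1 = uplink to the ASA, ports 2-4 = guest jacks =====
; Every VLAN, VLAN 1 included, must be tagged toward the ASA: a sub-interface only reads tagged frames.
vlan 1
   tagged 1
   exit
vlan 3
   name "GUEST"
   tagged 1
   untagged 2-4
   exit
vlan 5
   name "VOICE"
   tagged 1-24
   exit
; Ports 2-4 were untagged in VLAN 1; "untagged 2-4" under VLAN 3 moves them, since a port
; can be untagged in only one VLAN. VOICE rides tagged on every edge port regardless.
```

NAT for the guest subnet toward the outside interface is left out, since its syntax depends on the ASA software version in use.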
 