Cisco Aironet Multiple SSID & PIX VLANs


dave2korg (IS-IT--Management), Feb 25, 2006
Hey all,

This is a 2-part question. I have 2 Cisco Aironet 1130AG (A/B/G) access points that I want to set up in this way:

Both broadcast 2 SSIDs, which are set up on 2 different VLANs: one for a secured network (internal employees), which would have access to internal servers and services, and a second SSID where anyone connected would ONLY have access to outside internet access (for contractors, visitors, and temps).

I have already set up the VLANs on both the PIX firewall (new interface) and on the access points. I have created different SSIDs and associated them with each separate VLAN. I can get internet access through both SSIDs, so I know the VLANs are configured at least minimally.

My problem is, it seems that I am only broadcasting 1 SSID at a time. In my lab, on one laptop I will see the default SSID, and on another I will only see the second SSID. Is there a way I can test and make sure both are broadcasting? I have been in the web interface for approx. 3 hours already looking anywhere for an option.

I remember reading somewhere that you can only broadcast 1 SSID per radio channel, and that I would need to set each SSID to broadcast on a separate radio frequency channel. Is this true, and if so, where do I go to change that?

David McKissic
A+, Net+, i-net+, CCNA, CNE, CNA
Dell, Compaq, IBM, HP
Network Administrator
 
Make sure that you have checked the Multiple BSSID box under Services > Guest Mode/Infrastructure SSID Settings on the AP. This check box may not be there if your code is older than 12.3(7)JA1.
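As an added example (not configuration from either poster), here is the CLI equivalent of that checkbox for an Aironet 1130AG running 12.3(7)JA or later, with both SSIDs beaconed as separate BSSIDs and mapped to the VLAN IDs that appear in the PIX config later in the thread (44 secure, 42 public). The SSID names, the RADIUS server address and shared secret, the BVI address, the native VLAN and the use of 802.1X/WPA on the secure SSID are assumptions made for illustration.

```cisco
! Added example, not from the thread. Aironet 1130AG, IOS 12.3(7)JA or later.
! Assumed values: SSID names, RADIUS server 192.168.1.10 and its key,
! management address 192.168.1.50, native VLAN 1.
aaa new-model
aaa group server radius rad_eap
 server 192.168.1.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key CHANGE-ME
!
! Secure SSID: 802.1X/EAP with WPA key management, tagged into VLAN 44.
! "mbssid guest-mode" is what puts this SSID's BSSID into beacons; an SSID
! without it is not advertised, which matches the one-SSID-visible symptom.
dot11 ssid CorpSecure
 vlan 44
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
!
! Guest SSID: open, tagged into VLAN 42 (the PIX ACL does the isolation)
dot11 ssid Guest
 vlan 42
 authentication open
 mbssid guest-mode
!
interface Dot11Radio0
 no shutdown
 mbssid
 encryption vlan 44 mode ciphers aes-ccm
 ssid CorpSecure
 ssid Guest
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.44
 encapsulation dot1Q 44
 bridge-group 44
interface Dot11Radio0.42
 encapsulation dot1Q 42
 bridge-group 42
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.44
 encapsulation dot1Q 44
 bridge-group 44
interface FastEthernet0.42
 encapsulation dot1Q 42
 bridge-group 42
!
interface BVI1
 ip address 192.168.1.50 255.255.255.0
```

Repeat the Dot11Radio0 and Dot11Radio0.x lines for Dot11Radio1 if the 802.11a radio should carry both SSIDs as well. `show dot11 bssid` lists one BSSID per advertised SSID per radio; if only one row appears, the missing SSID lacks `mbssid guest-mode`. Do this on every AP, since each AP beacons independently.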
 
Thanks for the quick reply. I checked my access point and this is what I see; can you verify with me those above steps relating to these photos?

This is my software version:

Although I couldn't find what you were referring to at the location you provided, I did find it under Security --> SSID Manager.
Set it as Guest Mode here? What exactly will that do?

This is my configuration from the top of the same page.

David McKissic
 
It looks good to me. I don't know why the other SSID isn't broadcasting. I have almost exactly the configuration you are trying to do, and it works fine.
 
Okay, I figured out that the problem was that the second AP in the building wasn't set as guest mode for the 2nd BSSID.

2nd part of this problem: I need to configure the public VLAN to restrict access to internal servers, so that it would only have internet access. Does anyone know an easy way to do this? (Please keep in mind I am not a Cisco guru.)

David McKissic
 
What kind of firewall or router are you running? There are many ways to skin this cat.
 
Cisco 3845 Router -> Mated PIX 515E -> Dell Gigabit Eth switch -> Cisco Aironet AP

The Aironet plugs directly into one of my gigabit switches, which have all been configured to pass VLAN tags.

David McKissic
 
Brent,

I have already done this. There are two logical VLANs configured on the inside interface.

They are named WirelessSec and WirelessPub, each with corresponding VLAN IDs.

David McKissic
 
What security levels did you assign?
Can you post a config for the PIX?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Result of the command: "show running-config"

: Saved
:
PIX Version 7.2(1)
!
hostname pixfirewall
domain-name ************llc.com
enable password *************** encrypted
names

!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.128 standby xxx.xxx.xxx.yyy
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
!
interface Ethernet1.1
vlan 44
nameif wirelessSec
security-level 98
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet1.2
vlan 42
nameif wirelessPub
security-level 3
ip address 10.10.5.1 255.255.255.0
!
interface Ethernet2
nameif intf2
security-level 4
ip address 192.168.4.1 255.255.255.0 standby 192.168.4.254
!
passwd *************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name ************llc.com
access-list intf2_access_in extended permit icmp any any
access-list intf2_access_in extended permit tcp host xxxxx host xxxxxxxxx eq 1433
access-list intf2_access_in extended permit tcp object-group xxxxxxxxxx object-group xxxxxxxxx_ref eq 1433
access-list intf2_access_in extended permit tcp object-group xxxxxxxxxx host xxxxxxxxxxxxx eq www
access-list intf2_access_in extended permit tcp object-group xxxxxxxxxx host xxxxxx eq 1433
access-list intf2_access_in extended permit udp any object-group xxxxxxxxxxxxx eq domain
access-list intf2_access_in extended permit tcp any object-group xxxxxxxxxxxxx eq domain
access-list intf2_access_in extended permit tcp host xxxxxx host xxxxxxxxxx eq smtp
access-list intf2_access_in extended permit tcp host xxxxxxxxxxxxxxx object-group DomainServers_ref object-group DomainPortsTCP
access-list intf2_access_in extended permit udp host xxxxxxxxxxxxxxx object-group DomainServers_ref object-group DomainPortsUDP
access-list intf2_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list intf2_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list inside_outbound_nat0_acl extended permit ip any 192.168.1.0 255.255.255.0
access-list Default_splitTunnelAcl standard permit any
access-list ************_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list ************_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.64 255.255.255.192
access-list inside_access_out extended permit icmp any any
access-list inside_access_out remark Allow SMTP, HTTP, HTTPS, FTP to xxxxxxxxxxxxx
access-list inside_access_out extended permit tcp any host xxxxxxxxxxxx object-group xxxx
access-list inside_access_out extended permit ip xxxxxx_Ideals 255.255.255.0 object-group xxxx
access-list inside_access_out extended permit ip object-group xxxx_New_ref object-group xxxx
access-list inside_access_out extended permit tcp any host xxxxxx object-group FTPandFTPData
access-list inside_access_out extended permit tcp any host xxxxxxxx object-group WebandFTP
access-list inside_access_out extended permit tcp any host xxxxxxxx eq https
access-list inside_access_out remark Allow port 3200 incoming to the Exchange / Blackberry Server
access-list inside_access_out extended permit tcp any host xxxxxxxxxxx eq 3200
access-list inside_access_out extended permit tcp any host xxxxxxxxxxx object-group Exchange
access-list inside_access_out extended permit tcp any host xxxxxxxxxxx eq smtp
access-list inside_access_out remark Allow HTTP access to the xxxxxx server
access-list inside_access_out remark Allow SMTP access to the xxxxxx server from interface2
access-list inside_access_out remark Allow SMTP access to the xxxxxx server from interface2
access-list inside_access_out remark Allow SMTP access to the xxxxxx server from interface2
access-list inside_access_out remark Allow access to xxxxxxxxxxxxxxxx
access-list inside_access_out extended permit tcp any host xxxxxxxxxx eq www
access-list inside_access_out remark Allow HTTP access to the xxxxxx server
access-list inside_access_out remark Allow SMTP access to the xxxxxx server from interface2
access-list inside_access_out remark Allow SMTP access to the xxxxxx server from interface2
access-list inside_access_out remark Allow SMTP access to the xxxxxx server from interface2
access-list inside_access_out remark Allow access to xxxxxxxxxxxxxxxx
access-list inside_access_out extended permit tcp any host xxxxxxxxxx eq www
access-list inside_access_out extended permit tcp object-group xxxxxxxxx_ref object-group xxxxxxxxx eq 1433
access-list inside_access_out extended permit tcp object-group xxxxxxxxxx_ref host xxxxxxxxx eq www
access-list inside_access_out extended permit tcp host xxxxxxxx host xxxxxxxxxx eq 1433
access-list inside_access_out extended permit tcp host xxxxxxxxxxxxx object-group xxxxxxxxxxxx object-group DomainPortsTCP
access-list inside_access_out extended permit udp host xxxxxxxxxxxxx object-group DomainServers object-group DomainPortsUDP
access-list inside_access_out extended permit udp any object-group DomainServers eq domain
access-list inside_access_out extended permit tcp xxx.xxx.xxx.xxx 255.255.0.0 host xxxxxxxx eq 3389
access-list inside_access_out extended permit tcp object-group xxxx_ref host xxxxxxxxxx object-group HTTPandSecure
access-list inside_access_out extended permit tcp any host xxxxxxx eq www
access-list inside_access_out extended permit tcp any host xxxxxxx object-group Netmeeting
access-list inside_access_out extended permit ip 10.10.3.0 255.255.255.0 any
access-list inside_access_out extended deny ip any any
access-list intf2_access_out extended permit tcp any object-group xxxxxxxxxxxxxxxxx object-group HTTPandSecure
access-list intf2_access_out extended permit tcp any object-group xxxxxxxxxxxxxxxxx object-group MMS_TCP
access-list intf2_access_out extended permit udp any object-group xxxxxxxxxxxxxxxxx object-group MMS_UDP
access-list intf2_access_out extended permit tcp any host xxxxxxxx eq www
access-list intf2_access_out extended permit ip 192.168.0.0 255.255.0.0 any
access-list intf2_access_out extended deny ip any any
access-list Server remark group access to xxxxx
access-list Server extended permit tcp any object-group xxxxxxxxxx host xxxxxxxxxxxxxx object-group xxxxxxxxxxx
access-list Server extended permit udp any host xxxxxxxxxx
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 host xxx.xxx.xxx.xxx
access-list inside_access_in remark Block access to gotomypc.com
access-list inside_access_in extended deny ip any host xxx.xxx.xxx.xxx log alerts
access-list inside_access_in extended permit ip any any
access-list wirelessSec_access_in extended permit ip any any
access-list wirelessPub_access_in extended permit icmp any any
access-list wirelessPub_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffered emergencies
logging asdm alerts
logging host inside 192.168.1.203
logging host inside xxxx
logging debug-trace
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu wirelessSec 1500
mtu intf2 1500
mtu wirelessPub 1500
ip local pool ************VPN 192.168.1.90-192.168.1.99 mask 255.255.255.0
failover
monitor-interface outside
monitor-interface inside
no monitor-interface wirelessSec
monitor-interface intf2
no monitor-interface wirelessPub
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
global (intf2) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.1.0 255.255.255.0
nat (wirelessSec) 10 10.10.3.0 255.255.255.0
nat (intf2) 10 0.0.0.0 0.0.0.0
nat (wirelessPub) 10 0.0.0.0 0.0.0.0 dns

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group wirelessSec_access_in in interface wirelessSec
access-group intf2_access_in in interface intf2
access-group intf2_access_out out interface intf2
access-group wirelessPub_access_in in interface wirelessPub
!
route-map inside_outbound_nat0_acl permit 10
!
route outside 0.0.0.0 0.0.0.0 Cisco3850 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host ARSENIC
key xxxxxxxxxxxxxxxx
group-policy Default internal
group-policy Default attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Default_splitTunnelAcl
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication enable
user-authentication enable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
group-policy SoftwareVendor internal
group-policy SoftwareVendor attributes
vpn-tunnel-protocol IPSec
group-policy ************ internal
group-policy ************ attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ************_splitTunnelAcl
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside xxxxxxxxxxxxx poll community ************
snmp-server host inside xxxxx community ************
no snmp-server location
no snmp-server contact
snmp-server community ************
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 80 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group ************ type ipsec-ra
tunnel-group ************ general-attributes
address-pool ************VPN
default-group-policy ************
tunnel-group ************ ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet xxxxxxxxxxx 255.255.255.255 inside
telnet 192.168.1.203 255.255.255.255 inside
telnet 192.168.1.68 255.255.255.255 inside
telnet timeout 5
ssh xxxxxxxxx 255.255.255.255 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns xxxxxxx xxxxxxxx
dhcpd ping_timeout 750
dhcpd domain ************llc.com
!
dhcpd address 192.168.1.140-192.168.1.240 inside
dhcpd enable inside
!
dhcpd address 10.10.3.2-10.10.3.250 wirelessSec
dhcpd enable wirelessSec
!
dhcpd address 10.10.5.2-10.10.5.250 wirelessPub
dhcpd enable wirelessPub
!
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect dns migrated_dns_map_2
inspect icmp error
inspect icmp
policy-map type inspect http test
parameters
protocol-violation action drop-connection
match request uri regex _default_GoToMyPC-tunnel
drop-connection log
match request uri regex _default_GoToMyPC-tunnel_2
drop-connection log
policy-map global-policy
class global-class
inspect dns
!
service-policy global_policy global
ntp server 192.43.244.18 source outside prefer
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end



David McKissic
 
This should do it. Change these:

access-list wirelessPub_access_in extended permit icmp any any
access-list wirelessPub_access_in extended permit ip any any

to:

no access-list wirelessPub_access_in extended permit icmp any any
no access-list wirelessPub_access_in extended permit ip any any
access-list wirelessPub_access_in remark deny the wirelessPub subnet access to the inside subnet
access-list wirelessPub_access_in extended deny ip 10.10.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list wirelessPub_access_in remark allow the wirelessPub subnet all icmp to any destination
access-list wirelessPub_access_in extended permit icmp 10.10.5.0 255.255.255.0 any
access-list wirelessPub_access_in remark allow the wirelessPub subnet http traffic to any destination
access-list wirelessPub_access_in extended permit tcp 10.10.5.0 255.255.255.0 any eq 80
access-list wirelessPub_access_in remark add subsequent lines to allow whatever traffic you want (443-https, 110-pop3, 25-smtp, etc.)
access-list wirelessPub_access_in extended deny ip any any

They will be processed top down; if you match a line, no further processing will be done. You can also add the log keyword and a level to log events that match these rules.

Brent
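As an added example (not Brent's or the original poster's configuration), here is a guest ACL in PIX 7.2(1) syntax that goes a step further than the reply above: it denies not only the inside subnet but also wirelessSec (10.10.3.0/24) and intf2 (192.168.4.0/24), which the posted config leaves reachable from wirelessPub because wirelessSec has no outbound ACL and inside_access_out only covers inside. The internal DNS server address 192.168.1.10, the service list for guests and the packet-tracer test addresses are assumptions; the dhcpd dns servers in the posted config are masked, so substitute the real ones.

```cisco
! Added example, not from the thread. PIX 7.2(1) syntax.
! Assumption: dhcpd hands guests an internal resolver, represented here by
! 192.168.1.10. Replace it, or point guests at a public resolver and drop
! the GUEST_DNS lines; otherwise the INTERNAL_NETS deny breaks name lookups.
object-group network INTERNAL_NETS
 network-object 192.168.1.0 255.255.255.0
 network-object 10.10.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
object-group network GUEST_DNS
 network-object host 192.168.1.10
object-group service GUEST_TCP_OUT tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
 port-object eq imap4
!
! Remove the two permit-everything lines from the posted config first;
! new ACEs are appended, so leaving them in place would shadow the deny.
no access-list wirelessPub_access_in extended permit icmp any any
no access-list wirelessPub_access_in extended permit ip any any
!
access-list wirelessPub_access_in remark DNS to the assumed internal resolver, ahead of the deny
access-list wirelessPub_access_in extended permit udp 10.10.5.0 255.255.255.0 object-group GUEST_DNS eq domain
access-list wirelessPub_access_in extended permit tcp 10.10.5.0 255.255.255.0 object-group GUEST_DNS eq domain
access-list wirelessPub_access_in remark Block inside, wirelessSec and intf2 in one ACE and log attempts
access-list wirelessPub_access_in extended deny ip 10.10.5.0 255.255.255.0 object-group INTERNAL_NETS log warnings
access-list wirelessPub_access_in remark Internet-only services for guests; "any" must come after the deny
access-list wirelessPub_access_in extended permit tcp 10.10.5.0 255.255.255.0 any object-group GUEST_TCP_OUT
access-list wirelessPub_access_in extended permit icmp 10.10.5.0 255.255.255.0 any echo
access-list wirelessPub_access_in extended deny ip any any log warnings
access-group wirelessPub_access_in in interface wirelessPub
!
! Verification (packet-tracer is available from 7.2(1)): the first two
! should end at the INTERNAL_NETS deny, the third at the GUEST_TCP_OUT permit.
packet-tracer input wirelessPub tcp 10.10.5.50 40000 192.168.1.203 445
packet-tracer input wirelessPub tcp 10.10.5.50 40000 10.10.3.20 445
packet-tracer input wirelessPub tcp 10.10.5.50 40000 198.51.100.10 80
show access-list wirelessPub_access_in
```

Two points a practitioner should keep in mind: the interface ACL does not govern traffic addressed to the PIX itself, so guests still get DHCP leases from dhcpd on 10.10.5.1; and because the list is first-match, the INTERNAL_NETS deny has to sit above every permit whose destination is `any`, since `any` includes the internal subnets. The hit counts in `show access-list` confirm which ACE each test packet matched.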
 