How would I contain guest Wifi network in firewall?

I would like to implement a guest wifi network on my preexisting private network and can't figure out the security on my firewall. Currently the link connecting my private network to the internet is functioning fine and I really don't want to change this link into a trunk as I believe trying to reconfigure the trunk and security lists in the firewall would cause downtime. I would like to use a second interface on the firewall (5520 ASA with 8.2 software) as a trunk interface for my guest network and any other new VLAN in the future. My main concern is at the Core of my network the default gateway is the private IP for my internal firewall connection. If the guest network is connected to my core device going to the ASA, how do I specify a second default gateway on the core for the guest network on the ASA?
After writing this I realized, what if I connected a switch directly to the second trunk interface on my ASA and then used this IP as the default gateway for the guest network? I believe this should work but this leads me to one more question:
Say I wanted to allow my guest network access to a specific server on my internal network, would a proper configuration be to set up the ACLs on the firewall, allowing them to communicate to my inside network?

Hi,
Yeah, I suppose changing the existing interface to a Trunk would not be possible without some kind of downtime unless you used an untypical configuration.
Sadly, my personal knowledge of wireless networks and the devices is almost nonexistent as we have different people to handle setting up those.
But I would imagine you can use a separate VLAN for the Guest Wifi and bring that VLAN to the new ASA interface only. If your actual core switch is doing routing, in other words if it's acting as an L3 switch, then you should probably add the Guest Wifi VLAN only as L2 to the core switch and configure it all the way to the new ASA Trunk. Default gateway, as you say, would be the IP address configured on the ASA itself.
Controlling the traffic from the new interface on the ASA should be pretty simple.
access-list GUEST-WIFI remark Allow traffic to internal server
access-list GUEST-WIFI permit tcp <guest network> <mask> host <server ip> eq <port>
access-list GUEST-WIFI remark Deny All traffic to Internal networks
access-list GUEST-WIFI deny ip any <internal network> <mask>
access-list GUEST-WIFI remark Allow All other traffic
access-list GUEST-WIFI permit ip <guest network> <mask> any
access-group GUEST-WIFI in interface <guest interface nameif>
The above ACL first allows some traffic to a certain internal server with a certain service. It then blocks all other traffic to the internal network. Finally it allows all other traffic. That would be all traffic destined to external public networks.
Naturally you would need possibly Static Identity NAT configurations (since you are using 8.2 software) to enable connections from the Guest Wifi to Internal network.
- Jouni
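
The design described in this answer, written out end to end as an ASA 8.2 fragment. This is an added example, not configuration from the original post: the physical port GigabitEthernet0/2, VLAN 50, the nameif `guest`, and every address (guest 192.168.50.0/24, internal 10.0.0.0/8, server 10.10.10.20 on TCP 443) are constructed assumptions, and it assumes the existing interfaces are named `inside` and `outside` with `global (outside) 1 interface` already present.

```cisco
! --- Second physical port becomes the trunk; it carries no nameif or IP itself.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! --- One subinterface per guest VLAN (VLAN 50 is a constructed value).
! --- Security level above outside (0) and below inside (100).
interface GigabitEthernet0/2.50
 vlan 50
 nameif guest
 security-level 10
 ip address 192.168.50.1 255.255.255.0
!
! --- Order matters: the ASA stops at the first matching line.
access-list GUEST-WIFI remark Allow guests to one internal server, one service
access-list GUEST-WIFI extended permit tcp 192.168.50.0 255.255.255.0 host 10.10.10.20 eq 443
access-list GUEST-WIFI remark Deny all other traffic to internal networks
access-list GUEST-WIFI extended deny ip any 10.0.0.0 255.0.0.0
access-list GUEST-WIFI remark Allow everything else (Internet)
access-list GUEST-WIFI extended permit ip 192.168.50.0 255.255.255.0 any
access-group GUEST-WIFI in interface guest
!
! --- Static identity NAT (8.2 syntax) so the server keeps its real
! --- address when reached from the lower-security guest interface.
static (inside,guest) 10.10.10.20 10.10.10.20 netmask 255.255.255.255
!
! --- Dynamic PAT for guest Internet access, reusing the assumed
! --- existing "global (outside) 1 interface".
nat (guest) 1 192.168.50.0 255.255.255.0
!
! --- Verification from privileged EXEC (constructed client 192.168.50.25):
! --- expected ALLOW: guest client to the permitted server and port
packet-tracer input guest tcp 192.168.50.25 40000 10.10.10.20 443
! --- expected DROP by GUEST-WIFI: same server, different port
packet-tracer input guest tcp 192.168.50.25 40000 10.10.10.20 3389
! --- expected DROP by GUEST-WIFI: any other internal host
packet-tracer input guest tcp 192.168.50.25 40000 10.10.10.30 443
! --- hit counters per ACL line
show access-list GUEST-WIFI
```

If the internal address space spans more than one range, each range needs its own deny line above the final permit, otherwise guest traffic to the unlisted range falls through to the Internet rule.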

Similar Messages

  • How to set up guest wifi network on 1200 series APs with disclaimer web portal?

    I've been thinking about this one for awhile. I want to set up a guest wifi network without any security (AES / TKIP) that allows guests to connect. Ideally, their web browser would be redirected to a web portal containing legal disclaimers, and they would need to accept the terms and conditions to use the guest wifi. I would also like to have them be required to visit the web portal again every 8 hours after that to accept the terms and conditions again.
    I have a Cisco 1240AG access point already. What else do I need to make this work?

    I don't believe you can do this just with an AP running in autonomous mode; you would need to have a WLC to configure the splash page.
    Have a look here:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70users.html#wp1049273
    Alternatively you can use software running on a PC/Server. Something like http://www.antamedia.com/hotspot/
    Hope that helps!
    Matty

  • How can I set up a guest WiFi network using Time Capsule and Airport Express extension?

    How can I set up a guest WiFi network using Time Capsule and Airport Express extension?

    Sorry, but it is not possible to "extend" the Guest Network using either wireless or an Ethernet connection.

  • How do I configure guest WiFi access using 2504 WLC, Fortigate UTM L3 device

    Dear All
    I have a 2504 Wireless Controller with multiple radios attached. I currently have a "private" WLAN configured (taking ip from windows server based DHCP of Range 192.1681.0/24 ) and working, but I need to add a Guest/Public WLAN which should take the IP from Other DHCP Configured on Fortigate UTM of range 172.16.0.0/24.
    We have one SG300 switch in the office and the rest are basic switches.
    Our firewall/router is a Fortigate UTM 240D
    Find the attached network diagram for the issue.
    Is there a SIMPLE way to enable guest access that doesn't require VLANs (or are VLANs easier than I'm making them)?
    Thanks.

    Complete these steps in order to configure the devices for this network setup:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html
    Configure Dynamic Interfaces on the WLC for the Guest and Internal Users
    Create WLANs for the Guest and Internal Users
    Configure the Layer 2 Switch Port that Connects to the WLC as Trunk Port

  • How can i delete a wifi network?

    how can i delete a wifi network?

    deroco wrote:
    Thank you but I tried that and it still shows up as a network. I live out in the country and shouldn't have any other networks close. I am afraid of a security breach.
    As far as networks showing up when you right click the WiFi icon in the Menu Bar, you will always see those that are close by. I know of no way to hide or remove those.
    What leroydouglas provided is correct to remove any WiFi networks you have previously connected to.

  • How do i find the wifi network and password for iphone 4s

    How do I find the wifi network name and password for iPhone 4s?

    Well, Netgear will not know your password. The factory default user name for Netgear is usually admin and the factory default password is password. Go to an internet browser and in the URL window type in 192.168.0.1 and if I am right a login window will appear. Try the factory defaults.

  • HT3576 how can i verify that the network or firewall is not blocking access to port 5223.

    how can i verify that the network or firewall is not blocking access to port 5223?

    Talk to someone who knows something about networking and/or firewalls on an appropriate forum.
    Configuring your network and/or firewall is beyond the scope of this forum, which is devoted to issues using the iPhone.

  • HT3576 How do you verify that the network or firewall is not blocking access to port 5223?

    How do you verify that the network or firewall is not blocking access to port 5223?

    Maybe:
    http://answers.yahoo.com/question/index?qid=20110606132954AAZH4Tc
    http://forum1.netgear.com/showthread.php?t=48533

  • How do I check a wifi network on my iphone 4S ?

    I was in a Denny's restaurant that boasts a free Wi-Fi network, but couldn't log on to it. The iPhone saw the net but would not join it. No-one else could get onto the network either. This has happened in other locations too.
    My home network is via the Telus phone line. I noticed that on this network, according to Speedtest.net, the internet speed is not very good, i.e. download 5.96 MB, up 0.43 Mb/s, ping 62ms
    Thanks for any ideas on making it easier to join free networks that won't be joined, and speed up access on slow networks

    If others are having problems getting on the network, it's probably a problem on the network, but I think you understand that. If the network is broken and it doesn't belong to you, the only way to 'bypass this' is to disconnect from the WiFi network and use 3G. That or complain to the manager... I doubt that will do you much good. They can barely figure out how to fry eggs, much less do anything with their network.

  • How to create a bigger wifi network?

    Hello,
    I am a MacBook user and I have a Virgin Superhub in the front room in my house. Can I put an AirPort Express at the back of the house and connect to the Virgin Superhub to get a bigger wifi network and maybe get a wifi signal in the garden?
    thanks for any suggestions.

    but I could do it with 2 airport express units?
    Yes, one AirPort Express would need to be located in the vicinity of the hub. In order to extend wirelessly, the second AirPort Express would need to be located approximately half way between the first Express and the garden area.
    Any walls, ceilings, or other obstructions in the signal path between the AirPorts and the garden area will really absorb the signal quickly, so you will need to minimize obstructions as much as possible.
    You never really know how well....or if....wireless connections will work for your purposes until you try things out in your home. For that reason, if you decide to give it a try with two AirPorts, it might be a good idea to understand the store's return policies before you buy.

  • How do I remove a wifi network account from iMac? Or how do I encrypt an open wifi network account to make it secure?

    Somehow a wifi network connection has been created either on my AirPort router or iMac or iPad which is non-secured, i.e. open. I cannot work out how to delete it or make it a secure connection. My concern is that other users may be able to access my computers via this open wifi connection.
    What can I do to correct this?

    Click on the wifi icon, go all the way down to Network Preferences, and click to open it. Once you are on the Network window, at the bottom right there is an Advanced button; click that and then you should be able to delete all the networks that your Mac remembers.
    Hope this helps.

  • How do I delete a wifi network when I don't have the password?

    Yesterday, I had some work done on my home network, which affected all my wireless devices. I was able to get everything up and running, but the iPad. I have a different type of encryption now and can't connect to my iPad. My nephew, who did the work, wants me to delete the current wifi and then start over so it will see the current wifi network. The network that is showing is my new network name, but I type in the password and I get an unable to join/dismiss message. I have tried to reset network settings, but I still see the same network. My nephew won't be back until later in the week, I miss the wifi.
    Any ideas?
    Thanks.
    Nan

    I'm not sure if this will work for you, but it's worth a shot.
    TRY THIS:
    Go to Settings > Wi-Fi > select 'Other...' > Enter Network Name and Security Password > select 'Join'
    MY SETTINGS:
    The router is set to WPA2 Encryption.  The iPhone 'Wi-Fi Networks' settings is set to 'Ask to Join Networks'
    ISSUE BACKGROUND:
    I had a problem where my iDevice (iPhone 4) would not automatically connect to my Wi-Fi router even though the name - linksys - was always present.  I didn't want to 'Reset Network Settings' yet as there were some  hotspots I didn't want to have to go through the hassle of entering 16 to 32 character passwords again.  I was planning to try the 'Forget this Network' option, but it wasn't present.  I tried the step above as a long shot and it worked.  Hope this helps.

  • How can I create a wifi network

    I have created a wifi network, and also connected with my iPad, but it does not work, just connects. What should I do?

    Search the Internet. https://www.google.com/search?q=how+to+set+up+a+wifi+network

  • How to "forget" previously used WiFi networks

    Can anyone suggest how to remove the use/name of a wifi network I have used previously from the "connect via" screen when I want to connect to the internet or something like that.
    I have applied a filter in the WLAN wizard (which I think should block it, unless someone can tell me differently) but it still gets listed.
    This happens whether I'm around the network or not.
    This is on the E66, but also applies to the E71.
    Thanks

    There are always minor differences in the menus for different phones. The menu structure I quoted was for the N96.

  • How do I delete old wifi networks from appearing in the wifi icon in the menu bar.

    Just bought a new Airport Time Capsule and is up and running OK.
    When I click on the wifi icon in the menu bar all my old wifi networks appear 
    which are then viewable by neighbours although the networks themselves are PW protected.
    In system preferences>network>advanced I have deleted all my old N/Works allowing only
    my new one to appear.
    How can I delete the old networks I no longer use from re-appearing in the list under the wifi icon?
    Alan

    When you delete old networks in System Preferences > Network > WiFi > Advanced, be sure to click the OK button, then click the Apply button in the next window that appears.
    You also need to delete the old networks in KeyChain Access as follows:
    Open Macintosh HD > Applications > Utilities > KeyChain Access
    Click on the name of an old wireless network to highlight it
    Click the Delete key on your Mac
    Do the same for other old wireless networks that you no longer use, then restart your Mac.
