*Solved!* Creating a Guest Wireless Network?
ElectroWolf
01-18-2012, 08:31 AM
So, I've run into a small issue at work, and I'm uncertain as to the best way to resolve the issue while providing a robust security implementation to prevent accidental data loss / network compromise. Help!
We have a number of people who have been coming into our building requesting access to our wireless network, so that they can get on the internet (we run meetings here quite often, so we always have people coming in). Obviously, I don't want to give them the password to our wireless network that's connected to our internal network, as there would be all sorts of security ramifications involving doing so. So I figured I would create a secondary guest network, and allow them to connect to that instead.
I initially thought that I could just plug a secondary router into our network, use it to dole out a different range of internal IP addresses using DHCP, and life would be grand. However, I quickly found out that via routing, this would still allow them access to our internal network (d'oh!). So, I obviously need some way to create a secondary network, and have it completely blocked off from the primary network.
We are currently running a Cisco ASA 5505 firewall. Our network is configured via the following:
Internet -> Cable Modem -> Cisco ASA - [funky set up using Windows Server for DHCP, NAT, DNS, etc] -> PCs.
So, my skill level with the Cisco ASA is lacking, but I'm assuming that would probably be the best bet to go to create a separate, isolated guest network that would be kept separate from the primary internal network. The company had purchased the Cisco ASA through a consulting company before I started, and the consulting company had come in and configured the ASA with a very basic configuration. One port was used as "inside", and one port was used as "outside". I'm assuming I could simply configure a third port, configure it as "guest", and allow it to only direct traffic between it and the "outside" port. However, I have no idea how to go about doing so, and the last thing I want to do is muck up our primary network for everyone during business hours!
Does anyone have any quick tips on configuring the ASA to do what we want it to? This can't be that uncommon of a problem, and I'm guessing the solution is quite easy. But since I've never done this before, I want to make sure I don't mess everything up. Or, is there a better alternative than configuring it through the ASA?
Thanks!
komondor
01-18-2012, 09:44 AM
Why not just use a wireless router that has a guest network option?
http://www.amazon.com/Netgear-Wireless-Gigabit-Router-WNDR3700/dp/B002HWRJY4
ElectroWolf
01-18-2012, 10:25 AM
Why not just use a wireless router that has a guest network option?
http://www.amazon.com/Netgear-Wireless-Gigabit-Router-WNDR3700/dp/B002HWRJY4
We actually have one (D-Link DIR-655, I think). However, DHCP is controlled by our Windows Server, and not by the router. So I've tried enabling the guest network, but it fails, since it prevents traffic from accessing the Windows Server and obtaining an IP address. I've done some digging, and it turns out that the DIR-655 (and most others?) cannot support DHCP for just the guest network. It has to be an all-or-nothing approach. :(
jstillusion
01-18-2012, 10:44 AM
With DD-WRT you can create a virtual interface, then use DHCP only on that interface and bridge it straight to the WAN, so that it connects to the AP and then gets directly routed outside with zero interaction with your internal network. I use it at home to route them to a VLAN to let guests use the internet without worrying about them on my actual network.
Here's a decent guide to do it using dd-wrt http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
Jeffbx
01-18-2012, 10:51 AM
You're overthinking. In your diagram
Internet -> Cable Modem -> Cisco ASA - [funky set up using Windows Server for DHCP, NAT, DNS, etc] -> PCs.
you just want to split off a line between cable modem and the Cisco ASA. You don't want guests on your internal LAN, so why put them there & create rules so they don't see anything? Keep them physically separate from your internal IPs.
So for guests, you should go:
Internet -> Cable Modem -> Guest wireless router
and keep that completely separate.
kakomu
01-18-2012, 11:12 AM
You're overthinking. In your diagram
Internet -> Cable Modem -> Cisco ASA - [funky set up using Windows Server for DHCP, NAT, DNS, etc] -> PCs.
you just want to split off a line between cable modem and the Cisco ASA. You don't want guests on your internal LAN, so why put them there & create rules so they don't see anything? Keep them physically separate from your internal IPs.
So for guests, you should go:
Internet -> Cable Modem -> Guest wireless router
and keep that completely separate.
This would work if the OP is granted multiple IP addresses from his ISP.
ElectroWolf
01-18-2012, 11:14 AM
You're overthinking. In your diagram
Internet -> Cable Modem -> Cisco ASA - [funky set up using Windows Server for DHCP, NAT, DNS, etc] -> PCs.
you just want to split off a line between cable modem and the Cisco ASA. You don't want guests on your internal LAN, so why put them there & create rules so they don't see anything? Keep them physically separate from your internal IPs.
So for guests, you should go:
Internet -> Cable Modem -> Guest wireless router
and keep that completely separate.
How would I go about splitting off a line from the Cable Modem though? It only has a single CAT5 jack on it. I need that for the ASA to support the rest of our network.
*edit*
Ok, here's where I'm at so far. I've done some playing on the ASA, and have gotten a bit farther in the process. I used the following for a basis for my approach:
http://itguy11.wordpress.com/2010/07/21/guest-wireless-access-using-a-cisco-asa-5510-with-vlan-configuration/
Basically, what I did was add a third interface, called it "guest", assigned it to Switch Port 0/7, and blocked traffic from vlan1 (inside) to this vlan3 (guest).
I lucked out, because apparently when the company bought the ASA, they only purchased the Base License for it, which only allows for a max of two interfaces, or three if traffic between them is restricted. So by restricting traffic flow from vlan1 (inside) to guest, I was able to set up the third interface.
I then added the NAT rule to use the IP address of the outside interface.
That's as far as I went in the walkthrough, because I didn't want to enable DHCP on the ASA. I wanted that to be maintained on the router that would be plugged into that network.
-------
From that point, I plugged the router into the ASA, plugging the CAT5 cable into the WAN port of the router. Unfortunately, from this point, the router never seemed to pick up an IP address or anything from the ASA. Consequently, I was unable to get on the internet. DNS lookups failed, etc. I then plugged it into the LAN port instead. Same thing. However, when plugged into the LAN port, the ASA was able to detect that my computer was hooked up to the router, and I was able to see it in the ARP Table Monitoring log, as part of the "guest" interface. However, still no internet, and still no IP for the router.
So now here's where I'm stuck with dealing with this. It seems that I'm so close, but can't quite get the last pieces to fall into place to get internet access. I configured the ASA interface to have an IP of 10.0.0.1, Subnet 255.255.255.0. I then configured the router to have an IP of 10.0.0.2, Subnet 255.255.255.0, and tried to give it the Gateway IP of the 10.0.0.1 that was assigned to the ASA. However, the router keeps complaining that the WAN IP and LAN IP must be on a different subnet. So, I'm a bit lost at this point.
Thanks all again for the help!
jstillusion
01-18-2012, 11:41 AM
If the DHCP server is on vlan1 and you isolate vlan3 from 1, then you cannot give out an IP unless you set up a DHCP relay, but this again is letting the VLANs intermingle. You can enable DHCP on specific interfaces on the ASA to alleviate that. How are you segregating the wireless traffic? Are you using 2 separate APs? At home I have my wireless mesh in front of an ASA 5510 and require the use of the VPN client to connect to my wired network. At work our guest networks are treated as lepers and isolated on a 192 subnet, letting the AP dole out IPs to guests, then directly routed to the DMZ on our PIX. I'm not boned up on the details of the internal mesh at work, as I have 1 guy that eats, breathes and sleeps wireless security, and talking to him makes my head hurt :p
ElectroWolf
01-18-2012, 12:12 PM
It's alive!
So, I'm not sure why the way I had it initially configured wasn't working. However, I made a small tweak and slightly changed the way I had it configured, and now it works!
Previously, I had the IP of the ASA interface as 10.0.0.1, and gave the router connected to it an IP of 10.0.0.2. However, it didn't seem to like that, and wasn't happy. I think the problem was that it never fully received an external-side IP address from the ASA. When I went to try to give it one, it complained that the WAN and LAN IPs needed to be on different subnets.
So I slightly tweaked the router, having its external IP still be 10.0.0.2, subnet of 255.255.255.0, and a gateway of 10.0.0.1. The internal IP was then 192.168.1.1, with DHCP doling out IPs within that range. After making that small tweak, it was happy!
So now I've got two completely isolated networks running off of the same ASA, with traffic prohibited between the two. One contains a wireless SSID for guest usage, and the other contains our entire company network.
Thanks all for the help!
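For readers who want to reproduce the isolated guest VLAN described in this thread on their own ASA 5505, here is a configuration fragment that follows the same steps (third VLAN named "guest" on switch port 0/7, traffic to inside blocked, interface PAT to the outside address). This is an added example, not ElectroWolf's actual running configuration or anything from the linked walkthrough. It assumes ASA software 8.3 or later (object NAT syntax), an existing Vlan1/"inside" and Vlan2/"outside", and a company LAN of 192.168.10.0/24, which is a placeholder because the thread never states the inside subnet. The ACL name GUEST_IN and the object name GUEST-NET are likewise arbitrary choices.

```cisco
! Added example configuration (not the original poster's config).
! Assumes: ASA 5505 Base License, ASA 8.3+, inside = Vlan1, outside = Vlan2,
! company LAN 192.168.10.0/24 (PLACEHOLDER - the thread does not give it).
!
! Third VLAN for guests. With the Base License a third VLAN may only be
! added if it is barred from initiating traffic to one other VLAN; pointing
! that restriction at Vlan1 is exactly the guest -> inside isolation wanted.
! "no forward interface" must precede "nameif" on the Base License.
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 10
 ip address 10.0.0.1 255.255.255.0
!
! Put switch port 0/7 into VLAN 3. The guest router's WAN port plugs in here
! (router WAN 10.0.0.2/24, gateway 10.0.0.1, router LAN 192.168.1.0/24,
! as the thread ends up with).
interface Ethernet0/7
 switchport access vlan 3
!
! PAT all guest traffic behind the outside interface address.
object network GUEST-NET
 subnet 10.0.0.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! Belt and braces: an explicit deny of guest -> inside, logged, so any
! attempt shows up in syslog/ASDM even though "no forward interface"
! already drops it. Everything else from guests is allowed out.
access-list GUEST_IN extended deny ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list GUEST_IN extended permit ip 10.0.0.0 255.255.255.0 any
access-group GUEST_IN in interface guest
!
! Optional, per jstillusion's suggestion: let the ASA serve DHCP on the
! guest interface itself instead of relaying to the Windows DHCP server.
! Resolver address is just an example value.
! dhcpd address 10.0.0.10-10.0.0.50 guest
! dhcpd dns 8.8.8.8 interface guest
! dhcpd enable guest
```

Because the guest router also NATs its 192.168.1.x clients behind its WAN address, the ASA only ever sees 10.0.0.2 as the source of guest traffic (double NAT). That is fine for plain web access, and the logged deny line gives a simple way to spot a guest-side device probing the inside range: any hit on the GUEST_IN deny rule is worth a look.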
jstillusion
01-18-2012, 01:25 PM
Doh. Wish I had refreshed sooner. I was tinkering around in the ASDM on a spare 5510 I had. Glad you got it working.
getdealsonline
01-18-2012, 07:51 PM
So I bought the TRENDnet TEW-673GRU ... any notes on how to create a guest network for that? Thanks!
Jeffbx
01-19-2012, 06:33 AM
How would I go about splitting off a line from the Cable Modem though? It only has a single CAT5 jack on it. I need that for the ASA to support the rest of our network.
I see you have it running, but to answer your Q you just pop a little switch in between the modem & your ASA. Modem to switch, then switch to ASA / switch to WAP. And thanks to kakomu for reminding about the IP - you WOULD need a 2nd IP from your ISP & would need to know the address. This method would bypass your firewall / internal LAN altogether.
Good that you found a solution, tho - it's so satisfying when those packets start flying!
ElectroWolf
01-19-2012, 06:54 AM
I see you have it running, but to answer your Q you just pop a little switch in between the modem & your ASA. Modem to switch, then switch to ASA / switch to WAP. And thanks to kakomu for reminding about the IP - you WOULD need a 2nd IP from your ISP & would need to know the address. This method would bypass your firewall / internal LAN altogether.
Good that you found a solution, tho - it's so satisfying when those packets start flying!
Ah, I gotcha! That makes much more sense. Thank you :)
You're right though - once you type google.com, hit Enter, and see the logo in all its glory on your screen, it's like seeing a puzzle finally completed! :D Functional packets make me a happy person. Of course, then I'm always wondering if there's still a vulnerability in the setup, and that there's still some way for someone malicious to get onto our internal network through the guest network. But it is what it is, and it's good enough for now. Hopefully I can trust that Cisco's ASA is robust enough to withstand your standard drive-by attack.