Using an ASA to Establish a Guest Network

It is not uncommon to visit a small- to medium-sized customer for the first time and find a wireless and/or guest network that compromises security for the rest of the network. Organizations that lack policies and procedures for their network tend to pick up consumer grade wireless routers and connect them exactly as they would at home. In this article, we will look at how we can rectify two important issues by using the DMZ interface on an ASA5505 to create an isolated guest network.

When a non-technical employee installs a consumer grade wireless router to create a guest network, they typically unbox the new equipment and connect the “WAN” port to the main network. The main network gives the newly purchased router an IP address via DHCP. The wireless router has DHCP enabled by default and will provide its own address space to wireless clients. Everything just seems to work. This configuration is less than optimal because it doesn’t protect the main network (guest clients sit on the same segment as everything else) and it performs an extra network address translation (NAT) on the packets that pass through the wireless router. Below is a graphic of this configuration.

If a capable firewall is available, the same consumer router could be moved to its own DMZ interface. In our case we are going to use a Cisco ASA5505. The default behavior for an ASA is that a DMZ interface with a lower security level cannot forward traffic to the inside interface with a higher security level. Additionally, the address translation in the router is not desirable. There is an easy way to fix this and make the wireless router work more like a wireless access point that just forwards data link layer traffic.


The solution is to connect the consumer router’s switchport to the network as opposed to its WAN port. In our example, we are also disabling DHCP on the wireless router and enabling it on the ASA. This ensures that the ASA is the default gateway for wireless clients. At this point, the wireless router is behaving just like a wireless access point, forwarding frames instead of routing packets. The port through which the consumer router connects to the main network should be an isolated network interface, assuming this is for a guest network.

//ASA Configuration with Public Access DMZ

//inside interface
interface Vlan1
nameif inside
security-level 100
ip address

//outside interface
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute

//DMZ interface
interface Vlan3
//required in some ASA5505 due to licensing
no forward interface vlan 1
nameif DMZ
security-level 50
ip address

//outside physical interface
interface Ethernet0/0
switchport access vlan 2
switchport mode access
no shut

//DMZ physical interface
interface Ethernet0/1
switchport access vlan 3
switchport mode access
no shut

//inside physical interfaces
interface Ethernet0/x (where x is each interface 2-7)
switchport access vlan 1
switchport mode access
no shut

//inside dhcp configuration
dhcpd address inside
dhcpd dns
dhcpd enable inside

//DMZ dhcp configuration
dhcpd address DMZ
dhcpd dns
dhcpd enable DMZ

//nat configuration
global (outside) 1 interface
nat (inside) 1
nat (DMZ) 1
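Below is an added, filled-in version of the configuration above. It is not from the original article or its author; it uses the same ASA 8.2-style syntax with constructed addresses (192.168.1.0/24 for inside, 192.168.50.0/24 for the guest DMZ, and 192.0.2.53 as a placeholder DNS server). It also adds an explicit guest access list, which the article's config does not include, so that the guest segment's isolation from inside does not rest on security levels alone.

```cisco
! Added example (not from the original article): a complete ASA 5505 config
! in the 8.2-style syntax used above, with constructed RFC 1918 addresses.
! inside = 192.168.1.0/24, guest DMZ = 192.168.50.0/24 (both made up here).
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
! Ethernet0/1 is the only port in VLAN 3: the guest router's LAN switchport plugs in here
interface Ethernet0/1
 switchport access vlan 3
 no shutdown
!
! The ASA is the only DHCP server for guests, so it becomes their default gateway
dhcpd dns 192.0.2.53
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd enable inside
dhcpd address 192.168.50.10-192.168.50.100 DMZ
dhcpd enable DMZ
!
! PAT both segments behind the outside interface address
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (DMZ) 1 192.168.50.0 255.255.255.0
!
! Security levels already stop DMZ-to-inside, but an explicit ACL keeps that
! intent if a later permit or security-level change would otherwise open it
access-list GUEST_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list GUEST_IN extended permit ip 192.168.50.0 255.255.255.0 any
access-group GUEST_IN in interface DMZ
```

After applying it, `show nat` (8.2) and `packet-tracer input DMZ tcp 192.168.50.20 1025 192.168.1.10 80` confirm that guest traffic is translated toward outside but dropped toward inside.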

This article discussed the issues that can be introduced by improperly installing a guest network and a simple solution to rectify those issues. Obviously, appropriate policies should be in place that restrict unauthorized personnel from installing equipment. If there is a requirement to install a guest network on a budget, a consumer grade router can be used. Moving that network equipment to its own DMZ area and connecting it using a switchport on the device can create a cleaner and more secure solution.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

2 Responses to Using an ASA to Establish a Guest Network

  1. Pingback: ASA Guest Network With Limited Inside Access - PacketU

  2. Rusty says:

    I have a guest network setup on 8.4 but I am having trouble accessing the VPN from the guest network.

    I read that it is not possible to access the VPN on the outside interface due to Cisco design decisions, so I setup the VPN on the guest interface as well.

    This works, however, I would like to avoid adding an additional VPN configuration to every machine. I thought I could resolve this with a NAT rule like the following.

    nat (guest,guest) source static SV_guest SV_guest destination static SV_asa_outside SV_asa_guest

    SV_guest is the guest subnet, SV_asa_outside is the address of the outside interface, and SV_asa_guest is the address of the inside interface.

    However, this does not work. I am able to use the VPN by connecting directly to the guest interface, but while the NAT entry shows that it is translating/untranslating packets, the existing VPN configuration doesn’t work.

    Any ideas why that might be, or alternate ways I could accomplish the same?

