Setting up your ASA for guest wireless is easy, and you only need the base licence to do it. First of all, remember that a VLAN is a layer 2 construct (OSI model): clients that join the Guest Wireless VLAN can only leave it by being routed out through the ASA firewall. So here’s your topology.
I can hear you ask why there are two connections to the firewall. One is your inside corporate interface and the second is your guest wireless interface.
So you’ve already set up your AP, either as an autonomous AP or joined to your wireless LAN controller. The reason you trunk the AP to the switch is so you can run multiple SSIDs, each with its own VLAN assigned. One thing I would mention: make sure your switch has DTP turned off on unused ports. I don’t think I need to explain that one, do I?
ASA1(config)#interface vlan 3
ASA1(config-if)#nameif Guest
ASA1(config-if)#security-level 50
ASA1(config-if)#ip address 192.168.1.254 255.255.255.0
ASA1(config-if)#no forward interface vlan 1
ASA1(config-if)#exit
ASA1(config)#interface ethernet 0/2
ASA1(config-if)#switchport access vlan 3
ASA1(config-if)#exit
NAT Translation
ASA1(config)#global (outside) 1 interface
ASA1(config)#nat (Guest) 1 0.0.0.0 0.0.0.0
I usually hand out DHCP addresses from the ASA when setting up guest wireless this way, but you can do it from the LAN controller or the AP itself. Here’s the config for the ASA (the pool is bound to the interface by its nameif, Guest, as configured above):
ASA1(config)#dhcpd address 192.168.1.x 192.168.1.x Guest
ASA1(config)#dhcpd dns 8.8.8.8
ASA1(config)#dhcpd enable Guest
That, my friends, is all there is to it. Your ASA already has the implicit rule that permits traffic from any interface to any less secure interface (Guest at security-level 50 to outside at 0), which means your guest wireless clients will be able to reach the internet, and the config line “no forward interface vlan 1” prevents guest clients from initiating traffic into your inside corporate network.
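As an added example (not part of the original post), here is the switch-side configuration the setup above depends on but does not show, together with an explicit ACL on the ASA Guest interface so guest isolation does not rest on the implicit permit alone. The switch is assumed to be an IOS Catalyst; the interface numbers and the inside subnet placeholder are assumptions for this example.

```cisco
! --- IOS switch (assumed; interface numbers are placeholders) ---
! Trunk to the AP: carries corporate VLAN 1 and guest VLAN 3, DTP disabled.
interface GigabitEthernet1/0/1
 description AP-trunk
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,3
!
! Port to the ASA Ethernet0/2: plain access port in the guest VLAN only.
interface GigabitEthernet1/0/2
 description ASA-Guest-e0/2
 switchport mode access
 switchport access vlan 3
 switchport nonegotiate
!
! Unused ports: forced to access mode and shut, so DTP can never form a trunk.
interface range GigabitEthernet1/0/20 - 24
 switchport mode access
 switchport nonegotiate
 shutdown
!
! --- ASA (same device as the post) ---
! Explicit inbound policy on Guest: deny the corporate subnet first, then
! allow everything else out to the internet. Replace the placeholder with
! the real inside network and mask.
access-list GUEST_IN extended deny ip any <inside-subnet> <inside-mask>
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface Guest
!
! --- Checks ---
! switch: show interfaces trunk          (only Gi1/0/1 should be trunking)
! switch: show interfaces status          (unused ports show "disabled")
! ASA:    show dhcpd binding              (guest clients got 192.168.1.x leases)
! ASA:    show xlate                      (guest hosts translated to outside)
```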
RH
So if I read this right (little rusty on my Cisco admittedly), interface 1 is to your switch/network as normal, and int 2 of the ASA connects to a trunked port on your switch set to VLAN 3. (Gets around the Security Plus license?) So I just have to make sure there are trunks between all the switches (at least between your access points) with VLAN 3 added, and set your VLAN to 3 on the access point? Now if you set VLAN 3 on your AP, will most Cisco switches automatically pick up that tagging for the port, or do you need to manually assign that specific port and actually make it a trunk? Again, it’s been many years since I’ve been in a Cisco class or had to touch one, so please be kind 🙂
Thanks
-Dave
VLAN 3 exists on the ASA. Assuming this AP services your corporate and guest network, you separate these with layer 2 VLANs at the switch.
All you need to make sure is that the subnet on interface vlan 3 of the ASA is the same as your guest wireless subnet associated with the VLAN on the switch. To assign a specific VLAN to the trunk you would use “switchport trunk native vlan x” on the switch.
In my scenario I used a Cisco Wireless LAN Controller. Is this what you are using, or a stand-alone AP?
Currently the place I started working for has many older stand-alone Cisco APs, though I have been researching and looking at going with a 2504 controller. I think a lot of my older APs can be converted to LWAPs with a new image, and I can slowly replace them with newer ones as time goes on. We have multiple locations with anywhere between 5 to 9 access points each. I wouldn’t have to guest every single AP, just the ones near conference rooms. And in those instances, yes, there would be dual SSIDs (1 corp, 1 guest). Thanks for the above info.
I think I’m getting a little confused above. So the ASA only really recognizes any traffic on that second interface within the subnet you assign. So in theory you could have a VLAN of 99 on your AP and switches, and as long as that VLAN’d trunk port ends back up at that 2nd interface, then it’d be fine? At least that’s how I’m reading it. Thanks for the help again.
Yes, that’s correct, you got it!!
I’d recommend using a LAN controller. The 2504 can support 75 APs, but that requires extra licensing upgrades, and you’re right in saying the autonomous APs need to get an LWAPP image. The easiest way I found to do that was via HTTP.
Best of luck with your project. If you need any more advice then I’d be happy to help you.
Ok, good. Well, I’d need a 2504 or some controller for each site anyway, I’d imagine, since our links between sites are slow and spotty. And thanks again, you’re a great resource, that’s for sure.
You shouldn’t put a controller at every site. What you would do is use FlexConnect, formerly known as H-REAP, and use local switching with either central authentication or remote authentication.
Oh, I thought of one other question. How in the ASA would I add access to a single IP from the other subnet/VLAN for management purposes? There is one site where the stand-alone AP would plug directly into that int 2 port on the ASA. Thanks
That’s a good question. What I would do in this situation is hook up a console cable to this AP and manage it via that rather than managing it at layer 3. Simple and hassle free... also known as OOB (out of band).