Setting up your ASA for guest wireless is easy; you only need the base licence to do it. First, remember that a VLAN sits at layer 2 of the OSI model, so when your clients connect to the guest wireless VLAN it is the ASA firewall that routes them out of that VLAN. So here’s your topology.

[Figure: guest wireless topology]

I can hear you asking why there are two connections to the firewall: one is your inside corporate interface and the second is your guest wireless interface.

So you’ve already set up your AP, either as an autonomous AP or connected to your LAN controller. The reason you need to trunk your AP to the switch is so that you can have multiple SSIDs, each with its own VLAN assigned. One thing I would mention: make sure your switch has DTP turned off on unused ports. I don’t think I need to explain that one, do I?

ASA1(config)#interface vlan 3
ASA1(config-if)#nameif Guest
ASA1(config-if)#security-level 50
ASA1(config-if)#ip address 192.168.1.254 255.255.255.0
ASA1(config-if)#no forward interface vlan 1
ASA1(config-if)#exit
ASA1(config)#interface ethernet 0/2
ASA1(config-if)#switchport access vlan 3
ASA1(config-if)#exit

NAT Translation

ASA1(config)#global (outside) 1 interface
ASA1(config)#nat (Guest) 1 0.0.0.0 0.0.0.0

I usually assign DHCP addresses from the ASA when setting up guest wireless this way, but you can do it from the LAN controller or the AP itself. Here’s the config for the ASA; the pool has to sit inside the Guest subnet, and the interface name is the one you gave with nameif.

ASA1(config)#dhcpd address 192.168.1.x-192.168.1.x Guest
ASA1(config)#dhcpd dns 8.8.8.8
ASA1(config)#dhcpd enable Guest

That, my friends, is all there is to it. Your ASA will already have the rule in there that states “any to any less secure network”, which means your guest wireless clients will be able to access the internet, and the config line “no forward interface vlan 1” prevents access to your inside corporate network.
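The whole guest VLAN hangs on a few lines agreeing with each other: the dhcpd pool naming the same nameif and sitting in the same subnet as the interface, the no forward line pointing at the inside VLAN, and the guest security level staying below inside. The script below is an added example, not code from the original post: it parses the ASA config lines used above and reports those mismatches. The inside and outside stanzas and the concrete DHCP pool are constructed sample input, assumed to be ASA 5505 defaults, and stand in for the post’s 192.168.1.x placeholders.

```python
"""Lint a guest-wireless ASA VLAN config for the slips that break guest
isolation or guest connectivity. Added example, not the post's own code."""
import ipaddress
import re

# Constructed sample (not from the post): inside/outside stanzas are assumed
# ASA 5505 defaults; the guest stanza follows the post with a concrete DHCP
# pool in place of its 192.168.1.x placeholders.
GOOD_CONFIG = """\
interface vlan 1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface vlan 2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface vlan 3
 nameif Guest
 security-level 50
 ip address 192.168.1.254 255.255.255.0
 no forward interface vlan 1
interface ethernet 0/2
 switchport access vlan 3
global (outside) 1 interface
nat (Guest) 1 0.0.0.0 0.0.0.0
dhcpd address 192.168.1.10-192.168.1.100 Guest
dhcpd dns 8.8.8.8
dhcpd enable Guest
"""

# Same config with two slips: the 'no forward interface' line dropped and
# dhcpd pointed at a name (Guest_DHCP) that is not a nameif.
BAD_CONFIG = (GOOD_CONFIG
              .replace(" no forward interface vlan 1\n", "")
              .replace("192.168.1.100 Guest\n", "192.168.1.100 Guest_DHCP\n")
              .replace("dhcpd enable Guest\n", "dhcpd enable Guest_DHCP\n"))


def parse_asa_config(text):
    """Return (interfaces keyed by nameif, dhcpd pools, dhcpd-enabled names)."""
    interfaces, pools, enabled, cur = {}, [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):        # top-level line ends any stanza
            cur = None
            if m := re.match(r"interface vlan (\d+)$", line, re.I):
                cur = {"vlan": int(m.group(1)), "level": None,
                       "address": None, "network": None, "no_forward": []}
            elif m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)$", line, re.I):
                pools.append((ipaddress.ip_address(m.group(1)),
                              ipaddress.ip_address(m.group(2)), m.group(3)))
            elif m := re.match(r"dhcpd enable (\S+)$", line, re.I):
                enabled.add(m.group(1))
            continue
        if cur is None:                     # inside a physical-port stanza
            continue
        if m := re.match(r"nameif (\S+)$", line, re.I):
            interfaces[m.group(1)] = cur
        elif m := re.match(r"security-level (\d+)$", line, re.I):
            cur["level"] = int(m.group(1))
        elif m := re.match(r"ip address (\S+) (\S+)$", line, re.I):
            try:                            # 'ip address dhcp setroute' has no static subnet
                cur["address"] = ipaddress.ip_address(m.group(1))
                cur["network"] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
            except ValueError:
                pass
        elif m := re.match(r"no forward interface vlan (\d+)$", line, re.I):
            cur["no_forward"].append(int(m.group(1)))
    return interfaces, pools, enabled


def check_guest_config(text, guest="Guest", inside="inside"):
    """Return a list of problems; an empty list means the guest VLAN passes."""
    interfaces, pools, enabled = parse_asa_config(text)
    problems = []
    g = interfaces.get(guest)
    if g is None:
        return [f"no interface has nameif {guest}"]
    ins = interfaces.get(inside)
    if ins is not None:
        # Base-licence 5505: the third VLAN must be barred from initiating
        # traffic to one other VLAN, and for a guest network that is inside.
        if ins["vlan"] not in g["no_forward"]:
            problems.append(f"{guest} lacks 'no forward interface vlan {ins['vlan']}'")
        # The implicit 'any to any less secure' rule only protects inside
        # if the guest level is strictly lower.
        if None not in (g["level"], ins["level"]) and g["level"] >= ins["level"]:
            problems.append(f"{guest} security-level {g['level']} is not below {inside}")
    for start, end, name in pools:
        iface = interfaces.get(name)
        if iface is None:
            problems.append(f"dhcpd address pool names unknown interface {name}")
        elif (iface["network"] is None or start > end
              or start not in iface["network"] or end not in iface["network"]):
            problems.append(f"dhcpd pool {start}-{end} is outside {name}'s subnet")
        elif start <= iface["address"] <= end:
            problems.append(f"dhcpd pool {start}-{end} contains {name}'s own address")
    if guest not in enabled:
        problems.append(f"dhcpd is not enabled on {guest}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_guest_config(cfg) or "OK")
```

Run it against a `show running-config` dump before you hand the SSID to guests; the good sample passes, and the bad sample reports the missing no forward line, the unknown Guest_DHCP interface and the fact that DHCP is never enabled on Guest.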

“If you can’t see it, it’s not there”

RH
