Monday, March 7, 2011

Repurposing an old Cisco PIX to provide secure public WiFi on a corporate LAN

I am in the planning stages of a fun little project, whereby the client's goal is to provide secure wireless access to guests over an ADSL link dedicated to this purpose. Simple enough, but this traffic will travel over the same edge-to-core switches that carry business traffic, so we will have to set up some VLANs.

This client recently retired their ageing PIX firewall and replaced it with new Cisco ASAs. So instead of chucking the PIX we will press it into service as the secure gateway / firewall for the public ADSL Internet breakout.

The PIX in this case has two physical interfaces named ethernet0 and ethernet1. ethernet0 will be connected to the ADSL and ethernet1 to the LAN. ethernet1 will carry a tagged VLAN for the guest traffic, and the switch ports to which the guest APs connect will be configured to do the appropriate VLAN tagging.

Here is how to configure the PIX (PIX 6.x syntax, where a logical VLAN interface hangs off a physical one and gets its own nameif and security level):

  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet1 vlan1 physical
  interface ethernet1 vlan10 logical
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif vlan10 guest_wifi security10

Most client devices nowadays expect DHCP, and since guest clients never touch the corporate network (or its DHCP server) we'll have to make do with running DHCP off the PIX. The interface address goes first, because the PIX expects the pool to lie within the subnet of the interface it is enabled on:

  ip address guest_wifi 192.168.202.1 255.255.255.0
  dhcpd address 192.168.202.100-192.168.202.200 guest_wifi
  dhcpd dns 192.168.0.1
  dhcpd lease 3600
  dhcpd ping_timeout 50
  dhcpd enable guest_wifi

Substitute 192.168.0.1 on the dhcpd dns line with your ISP's DNS server. Note that the interface name used in ip address, dhcpd address and dhcpd enable must be exactly the name given in the nameif command (guest_wifi), not the VLAN interface name.
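As an added sanity check that is not part of the original post, here is a small Python linter for exactly these PIX 6.x commands: it parses the nameif, ip address and dhcpd lines, flags any interface name that was never nameif'd (a slip such as "ip address wifi" when the interface was named guest_wifi), confirms the DHCP pool sits inside that interface's subnet, and confirms the guest interface's security level is below inside, which is what makes the PIX's default policy keep guests off the corporate LAN. The embedded configuration is a constructed sample based on the commands above, with that name slip left in deliberately.

```python
import ipaddress

# Constructed sample of the commands above; the last line deliberately says "wifi".
PIX_CONFIG = """\
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 guest_wifi security10
dhcpd address 192.168.202.100-192.168.202.200 guest_wifi
dhcpd lease 3600
dhcpd enable guest_wifi
ip address wifi 192.168.202.1 255.255.255.0
"""

def parse(config):
    """Collect nameif security levels, interface addresses, dhcpd pools and enables."""
    levels, addrs, pools, enabled = {}, {}, {}, set()
    for line in config.splitlines():
        t = line.split()
        if len(t) == 4 and t[0] == "nameif":            # nameif hw_if name securityN
            levels[t[2]] = int(t[3][len("security"):])
        elif len(t) == 5 and t[:2] == ["ip", "address"]:  # ip address name addr mask
            addrs[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif len(t) == 4 and t[:2] == ["dhcpd", "address"]:  # dhcpd address lo[-hi] name
            a = t[2].split("-")
            pools[t[3]] = (ipaddress.ip_address(a[0]), ipaddress.ip_address(a[-1]))
        elif len(t) == 3 and t[:2] == ["dhcpd", "enable"]:
            enabled.add(t[2])
    return levels, addrs, pools, enabled

def check(config):
    """Return a list of problems: unknown interface names, pools that do not fit the
    interface subnet, and a DHCP-serving interface not lower security than inside."""
    levels, addrs, pools, enabled = parse(config)
    problems = []
    for name in sorted(set(addrs) | set(pools) | enabled):
        if name not in levels:
            problems.append(f"'{name}' is not a nameif'd interface")
    for name, (lo, hi) in pools.items():
        iface = addrs.get(name)
        if iface is None:
            problems.append(f"dhcpd pool on '{name}' but no ip address set")
        elif lo > hi or lo not in iface.network or hi not in iface.network:
            problems.append(f"dhcpd pool on '{name}' outside {iface.network}")
        if name in levels and "inside" in levels and levels[name] >= levels["inside"]:
            problems.append(f"'{name}' is not lower security than inside")
    return problems

if __name__ == "__main__":
    print("\n".join(check(PIX_CONFIG)) or "no problems found")
```

Paste your own running-config into PIX_CONFIG to re-run the same checks; lines the parser does not recognise are simply ignored.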

And that should work rather brilliantly – I will know for sure in about a week's time when I implement it.