shahin <(E-Mail Removed)> hath wroth:
>I have an issue with placing a wireless access point into the DMZ.

What type of DMZ? There are at least 3 different types (bastion host,
screened subnet, and dual firewall). In addition, there is some
abomination found in cheap routers that claims to be a DMZ, but really
opens to the internet whatever is plugged into the DMZ, without any
filtering or protection. It really depends on your unspecified model
router(s) and topology. What are you using?

>We have a firewall with DMZ,

Of course, this is a secret model firewall or you would have supplied
the maker and model number. Hint: Not all firewalls are the same.

>and I want the guest clients be able to
>use this Access point for internet, so I put a CISCO 1200 series into
>the DMZ.

Ok, that's one way to do it. It will work depending on your
unspecified model router(s).

>the DMZ has no DHCP and LAN clients that connected to DMZ
>have Static IPs, so I gave the WAP (wireless Access Point) the same IP
>range as DMZ, now I give to my laptop an IP in the same range as DMZ and
>WAP, I can ping the WAP but I am not able to ping the outside world
>or use internet.

I don't understand. Could you re-write this one sentence description
of your topology in a somewhat clearer manner? If I decode this
correctly, you do NOT have a DHCP server (or DHCP relay feature)
available to the DMZ. Is this correct? If so, it won't work for the
random connecting client unless you manually assign an IP address to each
wireless client. I assume you don't want to do this, so you'll need
to conjure a DHCP server or DHCP relay.

>If I put the WAP in inside interface of firewall there is no problem,
>I can ping anywhere and I can use internet. (the only difference
>between DMZ and Inside network is that DMZ has no DHCP and Inside LAN
>has DHCP)

Won't work without a DHCP server available inside the DMZ.

>Any Idea?

Sure. Which exact model Cisco 1200 series access point are you using?
<http://www.cisco.com/en/US/products/hw/wireless/ps430/products_data_sheet09186a00800937a6.html>
None of these have a DHCP server built into the access point. Therefore,
it has to come from the rest of your network. Depending on your
inside firewall and what you are using for a DHCP server on your
inside network, you can either enable the DHCP server on the DMZ side
of the inside firewall, or set up the firewall to act as a relay host
for a different DHCP server inside the firewall.

Another way is to simply forget about using the 1200 access point for
wireless and use a wireless router. Wireless clients connect and
obtain a non-routable IP address. The DHCP server is in the wireless
router. NAT converts all connections to a single IP address, which
can be filtered, sniffed for evilware, and secured. If the purpose is
to give users internet access without also giving them access to the
inside network, this arrangement is easy to configure.

If you're using a Microsoft ISA server, these articles might be
useful:
http://www.isaserver.org/tutorials/2...sdmzpart1.html
http://www.isaserver.org/articles/20...sdmzpart2.html

--
Jeff Liebermann
(E-Mail Removed)
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060
http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
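An added illustration of the two fixes Jeff names (a DHCP pool served on the DMZ side of the inside firewall, or the firewall relaying DHCP to a server on the inside network); this is not from the post or from the OP's unspecified firewall, and it assumes a Cisco IOS-style device with constructed interface names and addresses.

```cisco
! Assumed Cisco IOS-style inside firewall/router; interface name and all
! addresses are constructed for illustration. Use ONE of the two options.
!
interface GigabitEthernet0/1
 description DMZ segment holding the Aironet 1200 access point
 ip address 192.0.2.1 255.255.255.0
 ! Option B: relay. Client DHCPDISCOVER broadcasts arriving on the DMZ
 ! interface are forwarded as unicast to the inside DHCP server, so no
 ! DHCP server has to live in the DMZ itself.
 ip helper-address 192.168.10.5
!
! Option A: serve DHCP locally on the DMZ side (delete the helper-address
! above if you use this). Keep the AP's static address out of the pool.
ip dhcp excluded-address 192.0.2.1 192.0.2.20
ip dhcp pool DMZ-GUESTS
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1
 dns-server 192.0.2.1
 lease 0 4
```

With either option the guest laptop should pick up an address, default gateway and DNS from the DMZ segment instead of needing a hand-typed static IP; the DMZ-to-outside rules on the firewall still decide whether it can reach the internet.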