Tricky ASA 5505 to 5520 EasyVpn - WLC WLAN issue

Aug 13th, 2009

I have a WLC 4400 that manages our APs. We have a few WLANs/SSIDs that the APs use.

We have locations around the county that are connected back to us on our fiber. When we plug APs into any of the remote or local sites we have no problems.

Second setup: we have locations that are not on our fiber, so we use ASA 5505s to create a tunnel using Easy VPN.

They connect just fine and users plugged into the 5505 have no problems at all.

When I plug in the AP it connects, gets an IP and connects to the WLC.

The wireless client connecting to the AP will get an IP from the WLC / WLAN subnet. Still looks good. All DNS resolution and pinging works internally and externally.

The problem that occurs is that no traffic gets back, like web, etc. So when I try to bring up a web page internally or externally it just times out. All sites can be pinged, just no way back. It will sometimes connect to web sites for a few minutes, then slowly stop and then time out. Intranet pages and outside pages alike.

TIA

ASA Version 7.2(3)
hostname ciscoasa
domain-name default.domain.invalid
enable password *********** encrypted
names
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.177.1 255.255.255.240
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd ********** encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.100.174.0 255.255.255.0 inside
http 10.26.0.0 255.255.0.0 inside
http 10.100.171.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 10.100.177.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd domain mydomain.org
dhcpd auto_config outside
dhcpd address 10.100.177.2-10.100.177.14 inside
dhcpd dns 10.26.0.101 10.100.50.21 interface inside
dhcpd wins 10.26.0.101 interface inside
dhcpd option 43 hex 31302e3130302e35302e313425324331302e3130302e35302e31 interface inside
dhcpd option 60 hex 436973636f2b41502b6331323530 interface inside
dhcpd option 150 ip 10.100.20.11 interface inside
dhcpd enable inside
vpnclient server xxx.xxx.xxx.xxx
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup tunnel-1 password ********
vpnclient username **** password ********
vpnclient enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:3d384c00eaa7477b77725efa8f6d763a
: end
ciscoasa#
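The posted config carries DHCP options 43 and 60 as raw hex, which is hard to review by eye. This added example (not from the thread) decodes such ASA `dhcpd option N hex` lines and builds the value the other way, either as plain ASCII or in the TLV form Cisco documents for its lightweight Aironet APs; the sample lines are constructed copies of the two from the config, and the function names are my own.

```python
import re
import ipaddress

# Constructed copies of the two option lines from the posted ASA config.
SAMPLE_LINES = [
    "dhcpd option 43 hex 31302e3130302e35302e313425324331302e3130302e35302e31 interface inside",
    "dhcpd option 60 hex 436973636f2b41502b6331323530 interface inside",
]

_OPT_RE = re.compile(r"^dhcpd option (\d+) hex ([0-9a-fA-F]+)(?: interface (\S+))?$")


def decode_option_line(line):
    """Return (option_number, raw_bytes, ascii_text) for an ASA 'dhcpd option N hex' line.
    ascii_text is None when the bytes are not printable ASCII (e.g. a binary TLV)."""
    m = _OPT_RE.match(line.strip())
    if not m:
        raise ValueError("not a dhcpd option hex line: %r" % line)
    raw = bytes.fromhex(m.group(2))
    text = raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None
    return int(m.group(1)), raw, text


def ascii_option_hex(text):
    """Hex encoding of a plain ASCII value, as the ASA 'hex' keyword expects."""
    return text.encode("ascii").hex()


def cisco_lwapp_option43_hex(controller_ips):
    """Option 43 in the TLV form Cisco documents for lightweight Aironet APs:
    type 0xf1, length 4*N, then each controller IPv4 address as four bytes."""
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if not value:
        raise ValueError("need at least one controller address")
    return bytes([0xF1, len(value)]).hex() + value.hex()


def decode_cisco_lwapp_option43(hexstr):
    """Inverse of cisco_lwapp_option43_hex: returns the list of controller IPs."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2 or raw[0] != 0xF1 or raw[1] != len(raw) - 2 or raw[1] % 4:
        raise ValueError("not a well-formed Cisco option 43 TLV")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, len(raw), 4)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        num, raw, text = decode_option_line(line)
        print("option %d: %d bytes -> %r" % (num, len(raw), text))
    print("TLV form for 10.100.50.14 and 10.100.50.1:",
          cisco_lwapp_option43_hex(["10.100.50.14", "10.100.50.1"]))
```

Decoded as written, the two options read `10.100.50.14%2C10.100.50.1` and `Cisco+AP+c1250`, where `%2C` and `+` are the URL-encoded forms of a comma and a space, so the strings are worth comparing against exactly what the AP expects.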



spetrill1 Thu, 08/13/2009 - 18:14

Forgot to add this..

Quick layout again of the scenario: the clients connecting to the APs plugged into the ASA are getting addresses from the WLC, from the WLAN they are connecting to.

The users directly plugged in are getting them from the ASA 5505.

I can create an FTP server on the internal network and FTP to it and connect to it from outside on the WLAN/WLC subnet on the AP plugged into the ASA. When I start a download it starts, but then drags and gets slow until it drops. If I browse to a network share I can copy a file, it is just really, really slow. The web pages start for a millisecond then just keep waiting for a reply. Again, it works on the subnet plugged straight into the ASA.



cchitwood1 Thu, 10/15/2009 - 12:00

Add DHCP option 3 to your DHCP scope so your APs get the default gateway.


dhcpd option 3 ip x.x.x.x interface inside
