ASA 5510 trunking dot.1q issue and WLC DMZ

Unanswered Question
Apr 23rd, 2010

Hi,

We have recently been installing guest wireless access using a WLC in the DMZ and a guest NAC server. We have successfully deployed wireless guest services using a single SSID. The client gets an IP address from the WLC in the DMZ, then asks its configured DNS servers to resolve the address; if the DNS request resolves, the WLC intercepts the request and passes it to the guest server to display the splash page. No problem.

There is an ASA 5510 between port 2 on the WLC and the DMZ. This was used to provide a handoff to Websense. When the user requests a URL, it gets passed off a second interface to the Websense and gets an accept or deny based on the filter. Again no problem. All works really well.

Now the problem. The original SSID was set up as untagged on the WLC. 2 new SSIDs have been added and they have to be tagged, so I added 2 subinterfaces to the interface facing the WLC; again no problem, the new clients can get their respective DHCP addresses. The ASA 5510 comprises 3 interfaces: 1 to the WLC (eth 0/0), 1 interface to the DMZ to take care of the Websense handoff and DNS (eth 0/3) and the last one to the DMZ to take care of traffic hitting the firewall (eth 0/2).

Our problem is untagged traffic. Traffic from 192.168.12.0 works, as it's untagged, but the tagged traffic doesn't. The ASA seems to lose the 115 and 116 dot1q header. Any other traffic that we see hitting the main corporate firewall tagged is listed with a dot1q header; our traffic coming from the subinterfaces is not tagged. Not sure if this is an issue, but how can I make the traffic leaving either eth 0/2 or 0/3 tagged with 115 or 116? I have to use the ASA to do the Websense handoff.

Any ideas???

interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.12.3 255.255.254.0
!
interface Ethernet0/0.115
vlan 115
nameif child
security-level 100
ip address 192.168.24.3 255.255.252.0
!
interface Ethernet0/0.116
vlan 116
nameif adult
security-level 100
ip address 192.168.20.3 255.255.252.0
!
interface Ethernet0/1
no nameif
security-level 100
no ip address
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 192.168.14.3 255.255.255.0
!
interface Ethernet0/3
nameif websense
security-level 0
ip address 192.168.2.92 255.255.255.0
!
interface Management0/0
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list web extended permit udp any any
access-list web extended permit tcp any any
access-list web extended permit ip any any
access-list web extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu inside 1500
mtu child 1500
mtu adult 1500
mtu outside 1500
mtu websense 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
access-group web in interface adult
access-group web in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.14.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password GeamAtCaplZpZvZJ encrypted
url-server (websense) vendor websense host 192.168.2.52 timeout 30 protocol TCP version 4 connections 10
filter url except 192.168.12.0 255.255.254.0 192.168.10.18 255.255.255.255
filter url except 192.168.12.0 255.255.254.0 1.1.1.1 255.255.255.255
filter url except 192.168.20.0 255.255.252.0 1.1.1.1 255.255.255.255
filter url except 192.168.20.0 255.255.252.0 192.168.10.18 255.255.255.255
filter url except 192.168.24.0 255.255.252.0 192.168.10.18 255.255.255.255
filter url except 192.168.24.0 255.255.252.0 1.1.1.1 255.255.255.255
filter url http 192.168.12.0 255.255.254.0 0.0.0.0 0.0.0.0
filter url http 192.168.20.0 255.255.252.0 0.0.0.0 0.0.0.0
filter url http 192.168.24.0 255.255.252.0 0.0.0.0 0.0.0.0
http server enable
http 10.1.2.0 255.255.254.0 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d31267f5698ac856c80dae2eae2ff528
: end
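Added example (not the poster's or Cisco's code): a small Python parser over a constructed excerpt of the config above. It shows that the tag on the wire is decided by the egress interface alone, so frames routed out of the untagged `outside` interface carry no dot1q header regardless of whether they entered via `child` (VLAN 115), and it flags the two settings in the posted config a reviewer would want tightened (the `permit ip any any` ACL inbound on a security-level 0 interface, and Telnet management open to any source on `outside`).

```python
import re

# Constructed excerpt of the poster's ASA 5510 config (interface, ACL and mgmt stanzas only).
ASA_CONFIG = """\
interface Ethernet0/0.115
vlan 115
nameif child
security-level 100
!
interface Ethernet0/2
nameif outside
security-level 0
!
access-list web extended permit ip any any
access-group web in interface outside
telnet 0.0.0.0 0.0.0.0 outside
"""

def parse_interfaces(cfg):
    """Map each nameif to its port, 802.1Q tag (None = untagged), security level and inbound ACL."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        key, _, val = line.partition(" ")
        if key == "interface":
            cur = {"port": val.split(".")[0], "vlan": None, "acl": None}
        elif key == "vlan":
            cur["vlan"] = int(val)
        elif key == "nameif":
            ifaces[val] = cur
        elif key == "security-level":
            cur["level"] = int(val)
    for acl, name in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M):
        ifaces[name]["acl"] = acl
    return ifaces

def egress_tag(ifaces, dst):
    """A routed ASA strips the ingress dot1q header; only the egress interface sets the tag."""
    return ifaces[dst]["vlan"]

def audit(ifaces, cfg):
    """Defender checks: wide-open inbound ACL on a level-0 interface; mgmt open to any source."""
    findings = []
    for name, i in ifaces.items():
        if i["level"] == 0 and i["acl"] and re.search(
                rf"^access-list {i['acl']} extended permit ip any any", cfg, re.M):
            findings.append(f"{name}: inbound ACL {i['acl']} permits ip any any")
    for proto, name in re.findall(r"^(telnet|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        findings.append(f"{name}: {proto} management open to any source")
    return findings
```

`egress_tag(parse_interfaces(ASA_CONFIG), "outside")` returns `None`: to get tagged frames out of eth 0/2 or 0/3, the egress side itself would need a VLAN subinterface, since the ingress tag never survives routing.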

maoSimplex Fri, 10/29/2010 - 10:58

Hi Kevin

I have the exact (or similar) issue as you do. I have a subinterface on interface 1 to route out guest internet traffic. The ASA in our case is responsible for providing DHCP to the guest network. All works OK and clients connected to the guest network do get an IP address from the ASA and can ping the ASA (which is supposed to be their gateway). They can't get onto the Internet though, although the normal data network, which is on the same physical interface (no encapsulation), works OK.

Any ideas?

Thanks

Michael