We have recently been installing guest wireless access using a WLC in the DMZ and a guest NAC server. We have successfully deployed wireless guest services using a single SSID. The client gets an IP address from the WLC in the DMZ, then asks its configured DNS servers to resolve the address; if the DNS request resolves, then the WLC intercepts the request and passes it to the guest server to display the splash page. No problem.
There is an ASA 5510 between port 2 on the WLC and the DMZ. This was used to provide a handoff to Websense. When the user requests a URL, it gets passed off to a second interface to the Websense and gets an accept or deny based on the filter. Again no problem. All works really well.
Now the problem. The original SSID was set up as untagged on the WLC. 2 new SSIDs have been added and they have to be tagged, so I added 2 subinterfaces to the interface facing the WLC; again no problem, the new clients can get their respective DHCP addresses. The ASA 5510 comprises 3 interfaces: 1 to the WLC (eth 0/0), 1 interface to the DMZ to take care of the Websense handoff and DNS (eth 0/3), and the last one to the DMZ to take care of traffic hitting the firewall (eth 0/2).
Our problem is untagged traffic. Traffic from 192.168.12.0 works, as it's untagged, but the tagged traffic doesn't. The ASA seems to lose the 115 and 116 dot1q header. Any other traffic that we see that hits the main corporate firewall tagged is listed with a dot1q header; our traffic coming from the subinterfaces is not tagged. Not sure if this is an issue, but how can I make the traffic leaving either eth 0/2 or 0/3 tagged with 115 or 116? I have to use the ASA to do the Websense handoff.
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.12.3 255.255.254.0
!
interface Ethernet0/0.115
 vlan 115
 nameif child
 security-level 100
 ip address 192.168.24.3 255.255.252.0
!
interface Ethernet0/0.116
 vlan 116
 nameif adult
 security-level 100
 ip address 192.168.20.3 255.255.252.0
!
interface Ethernet0/1
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 192.168.14.3 255.255.255.0
!
interface Ethernet0/3
 nameif websense
 security-level 0
 ip address 192.168.2.92 255.255.255.0
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list web extended permit udp any any
access-list web extended permit tcp any any
access-list web extended permit ip any any
access-list web extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu inside 1500
mtu child 1500
mtu adult 1500
mtu outside 1500
mtu websense 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
access-group web in interface adult
access-group web in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.14.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password GeamAtCaplZpZvZJ encrypted
url-server (websense) vendor websense host 192.168.2.52 timeout 30 protocol TCP version 4 connections 10
filter url except 192.168.12.0 255.255.254.0 192.168.10.18 255.255.255.255
filter url except 192.168.12.0 255.255.254.0 22.214.171.124 255.255.255.255
filter url except 192.168.20.0 255.255.252.0 126.96.36.199 255.255.255.255
filter url except 192.168.20.0 255.255.252.0 192.168.10.18 255.255.255.255
filter url except 192.168.24.0 255.255.252.0 192.168.10.18 255.255.255.255
filter url except 192.168.24.0 255.255.252.0 188.8.131.52 255.255.255.255
filter url http 192.168.12.0 255.255.254.0 0.0.0.0 0.0.0.0
filter url http 192.168.20.0 255.255.252.0 0.0.0.0 0.0.0.0
filter url http 192.168.24.0 255.255.252.0 0.0.0.0 0.0.0.0
http server enable
http 10.1.2.0 255.255.254.0 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d31267f5698ac856c80dae2eae2ff528
: end
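An added configuration-audit helper (example code written for this page, not from the original post or from Cisco): it parses a constructed excerpt modelled on the ASA config above and reports two things a reviewer would check in that config before chasing the VLAN tagging question: tagged subinterfaces that have no access-group bound (only `adult` and `outside` do, `child` does not), and management services (telnet/http/ssh) permitted from 0.0.0.0 on an interface. The parsing assumes the indented `show run` layout seen above.

```python
import re

# Constructed excerpt modelled on the ASA 5510 config posted above; only the
# interface, access-group and management-access lines the checks use are kept.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif inside
!
interface Ethernet0/0.115
 vlan 115
 nameif child
!
interface Ethernet0/0.116
 vlan 116
 nameif adult
!
interface Ethernet0/2
 nameif outside
!
access-group web in interface adult
access-group web in interface outside
telnet 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside
"""

def parse_interfaces(cfg):
    """Map nameif -> {'ifname': str, 'vlan': int or None} for every named interface."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = {"ifname": line.split()[1], "vlan": None}
        elif cur is not None and line.startswith(" vlan "):
            cur["vlan"] = int(line.split()[1])
        elif cur is not None and line.startswith(" nameif "):
            ifaces[line.split()[1]] = cur
    return ifaces

def find_issues(cfg):
    """Return findings: tagged subinterfaces with no ACL bound, and telnet/http/ssh open to any source."""
    ifaces = parse_interfaces(cfg)
    bound = set(re.findall(r"^access-group \S+ in interface (\S+)", cfg, re.M))
    issues = []
    for name, info in ifaces.items():
        if info["vlan"] is not None and name not in bound:
            issues.append(f"vlan {info['vlan']} ({name}, {info['ifname']}): no access-group bound, default policy applies")
    for svc, addr, mask, nameif in re.findall(r"^(telnet|http|ssh) (\S+) (\S+) (\S+)$", cfg, re.M):
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            issues.append(f"{svc} management access open to any host on {nameif}")
    return issues
```

Run `find_issues(SAMPLE_CONFIG)` against a real `show running-config` dump to get the same report for a live box.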
I have the exact (or similar) issue as you do. Have a subinterface on interface 1 to route out guest internet traffic. The ASA in our case is responsible for providing DHCP to the guest network. All works OK and clients connected to the guest network do get an IP address from the ASA and can ping the ASA (which is supposed to be their gateway). They can't get onto the Internet, though, although the normal data network, which is on the same physical interface (no encapsulation), works OK.