We have an ASA 5520. We are using one of the gig ethernet ports to set up a vendor network. The ASA is providing the DHCP services for the vendor network. The port from the ASA is connected into a switch port on one of our core switches. The VLAN port assignment on the core switch is that of the guest network. All works well for wired clients, but wireless clients which use the same vendor VLAN cannot get DHCP info from the ASA. We are using a Cisco WiSM as the management for our wireless infrastructure. The configuration looks good on both the ASA and the WiSM; we had Cisco verify this. Now if we replace the ASA with a little Linksys router, both the wired and wireless clients get DHCP addressing just fine.
It is not possible... see below:
Q. I have a Cisco Adaptive Security Appliance (ASA) device. Can I use this ASA as a DHCP server instead of windows DHCP server in order to assign IP addresses to my lightweight access points (LAPs)?
A. No, it is not possible to use an ASA as a DHCP server for LAPs. This is because the DHCP requests from the LAPs are forwarded to the external DHCP server through the WLC. Therefore, a WLC acts as a DHCP relay agent to forward the request from the LAP. However, ASA does not support DHCP requests from a DHCP relay agent.
If ASA is configured as a DHCP server, you cannot configure DHCP relay services on an interface on which the server is enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is enabled. Refer to PIX/ASA as a DHCP Server and Client Configuration Example for more information.
The Cisco ASA combines the functions of a firewall, Virtual Private Network (VPN), and intrusion prevention system (IPS) in a single appliance. The ASA is managed by an easy-to-use Adaptive Security Device Manager (ASDM).
The ASA is not the DHCP server for the LWAPP APs; our Windows DHCP server does that. The ASA needs to be the DHCP server for the wireless clients (users). The wireless clients get DHCP leases if we use something such as a simple Linksys router with the Linksys being the DHCP server, but if we try to use the ASA, only the wired clients get DHCP leases and not the wireless clients.
We are currently implementing something similar at my site. If your LAPs are behind the firewall in the vendor DMZ and your controllers are on the inside of the firewall, below is what I believe is happening.
We do use the PIX/ASA to provide DHCP services to the LAP. We provide a local IP address, gateway and DNS servers. The LAP then performs DNS resolution for the WLC and associates with the WLC through the firewall.
The clients, on the other hand, cannot get DHCP locally or through the ASA. They have to get the DHCP services via the LWAPP tunnel to the WLC. Your client broadcasts the bootps request to the AP, the AP sends it to the WLC via LWAPP, and the WLC then relays the request to the defined DHCP server. I don't think the ASA can receive a DHCP request on the inside interface and pass it through to the DMZ (vendor) interface, if that is what you are trying to do? Since your clients are tunneled and terminate on the WLC, I think you will need a locally defined IP address attached to the WLC.
PS: if I have misstated anything, please help educate me, for this is how I understand the process.
What we are trying to do really should work. The configuration is: we have set up a logical VLAN XX on our corporate LAN (non-routed). From one of the ports on the ASA (we named it "vendor") we assign this ASA port a private address, then on the ASA we configure the dhcpd and PAT settings for the clients. We then connect from this ASA port into a port on our core switch that is assigned to this VLAN for the vendor network. As I mentioned, wired clients get their addressing and work great. Now on the WiSM we have configured the VLAN (same VLAN as the corporate vendor VLAN), and on the WiSM we configure the DHCP server for the VLAN to be that of the ASA interface we are connecting to the core switch. Now if we take something like a little Linksys cable/DSL router and use it in place of the ASA, connect the Linksys to something like a separate internet connection like Comcast, and the other end into the vendor-assigned VLAN, then both wired and also wireless clients get addressing info and work. The Linksys works; it would seem like something like the ASA should work also.
The ASA cannot be used as a DHCP server for wireless users. It doesn't work. Yes, you can get any other device to give out IP addresses, but the ASA and PIX will not. Wired will work, just like in your case. Had a TAC case open a couple of years ago regarding this....
If I remember correctly it is how the WLC handles the DHCP request from the client and how it is forwarded to the ASA. I think it explains it in the link I sent earlier. Check out this other link... it says 4.2 allows you to change the way DHCP is handled from the controller.
config dhcp proxy disable
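The difference the thread keeps circling around is what the DHCP DISCOVER looks like when it reaches the ASA. A wired client's broadcast arrives with giaddr 0.0.0.0 (a directly connected client); a wireless client's request is terminated on the WLC, which in proxy mode rewrites it as a relayed request (giaddr set to the controller's interface address, hops incremented, unicast to the configured server), and the quoted Cisco note says the ASA's dhcpd does not serve relayed requests. The following is an added example, not code from the thread or from Cisco: it builds a minimal RFC 2131 DISCOVER, models the WLC in proxy mode versus bridged mode (my assumption of what `config dhcp proxy disable` changes), and models the ASA dhcpd with the single rule "accept only giaddr == 0.0.0.0", taken from the statement quoted earlier in the thread. Addresses and MACs are constructed sample values.

```python
"""Model of the DHCP path for wired vs. WLC-proxied wireless clients.

Added illustration, not code from the original thread. Packet layout is the
RFC 2131 fixed header plus a minimal options field. The ASA rule below is a
model of the quoted statement that ASA dhcpd does not serve requests that
arrive via a DHCP relay agent; the WLC proxy/bridge behaviour is an assumption.
"""
import ipaddress
import struct
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr,giaddr,chaddr,sname,file
HDR_LEN = struct.calcsize(HDR)        # 236 bytes
BOOTREQUEST = 1
FLAG_BROADCAST = 0x8000
OPT_MSG_TYPE, OPT_END, OPT_PAD = 53, 255, 0
DHCPDISCOVER = 1


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """DISCOVER as a directly connected client broadcasts it (giaddr 0, hops 0)."""
    chaddr = client_mac.ljust(16, b"\x00")
    zero = b"\x00" * 4
    hdr = struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, FLAG_BROADCAST,
                      zero, zero, zero, zero, chaddr, b"\x00" * 64, b"\x00" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return hdr + MAGIC_COOKIE + opts


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed header into readable fields."""
    (op, _htype, hlen, hops, xid, _secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr, _sname, _file) = struct.unpack(HDR, pkt[:HDR_LEN])
    return {
        "op": op, "hops": hops, "xid": xid, "flags": flags,
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
    }


def message_type(pkt: bytes) -> Optional[int]:
    """Walk the options field and return option 53 (DHCP message type)."""
    opts = pkt[HDR_LEN + len(MAGIC_COOKIE):]
    i = 0
    while i < len(opts):
        tag = opts[i]
        if tag == OPT_PAD:
            i += 1
            continue
        if tag == OPT_END:
            break
        length = opts[i + 1]
        if tag == OPT_MSG_TYPE:
            return opts[i + 2]
        i += 2 + length
    return None


def wlc_proxy(pkt: bytes, relay_ip: str) -> bytes:
    """WLC with DHCP proxy enabled (assumed behaviour): acts as a relay agent,
    stamping its own interface address into giaddr and bumping hops before
    unicasting the request to the configured DHCP server."""
    fields = list(struct.unpack(HDR, pkt[:HDR_LEN]))
    fields[3] += 1                                             # hops
    fields[10] = ipaddress.IPv4Address(relay_ip).packed        # giaddr
    return struct.pack(HDR, *fields) + pkt[HDR_LEN:]


def wlc_bridge(pkt: bytes) -> bytes:
    """WLC with 'config dhcp proxy disable' (assumed behaviour): the client's
    broadcast is forwarded onto the VLAN unmodified, so giaddr stays 0."""
    return pkt


def asa_dhcpd_accepts(pkt: bytes) -> bool:
    """Model of the ASA dhcpd rule quoted in the thread: serve only requests
    from directly connected clients, i.e. no relay agent address in giaddr."""
    hdr = parse_header(pkt)
    return hdr["op"] == BOOTREQUEST and hdr["giaddr"] == "0.0.0.0"


if __name__ == "__main__":
    wired = build_discover(bytes.fromhex("001122334455"))      # constructed MAC
    print("wired client   :", asa_dhcpd_accepts(wired))
    print("WLC proxy mode :", asa_dhcpd_accepts(wlc_proxy(wired, "10.0.0.5")))
    print("WLC bridge mode:", asa_dhcpd_accepts(wlc_bridge(wired)))
```

Run stand-alone it prints True / False / True: the wired request and the bridged wireless request look identical to the ASA, while the proxied one carries a relay address and is refused under the modeled rule. Whether a given WLC release actually bridges unmodified DHCP with proxy disabled, and whether your ASA version behaves exactly as the quoted note says, is something to confirm with a packet capture on the vendor VLAN rather than from this model.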