
Guest VLan ASA5505 & AP541N

I'm having an issue with getting a VLAN to work with a ASA5505. I'm QUITE certain the issue is a routing/subnetting issue. I will explain my current configuration.

Cisco ASA 5505

inside interface 192.168.0.3 VLAN 1

guest interface 10.10.10.1 VLAN10

DHCP/DNS Windows 2008 R2 Server 192.168.0.13/255.255.255.0/192.168.0.3

Port VLAN 1 Untagged/PVID VLAN10 Tagged

Cisco AP541N

Port VLAN1 Untagged/PVID VLAN10 Tagged

The DHCP Server cannot ping 10.10.10.1 unless I change its IP address to something in the 10.10.10.0 range. Once I change the DHCP server's IP address to something in the 10.10.10.0 range, I'm able to get my AP to assign an IP address to the wireless client, yet I still do not get internet access. Obviously changing the IP address of the DHCP Server also knocks out the 192.168.0.0 subnet. So all my VLAN tagging and port settings seem right on my switch. I need to change some routing rules in my ASA5505. Please take a look at my configuration. The interface "t1" is my outside interface.

ASA Version 8.2(5)

!

hostname ASA5505

domain-name lsfiore.com

enable password 30yhcQ8VnFFDaLKh encrypted

passwd 4oVuIVwNDGSflT4W encrypted

names

name 192.168.0.14 fiore-exch

name 192.168.0.21 lsf-tscan

name 192.168.0.5 lsf-wsus

name 192.168.0.15 webfilter

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 10

switchport trunk allowed vlan 10

switchport mode trunk

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.3 255.255.255.0

!

interface Vlan2

nameif t1

security-level 0

ip address 139.55.206.124 255.255.255.248

!

interface Vlan3

nameif cable

security-level 0

ip address 72.28.195.149 255.255.255.0

!

interface Vlan10

nameif guests

security-level 100

ip address 10.10.10.1 255.255.255.0

!

boot system disk0:/asa825-k8.bin

no ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name lsfiore.com

same-security-traffic permit inter-interface

object-group network obj-192.168.0.0

object-group network obj-172.172.172.0

object-group network obj-192.168.0.14

object-group network obj-192.168.0.14-01

object-group network obj-192.168.0.14-02

object-group network obj-192.168.0.14-03

object-group network obj-192.168.0.21

object-group network obj-192.168.0.21-01

object-group network obj-192.168.0.21-02

object-group network obj-192.168.0.21-03

object-group network obj-192.168.0.15

object-group network obj-192.168.0.15-01

object-group network obj-192.168.0.7

object-group network obj-192.168.0.5

object-group network obj-192.168.0.5-01

object-group network obj-192.168.0.5-02

object-group network obj-192.168.0.5-03

object-group network obj-192.168.0.5-04

object-group network Exchange

access-list Out-In extended permit tcp 64.18.0.0 255.255.240.0 interface t1 eq smtp

access-list Out-In extended permit tcp any interface t1 eq www

access-list Out-In extended permit tcp any interface t1 eq https

access-list Out-In extended permit icmp any any

access-list Out-In extended permit tcp any host 139.55.206.123 eq www

access-list Out-In extended permit tcp any host 139.55.206.123 eq https

access-list Out-In extended permit tcp any host 139.55.206.123 eq citrix-ica

access-list Out-In extended permit tcp any host 139.55.206.125 eq ftp

access-list Out-In extended permit tcp any host 139.55.206.125 eq 8000

access-list Out-In extended permit tcp any host 139.55.206.125 eq 8280

access-list Out-In extended permit tcp any host 139.55.206.126 eq www

access-list Out-In extended permit tcp any host 139.55.206.126 eq 5222

access-list Out-In extended permit tcp any host 139.55.206.126 eq 5223

access-list Out-In extended permit tcp any host 139.55.206.126 eq 9090

access-list Out-In extended permit tcp any host 139.55.206.126 eq 7777

access-list cable_access_in extended permit tcp 64.18.0.0 255.255.240.0 interface cable eq smtp

access-list cable_access_in extended permit tcp any interface cable eq www

access-list cable_access_in extended permit tcp any interface cable eq https

access-list cable_access_in extended permit icmp any any

access-list cable_access_in extended permit tcp any host 72.28.195.148 eq www

access-list cable_access_in extended permit tcp any host 72.28.195.148 eq https

access-list cable_access_in extended permit tcp any host 72.28.195.148 eq citrix-ica

access-list cable_access_in extended permit tcp any host 72.28.195.150 eq ftp

access-list cable_access_in extended permit tcp any host 72.28.195.150 eq 8000

access-list cable_access_in extended permit tcp any host 72.28.195.150 eq 8280

access-list cable_access_in extended permit tcp any host 72.28.195.151 eq www

access-list cable_access_in extended permit tcp any host 72.28.195.151 eq 5222

access-list cable_access_in extended permit tcp any host 72.28.195.151 eq 5223

access-list cable_access_in extended permit tcp any host 72.28.195.151 eq 9090

access-list cable_access_in extended permit tcp any host 72.28.195.151 eq 7777

access-list inside_nat0_outbound_1 extended permit ip any any

access-list inside_nat0_outbound_1 extended permit ip 10.10.10.0 255.255.255.0 any

access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip any 172.172.172.0 255.255.255.0

access-list guests_nat0_outbound_1 extended permit ip any any

access-list guests_nat0_outbound_1 extended permit ip 10.10.10.0 255.255.255.0 any

access-list guests_nat0_outbound extended permit ip any 172.172.172.0 255.255.255.0

pager lines 24

logging enable

logging monitor debugging

logging buffered errors

logging trap errors

logging asdm debugging

logging host inside lsf-wsus

mtu inside 1500

mtu t1 1500

mtu cable 1500

mtu guests 1500

ip local pool vpnpool 172.172.172.100-172.172.172.199 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

global (t1) 1 interface

global (cable) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.0.0 255.255.255.0

nat (guests) 0 access-list guests_nat0_outbound

nat (guests) 1 10.10.10.0 255.255.255.0

static (inside,t1) tcp interface smtp fiore-exch smtp netmask 255.255.255.255 dns

static (inside,t1) tcp interface www fiore-exch www netmask 255.255.255.255

static (inside,t1) tcp interface https fiore-exch https netmask 255.255.255.255

static (inside,t1) tcp 139.55.206.123 www lsf-tscan www netmask 255.255.255.255

static (inside,t1) tcp 139.55.206.123 https lsf-tscan https netmask 255.255.255.255

static (inside,t1) tcp 139.55.206.123 citrix-ica lsf-tscan citrix-ica netmask 255.255.255.255

static (inside,t1) tcp 139.55.206.123 2598 lsf-tscan 2598 netmask 255.255.255.255

static (inside,t1) tcp 139.55.206.125 8000 webfilter 8000 netmask 255.255.255.255

static (inside,t1) tcp 139.55.206.125 8280 webfilter 8280 netmask 255.255.255.255

static (inside,t1) tcp 139.55.206.126 www lsf-wsus www netmask 255.255.255.255

static (inside,t1) tcp 139.55.206.126 5222 lsf-wsus 5222 netmask 255.255.255.255

static (inside,t1) tcp 139.55.206.126 5223 lsf-wsus 5223 netmask 255.255.255.255

static (inside,t1) tcp 139.55.206.126 7777 lsf-wsus 7777 netmask 255.255.255.255

static (inside,t1) tcp 139.55.206.126 9090 lsf-wsus 9090 netmask 255.255.255.255

static (inside,cable) tcp interface smtp fiore-exch smtp netmask 255.255.255.255 dns

static (inside,cable) tcp interface www fiore-exch www netmask 255.255.255.255

static (inside,cable) tcp interface https fiore-exch https netmask 255.255.255.255

static (inside,cable) tcp 72.28.195.148 www lsf-tscan www netmask 255.255.255.255

static (inside,cable) tcp 72.28.195.148 https lsf-tscan https netmask 255.255.255.255

static (inside,cable) tcp 72.28.195.148 citrix-ica lsf-tscan citrix-ica netmask 255.255.255.255

static (inside,cable) tcp 72.28.195.148 2598 lsf-tscan 2598 netmask 255.255.255.255

static (inside,cable) tcp 72.28.195.150 8000 webfilter 8000 netmask 255.255.255.255

static (inside,cable) tcp 72.28.195.150 8280 webfilter 8280 netmask 255.255.255.255

static (inside,cable) tcp 72.28.195.151 www lsf-wsus www netmask 255.255.255.255

static (inside,cable) tcp 72.28.195.151 5222 lsf-wsus 5222 netmask 255.255.255.255

static (inside,cable) tcp 72.28.195.151 5223 lsf-wsus 5223 netmask 255.255.255.255

static (inside,cable) tcp 72.28.195.151 7777 lsf-wsus 7777 netmask 255.255.255.255

static (inside,cable) tcp 72.28.195.151 9090 lsf-wsus 9090 netmask 255.255.255.255

access-group Out-In in interface t1

access-group cable_access_in in interface cable

route t1 0.0.0.0 0.0.0.0 139.55.206.121 1

route cable 0.0.0.0 0.0.0.0 72.28.195.1 2

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 192.168.0.13

key *****

radius-common-pw *****

aaa-server RADIUS (inside) host 192.168.0.10

key *****

radius-common-pw *****

aaa authentication ssh console LOCAL

http server enable 444

http 192.168.0.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 guests

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 86400

crypto dynamic-map outside_dyn_map 30 set pfs group1

crypto dynamic-map inside_dyn_map 20 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface t1

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map inside_map interface inside

crypto map cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map cable_map interface cable

crypto isakmp enable t1

crypto isakmp enable cable

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 192.168.0.0 255.255.255.0 inside

telnet timeout 30

ssh timeout 30

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.43.244.18 source t1

ntp server 129.6.15.29 source t1

ntp server 129.6.15.28 source t1

webvpn

enable t1

group-policy LSF internal

group-policy LSF attributes

dns-server value 192.168.0.13 192.168.0.10

vpn-tunnel-protocol IPSec

default-domain value lsfiore.com

username Mike password nsbrPcayUUh9BZXK encrypted privilege 15

username administrator password ErafdxCnVlZ7bMwk encrypted

username agunnett password KwrpFR94EMHbOwAx encrypted privilege 15

username winningtech password etFobu8SZ3vQgwhE encrypted privilege 15

tunnel-group LSF type remote-access

tunnel-group LSF general-attributes

address-pool vpnpool

authentication-server-group RADIUS

default-group-policy LSF

tunnel-group LSF ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect ftp

inspect esmtp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:c176010e5d62e8150b82f089f3a5577a

: end
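Added example, not part of the post and not a Cisco tool: a small Python checker run over a constructed excerpt of the config above. It parses the interface stanzas and flags the points a reviewer would raise before touching routing: `inside` and `guests` both sit at security-level 100 with `same-security-traffic permit inter-interface`, `http 0.0.0.0 0.0.0.0 guests` opens ASDM/HTTPS management to every guest client, and the DHCP server 192.168.0.13 is not on the guest subnet, so guest DHCP broadcasts never reach it without a relay. The function names `parse_interfaces` and `audit_guest_isolation` are my own.

```python
import ipaddress

# Constructed excerpt of the ASA 8.2 config posted above; the parser keys only on
# these keywords, so the full dump (indented or not) can be fed in unchanged.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.3 255.255.255.0
interface Vlan10
 nameif guests
 security-level 100
 ip address 10.10.10.1 255.255.255.0
same-security-traffic permit inter-interface
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 guests
"""

def parse_interfaces(config):
    """Map each nameif to {'name', 'level', 'net'} taken from its interface stanza."""
    ifaces, cur = {}, {}
    for raw in config.splitlines() + ["interface END"]:  # sentinel flushes last stanza
        s = raw.split()
        if s[:1] == ["interface"]:
            if all(k in cur for k in ("name", "level", "net")):
                ifaces[cur["name"]] = cur
            cur = {}
        elif s[:1] == ["nameif"]:
            cur["name"] = s[1]
        elif s[:1] == ["security-level"]:
            cur["level"] = int(s[1])
        elif s[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.IPv4Network(f"{s[2]}/{s[3]}", strict=False)
    return ifaces

def audit_guest_isolation(config, guest="guests", inside="inside", dhcp="192.168.0.13"):
    """Findings a reviewer would raise about guest-VLAN isolation in this config."""
    ifaces, findings = parse_interfaces(config), []
    g, i = ifaces[guest], ifaces[inside]
    if g["level"] == i["level"] and "same-security-traffic permit inter-interface" in config:
        findings.append(f"{guest} and {inside} are both level {g['level']} with inter-interface "
                        f"permit: only an ACL on {guest} keeps guest hosts off the inside LAN")
    # 'http <net> <mask> <nameif>' grants ASDM/HTTPS access ('http server enable 444' has 4 fields but no nameif)
    for s in (ln.split() for ln in config.splitlines()):
        if s[:1] == ["http"] and len(s) == 4 and s[3] == guest:
            net = ipaddress.IPv4Network(f"{s[1]}/{s[2]}", strict=False)
            findings.append(f"ASDM/HTTPS management open to {net} on {guest}")
    if ipaddress.IPv4Address(dhcp) not in g["net"]:
        findings.append(f"DHCP server {dhcp} is not on {g['net']}: {guest} clients need a DHCP relay or a local scope")
    return findings
```

Run `audit_guest_isolation(ASA_CONFIG)` to get the three findings as strings; pass a different `dhcp` address to see the third finding disappear once the server is on the guest subnet.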

