10-21-2013 11:45 AM - edited 03-04-2019 09:22 PM
I'm not a network expert but I am attempting to finish up a project started by someone else, which is setting up a guest wireless network. I'm having an issue where the machine connects to the SSID but doesn't get an IP address from the DHCP server set on the firewall. They all get the 169.254.x.x. Here's the equipment involved:
Cisco 3750G switch
Cisco ASA 5510 Firewall - IP 10.0.1.254
Cisco 2500 Series Wireless Controller
I've attached some screenshots. Let me know if you need more information. Thanks.
10-21-2013 10:36 PM
I am new to the forum as well but could you explain to me why you are trying to get DHCP from a different subnet 10.0.0.0 than the one configured on your WAP 192.0.0.0? The best scenario for a "guest" network would be to split up the networks and have DHCP coming from its own subnet with the DNS information embedded in DHCP for internet traffic.
Michael
10-22-2013 01:47 AM
Can you diagram the topology?
Presumably the 192.168.90.* network can route to the 10.0.1.* network ok?
10-22-2013 06:32 AM
I would assume so, again not a network expert. Show ip route on switch comes back with:
C 192.168.90.0/24 is directly connected, Vlan200
10.0.0.0/24 is subnetted, 4 subnets
C 10.0.2.0 is directly connected, Vlan20
C 10.0.3.0 is directly connected, Vlan30
C 10.0.1.0 is directly connected, Vlan10
C 10.0.5.0 is directly connected, Vlan5
10-22-2013 07:05 AM
I think it's the way the ASA is handling the Unicast DHCP requests as I suspect the Source address for them is the Interface on the WLC.
Try and disable the DHCP proxy feature on the WLC
Controller->Advanced->DHCP
Untick the 'Enable DHCP Proxy' option.
10-22-2013 07:21 AM
Thanks for the suggestion. Forgot to mention I have 2 SSIDs. One is my main wireless which is working fine. The other is the guest network which I'm having issues with. VLAN 20 is main and VLAN 200 is Guest.
10-22-2013 07:26 AM
Gary,
If your guest network is in the 192.x.x.x range, and your ASA is on the 10. subnet, you'll need to enable a helper address to forward the dhcp request to.
Assuming that the host boots up in the 192.x.x.x subnet, on your 3750's vlan 200, put int "ip helper-address
HTH,
John
*** Please rate all useful posts ***
10-22-2013 09:41 AM
Hey John, I set the IP helper for VLAN 200 to 10.0.1.254 (Firewall IP) and did the same on the interface page on the WLC but the laptop still doesn't get an IP.
10-22-2013 11:48 AM
Do you have a pool on the firewall for the 192.x.x.x subnet? I've not tested getting addresses from an ASA pool like this. I could lab this up if needed.
HTH,
John
*** Please rate all useful posts ***
10-22-2013 11:52 AM
John, yes the person who started this project set up DHCP on ASA Firewall.
10-22-2013 12:08 PM
Hmmm....You have pools for vpn configured. The firewall isn't going to hand those over as a normal dhcp request. I believe the ASA will only assign dhcp for interfaces that have addresses assigned to them. For example, you can have a dhcp pool associated to your internal interface in that range. If your address for the lan is 10.0.1.254, you can have dhcp in the 10.0.1.0/24 range (and only a certain amount depending on the license count).
I can think of a couple of things to work around this. Get another dhcp server up that will support the 192.168.x.x range only and point your helper to that OR create a subinterface on your ASA and trunk the ports across to the AP. Place your guest wireless in that vlan, and then you can have a local pool from the ASA for the 192.x.x.x subnet because there will be a physical interface that has that address on it.
I could be wrong, but I don't think you're going to get it to work the way it currently sits.
Here's a link to look through:
https://supportforums.cisco.com/thread/227315
HTH,
John
*** Please rate all useful posts ***
10-22-2013 12:19 PM
John, when you say create a subinterface on ASA, I think that was created...Am I wrong?
As for the trunking, I'm not sure we have that 100% covered. I ran show int trunk on the 3750 switch and got this...1/0/3, 1/04, 1/0/5, 1/0/6, 1/07 are where my APs are connected. 5/0/22 is where my WLC is connected.
10-22-2013 12:25 PM
Where is the ASA connected? That has to be part of the trunk. Also, there are two different types of pools in the ASA: dhcpd and ip local pool. The ip local pools are used for vpn clients, and the other is used for local clients. Can you telnet into the ASA and post the result from "show run dhcpd" and "show run ip local pool"?
HTH,
John
*** Please rate all useful posts ***
10-22-2013 12:35 PM
John, this is for the firewall..
INTERFACE 1 ON CISCO ASA
interface GigabitEthernet1/0/1
description ASA_LAN
switchport access vlan 10
switchport mode access
INTERFACE 3 ON CISCO ASA
interface GigabitEthernet1/0/2
description ASA_TRUNK
switchport trunk encapsulation dot1q
switchport mode trunk
Show run dhcpd returns
dhcpd address 192.168.90.1-192.168.90.200 MJFF-GUEST
dhcpd dns 8.8.8.8 4.2.2.2 interface MJFF-GUEST
dhcpd lease 90000 interface MJFF-GUEST
dhcpd enable MJFF-GUEST
Show run ip local pool returns
ip local pool MJFF-VPN-IP-POOL 192.77.22.1-192.77.22.200 mask 255.255.255.0
10-22-2013 01:37 PM
Okay...do you have a g1/0/1.200 or another subinterface on the ASA that matches the ip address of 192.168.90.x?
HTH,
John
*** Please rate all useful posts ***