Cisco Support Community
New Member

Guest Wireless Access

I'm not a network expert but I am attempting to finish up a project started by someone else, which is setting up a guest wireless network. I'm having an issue where the machine connects to the SSID but doesn't get an IP address from the DHCP server set on the firewall. They all get the 169.254.x.x. Here's the equipment involved:

Cisco 3750G switch

Cisco ASA 5510 Firewall - IP 10.0.1.254

Cisco 2500 Series Wireless Controller

I've attached some screenshots. Let me know if you need more information. Thanks.

firewall.png

switch.png

Untitled.png

wlan.png

22 REPLIES
New Member

Guest Wireless Access

I am new to the forum as well but could you explain to me why you are trying to get DHCP from a different subnet 10.0.0.0 than the one configured on your WAP 192.0.0.0? The best scenario for a "guest" network would be to split up the networks and have DHCP coming from its own subnet with the DNS information embedded in DHCP for internet traffic.

Michael

Guest Wireless Access

Can you diagram the topology?

Presumably the 192.168.90.* network can route to the 10.0.1.* network ok?

New Member

Guest Wireless Access

I would assume so, again not a network expert. Show ip route on switch comes back with:

C    192.168.90.0/24 is directly connected, Vlan200

     10.0.0.0/24 is subnetted, 4 subnets

C       10.0.2.0 is directly connected, Vlan20

C       10.0.3.0 is directly connected, Vlan30

C       10.0.1.0 is directly connected, Vlan10

C       10.0.5.0 is directly connected, Vlan5

Guest Wireless Access

I think it's the way the ASA is handling the unicast DHCP requests, as I suspect the source address for them is the interface on the WLC.

Try and disable the DHCP proxy feature on the WLC

Controller->Advanced->DHCP  

Untick the 'Enable DHCP Proxy' option.

New Member

Guest Wireless Access

Thanks for the suggestion. Forgot to mention I have 2 SSIDs. One is my main wireless which is working fine. The other is the guest network which I'm having issues with. VLAN 20 is main and VLAN 200 is Guest.

Guest Wireless Access

Gary,

If your guest network is in the 192.x.x.x range, and your ASA is on the 10. subnet, you'll need to enable a helper address to forward the dhcp request to.

Assuming that the host boots up in the 192.x.x.x subnet, on your 3750's vlan 200, put in "ip helper-address " if the DHCP scope is on the ASA.

HTH,
John

*** Please rate all useful posts ***

New Member

Guest Wireless Access

Hey John, I set the IP helper for VLAN 200 to 10.0.1.254 (Firewall IP) and did the same on the interface page on the WLC, but the laptop still doesn't get an IP.

Guest Wireless Access

Do you have a pool on the firewall for the 192.x.x.x subnet? I've not tested getting addresses from an ASA pool like this. I could lab this up if needed.

HTH,
John

New Member

Guest Wireless Access

John, yes the person who started this project set up DHCP on ASA Firewall.

Re: Guest Wireless Access

Hmmm....You have pools for vpn configured. The firewall isn't going to hand those over as a normal dhcp request. I believe the ASA will only assign dhcp for interfaces that have addresses assigned to them. For example, you can have a dhcp pool associated to your internal interface in that range. If your address for the lan is 10.0.1.254, you can have dhcp in the 10.0.1.0/24 range (and only a certain amount depending on the license count).

I can think of a couple of things to work around this. Get another dhcp server up that will support the 192.168.x.x range only and point your helper to that OR create a subinterface on your ASA and trunk the ports across to the AP. Place your guest wireless in that vlan, and then you can have a local pool from the ASA for the 192.x.x.x subnet because there will be a physical interface that has that address on it.

I could be wrong, but I don't think you're going to get it to work the way it currently sits.

Here's a link to look through:

https://supportforums.cisco.com/thread/227315

HTH,
John

New Member

Re: Guest Wireless Access

John, when you say create a subinterface on ASA, I think that was created...Am I wrong?

As for the trunking, I'm not sure we have that 100% covered. I ran show int trunk on the 3750 switch and got this...1/0/3, 1/04, 1/0/5, 1/0/6, 1/07 are where my APs are connected. 5/0/22 is where my WLC is connected.

Trunk_preview

Re: Guest Wireless Access

Where is the ASA connected? That has to be part of the trunk. Also, there are two different types of pools in the ASA: dhcpd and ip local pool. The ip local pools are used for vpn clients, and the other is used for local clients. Can you telnet into the ASA and post the result from "show run dhcpd" and "show run ip local pool"?

HTH,
John

New Member

Re: Guest Wireless Access

John, this is for the firewall..

INTERFACE 1 ON CISCO ASA

interface GigabitEthernet1/0/1

description ASA_LAN

switchport access vlan 10

switchport mode access

INTERFACE 3 ON CISCO ASA

interface GigabitEthernet1/0/2

description ASA_TRUNK

switchport trunk encapsulation dot1q

switchport mode trunk

Show run dhcpd returns

dhcpd address 192.168.90.1-192.168.90.200 MJFF-GUEST

dhcpd dns 8.8.8.8 4.2.2.2 interface MJFF-GUEST

dhcpd lease 90000 interface MJFF-GUEST

dhcpd enable MJFF-GUEST

Show run ip local pool returns

ip local pool MJFF-VPN-IP-POOL 192.77.22.1-192.77.22.200 mask 255.255.255.0

Re: Guest Wireless Access

Okay...do you have a g1/0/1.200 or another subinterface on the ASA that matches the ip address of 192.168.90.x?

HTH,
John

New Member

Re: Guest Wireless Access

Sorry John, I'm not familiar with the gi1/0/1.200. I looked through our switch config and I don't see anything similar to that. This is what's on the interfaces section on ASA.

Guest Wireless Access

It's there at e0/3.200 for vlan 200. Can you connect a laptop to your core switch and make it a member of vlan 200 to see if it will get an address? We need to rule out that it's a dhcp issue and not wireless...I'll start labbing this up if your dhcp doesn't work from the laptop.

What port does the ASA connect to on the 3750?

HTH,
John

New Member

Re: Guest Wireless Access

Hey John, do you mean configure vlan200 on a port on the switch and plug a laptop into it to see if it pulls an IP? Interface 1 (inside) on Firewall connects to 1/0/1 of switch. Interface 3 (trunk?) of Firewall connects to 1/0/2 of switch. Not sure if it makes any difference but Interface 0 (outside) of Firewall goes to 1/0/48. Is that what you're looking for?

Re: Guest Wireless Access

Yes sir...that's it. Can you connect the laptop to the switch and see if you get an address? I'm labbing this up as well...

HTH,
John

New Member

Re: Guest Wireless Access

Gotcha, going to leave the office soon but will try this out tomorrow when I get in. Thanks for your help, John.

Guest Wireless Access

No worries. I'm going to be out the rest of the week, so someone else may be able to pick up hopefully. I labbed this up, and the ASA will definitely hand out addresses via a helper address, so you should be okay there. This is just something that has to be found, but you'll get it working.

HTH,
John

New Member

Re: Guest Wireless Access

John, do I need to set the IP helper on the switch and on the WLC interfaces section as well? Or does setting it on the WLC suffice? Also to verify, the IP helper is 10.0.1.254 or 192.168.90.254?

Re: Guest Wireless Access

Gary,

I labbed this up and I don't have any issues with it. One thing that I realized after you posted your config is that the ASA is trunked to the vlan that your guest wireless is on. That being said, you won't need a helper on that vlan. The guest will request an address by broadcasting, and since vlan 200 is part of the trunk on the ASA, the ASA will get it. I think your DHCP setup looks fine, but then again you should still put a laptop on the 3750 and make it an access port on vlan 200. If you get an address, the problem is with the WLC. Unfortunately, I don't have experience with those.

HTH,
John
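
Added example, not part of the thread and not any poster's code: a small Python check of the rule discussed above, that an ASA dhcpd pool only works when it is bound to a nameif whose interface carries an address in the same subnet. The dhcpd and ip local pool lines are the ones posted in the thread; the interface stanza (Ethernet0/3.200 with address 192.168.90.254) is an assumption, since the interface config was only shown in a screenshot.

```python
import ipaddress
import re

# Constructed sample: the dhcpd and ip local pool lines are those posted in the
# thread; the interface stanza is an assumption (subinterface name from the
# thread, address 192.168.90.254 assumed).
SAMPLE_CONFIG = """\
interface Ethernet0/3.200
 vlan 200
 nameif MJFF-GUEST
 ip address 192.168.90.254 255.255.255.0
dhcpd address 192.168.90.1-192.168.90.200 MJFF-GUEST
dhcpd dns 8.8.8.8 4.2.2.2 interface MJFF-GUEST
dhcpd lease 90000 interface MJFF-GUEST
dhcpd enable MJFF-GUEST
ip local pool MJFF-VPN-IP-POOL 192.77.22.1-192.77.22.200 mask 255.255.255.0
"""

def interface_networks(config):
    """Map each nameif to the IPv4 network configured on that interface."""
    nets, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # new stanza, nameif not seen yet
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and name:
            nets[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def check_dhcpd(config):
    """Return (nameif, status) for every dhcpd pool; VPN local pools are ignored."""
    nets = interface_networks(config)
    enabled = set(re.findall(r"^dhcpd enable (\S+)", config, re.M))
    results = []
    for lo, hi, name in re.findall(r"^dhcpd address (\S+)-(\S+) (\S+)", config, re.M):
        net = nets.get(name)
        if net is None:
            status = "no addressed interface with this nameif"
        elif not all(ipaddress.ip_address(a) in net for a in (lo, hi)):
            status = f"pool outside interface subnet {net}"
        elif name not in enabled:
            status = "pool defined but dhcpd not enabled"
        else:
            status = "ok"
        results.append((name, status))
    return results

if __name__ == "__main__":
    for name, status in check_dhcpd(SAMPLE_CONFIG):
        print(f"{name}: {status}")
```

An "ok" result only covers the ASA side; the wired-laptop test on an access port in vlan 200 is still what separates a DHCP problem from a WLC problem.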
