Seemingly Simple Wireless Setup, confusing TAC also. 3 devices: WAP150 + DLink switch + ASA Firewall.

Mike Bowers — Mon, 05 Jul 2021 12:43:09 GMT

Hello,

We're having a weird issue and wondering if someone can identify what's wrong. We've opened a TAC case with Small Business and after many hours
and tests we're still confused. It is a very basic set up but it appears like users in the WAP150 Guest network are sending all of their TCP
traffic to the Access point instead of routing it out to the internet. The BIG question noone has been able to answer: Why are the Guest wireless
users trying to send all TCP traffic on Layer 3 to the AP?

Topology:

[ASA 5505 (Basic License) ] --------- [DLink DGS-1100-24P Switch] ---------[Cisco Wireless AP 150] ------ [Guest User connecting from computer or
cell phone]

Here are the devices and info:

ASA 5505:

VLAN 1 - Inside

VLAN 2 - Outside (Since The ASA 5505 has a basic license and can't do vlans, we have ethernet port 7 plugged into a port in the DLink switch for
only guest traffic that works for all Guest users but Guest Wireless users. We have ethernet port 1 plugged in for just Inside users connecting
to Office traffic.

VLAN 5 - GuestWireless

DHCP being supplied by ASA 5505

DLink DGS-1100-24P Switch

Layer 2 Switch with VLANs 3(Office) and 5(Guest).

Cisco WAP150

VLANs 3(Inside) and 5(Guest)

Here is some quick information:

When trunking the Cisco WAP150(I've tried trunk port and Hybrid port for the WAP150 to connect to the DLink switch), the Office VLAN 3 works fine
and users route out with no issues. When trying to connect to the Guest. Guest users connect to Guest wireless, and can PULL a DHCP address from
the ASA in the proper VLAN(Correct Default Gateway,DNS, etc everything correct), AND can send DNS traffic out to the internet and resolve, BUT
web and TCP traffic is directed to the WAP150's IP address which is located in the Inside network. The ASA 5505 at this point says "No, we can't
do this because of of the no forward command between Guest and Inside networks due to license constraints of the basic license". The massive
question is, when someone connects to Guest Wireless and acceses a webpage on the internet, the log capture is showing the Guest users IP
(10.200.1.57, for example) going to the Access Points IP(10.40.222.240) with the traffic instead of routing it out to the internet (i.e logs show
many packets like 10.200.1.57.63246 > 10.40.222.240.443 ).

???? Very confusing. This is a Layer 2 switch between them, it's the only device between them, the Firewall is only routing the packets.

Here's the thing, when connecting wired cable to the DLink switch on a switchport on Vlan 5(Guest), they pull a Guest DHCP address no problem and
route out to the internet with no problems. Pull their hard wire cable out, connect them to Guest Wireless, and their Layer 3 IP traffic gets
sent to the Access Point instead of routed out. Does this make any sense to anyone why L3 traffic is sent to the access point specifically?

I'm going to attach some packet captures for the Guest network on the ASA, ASA config, and DLink switch config.

I do not have Cisco WAP150 screenshots because they are currently unreachable after attempting to set the Management VLAN and untagged VLAN to VLAN 5 and then 1 which cut me off from being able to manage it until I can get permission to go back out there.

To Summarize, the VLAN 3(Inside/Office) and VLAN 5(Guest) are configured on the Access points and broadcasting. VLAN 3 works fine with no issues, but VLAN Guest tries to route TCP/Web Traffic to Access Point instead of to the internet destinations.

Attached files:

ASA Configuration.

ASDM Capture log showing the "No forward" issue due to the basic license of the ASA 5505 that prohibits guest and inside from communicating.

ASA Capture packet log (Note: We have several WAP150s we were going to cluster together. This log shows two: 10.40.222.240 and 10.40.222.242. If the guest connects and associates with the .240, it sends all its web traffic to the 240. If it associates with the 242, it sends all its web traffic/TCP traffic to the .242 AP.) Also, we plugged in a generic netgear Access point at 10.200.1.2 that connects to the Guest wireless VLAN and wireless clients send traffic fine from it. So you'll see that traffic routing out successfully with 10.200.1.2 on the internet.

Screen shots of DLink config (Just for reference. Guest port is plugged into Port 23, Access Points were plugged into Port 1 and Port 2)

Let me know if I can explain anything better or if anything sparks any lightbulbs. . Godspeed 😞

topic Seemingly Simple Wireless Setup, confusing TAC also. 3 devices: WAP150 + DLink switch + ASA Firewall. in Wireless

Seemingly Simple Wireless Setup, confusing TAC also. 3 devices: WAP150 + DLink switch + ASA Firewall.