Wireless guest have no connectivity in the DMZ

c-balduck
Level 1

Hi,

I am deploying a new wireless setup with two 2504 controllers, one for the corporate ssid and one for guest segment.

The anchor controller used for web-authentication has 1 leg in the inside network (10.x.x.x) and 1 leg in the dmz 192.168.100.x (to ASA 5515 v9.0) on the 192.168.100.0 /24 range.

The ASA has internal and external context.

The Mobility tunnel is up.

The ASA is doing DHCP, and the hosts receive IP addresses and (public) DNS 173.194.67.94.

Problem is the hosts cannot do DNS lookup and thus no redirection to the web-portal.

The ASA shows no denies. When I ping the DNS from the Anchor controller, I see the following.

Jul 11 2013 07:44:17: %ASA-6-302020: Built outbound ICMP connection for faddr 173.194.67.94/0 gaddr 10.101.114.172/815 laddr 10.101.114.172/815

Jul 11 2013 07:44:19: %ASA-6-302021: Teardown ICMP connection for faddr 173.194.67.94/0 gaddr 10.101.114.172/815 laddr 10.101.114.172/815

A packet sniffer shows that hosts connected send DNS requests and never get anything back.

How should I approach this issue from here?

5 Replies

lcambron
Level 3

Hello Chris,

You can setup captures on the ingress and egress interfaces of the ASA.

Is the connection being translated to a public IP?

You can also use the packet tracer command:

packet-tracer input interface_name udp 10.101.114.172 1025 173.194.67.94 53

interface_name = incoming interface.

And confirm the packet is being allowed and translated.

Regards,

Felipe.

Remember to rate useful posts.

Hi,

after some changes, the WLC can now reach the public DNS server.

However, the hosts cannot do anything. (no nslookup, no ping)

I removed web-authentication from the WLAN config to simplify troubleshooting, but even so, the result is the same.

Host receives IP address and DNS server.

When I do a packet tracer on the outside context, from the guest (wifi) segment to the DNS, I see the packet is dropped.

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

My config is:

object network Guest_wireless
 subnet 192.168.100.0 255.255.255.0

access-list GUEST extended permit ip object Guest_wireless any
access-list GUEST extended permit icmp object Guest_wireless any
access-group GUEST in interface Guest_wireless

interface GigabitEthernet0/3.2
 nameif Guest_wireless
 security-level 40
 ip address 192.168.100.254 255.255.255.0 standby 192.168.100.253

object network Guest_wireless
 nat (dmz,outside) dynamic "public ip"

Thanks

Correction: Packet tracer does work.

The guest laptop can ping the gateway (fw interface)

But it cannot ping the public IP and I have allowed all traffic out as you can see in the config above.

The problem was the NAT config.

nat (dmz,outside) dynamic "public ip" had to be

nat (guest_int,outside) dynamic "public ip"

This is the new interface, and I'm programmed for NAT config related to the DMZ.

Anyhow, I'm happy it's fixed.

Thanks for the help
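As an added check (not from this thread or from Cisco), the following Python script parses a constructed copy of the config posted above and flags object NAT rules whose real-side interface is not the nameif that owns the object's subnet, which is exactly the (dmz,outside) versus guest-interface mismatch found here; the public IP is replaced by a placeholder.

```python
import ipaddress
import re

# Constructed sample built from the posted config: the guest subnet lives on
# nameif Guest_wireless, but the object NAT binds the real side to "dmz".
SAMPLE_CONFIG = """
object network Guest_wireless
 subnet 192.168.100.0 255.255.255.0
interface GigabitEthernet0/3.2
 nameif Guest_wireless
 security-level 40
 ip address 192.168.100.254 255.255.255.0 standby 192.168.100.253
object network Guest_wireless
 nat (dmz,outside) dynamic PUBLIC_IP_PLACEHOLDER
"""

def parse_asa(config):
    """Collect object subnets, object NAT (real,mapped) pairs and interface nameif/subnet."""
    objects, nats, ifaces = {}, {}, {}
    current_obj = current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("object network "):
            current_obj, current_if = line.split()[2], None
        elif line.startswith("interface "):
            current_if, current_obj = {"nameif": None, "net": None}, None
            ifaces[line.split()[1]] = current_if
        elif current_obj and line.startswith("subnet "):
            _, net, mask = line.split()
            objects[current_obj] = ipaddress.ip_network(f"{net}/{mask}")
        elif current_obj and line.startswith("nat ("):
            m = re.match(r"nat \(([^,]+),([^)]+)\)", line)
            nats[current_obj] = (m.group(1), m.group(2))
        elif current_if is not None and line.startswith("nameif "):
            current_if["nameif"] = line.split()[1]
        elif current_if is not None and line.startswith("ip address "):
            _, _, ip, mask = line.split()[:4]   # ignore trailing "standby ..."
            current_if["net"] = ipaddress.ip_interface(f"{ip}/{mask}").network
    return objects, nats, ifaces

def nat_mismatches(config):
    """Return (object, nat_real_if, owning_nameif) for every object NAT whose
    real-side interface differs from the interface that owns the object's subnet."""
    objects, nats, ifaces = parse_asa(config)
    findings = []
    for obj, (real_if, _mapped_if) in nats.items():
        net = objects.get(obj)
        owners = [d["nameif"] for d in ifaces.values() if net and d["net"] == net]
        for owner in owners:
            # case-folded so capitalization alone does not raise a finding
            if owner and owner.lower() != real_if.lower():
                findings.append((obj, real_if, owner))
    return findings
```

Run `nat_mismatches(SAMPLE_CONFIG)` to get the one mismatch; rewriting the NAT line to `nat (Guest_wireless,outside)` makes it return an empty list.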

Hi Chris,

I'm glad to know it is working now.

Please make the post as resolved so others can learn from this.

Regards,

Felipe.

Remember to rate useful posts.
