07-10-2013 10:52 PM - edited 03-11-2019 07:10 PM
Hi,
I am deploying a new wireless setup with two 2504 controllers, one for the corporate ssid and one for guest segment.
The anchor controller used for web-authentication has 1 leg in the inside network (10.x.x.x) and 1 leg in the dmz 192.168.100.x (to ASA 5515 v9.0) on the 192.168.100.0 /24 range.
The ASA has internal and external context.
The Mobility tunnel is up.
The ASA is doing DHCP, and the hosts receive IP addresses and (public) DNS 173.194.67.94.
Problem is the hosts cannot do DNS lookup and thus no redirection to the web-portal.
The ASA shows no denies. When I ping the DNS from the Anchor controller, I see the following.
Jul 11 2013 07:44:17: %ASA-6-302020: Built outbound ICMP connection for faddr 173.194.67.94/0 gaddr 10.101.114.172/815 laddr 10.101.114.172/815
Jul 11 2013 07:44:19: %ASA-6-302021: Teardown ICMP connection for faddr 173.194.67.94/0 gaddr 10.101.114.172/815 laddr 10.101.114.172/815
A packet sniffer shows that hosts connected send DNS requests and never get anything back.
How should I approach this issue from here?
07-11-2013 09:59 AM
Hello Chris,
You can setup captures on the ingress and egress interfaces of the ASA.
Is the connection being translated to a public IP?
You can also use the packet tracer command:
packet-tracer input interface_name udp 10.101.114.172 1025 173.194.67.94 53
interface_name = incoming interface.
And confirm the packet is being allowed and translated.
Regards,
Felipe.
Remember to rate useful posts.
07-12-2013 08:52 AM
Hi Chris,
I'm glad to know it is working now.
Please make the post as resolved so others can learn from this.
Regards,
Felipe.
Remember to rate useful posts.
07-12-2013 03:08 AM
Hi,
After some changes, the WLC can now reach the public DNS server.
However, the hosts cannot do anything. (no nslookup, no ping)
I removed web-authentication from the WLAN config to simplify troubleshooting, but even so, the result is the same.
Host receives IP address and DNS server.
When I do a packet tracer on the outside context, from the guest (wifi) segment to the DNS, I see the packet is dropped.
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
My config is:
object network Guest_wireless
subnet 192.168.100.0 255.255.255.0
access-list GUEST extended permit ip object Guest_wireless any
access-list GUEST extended permit icmp object Guest_wireless any
access-group GUEST in interface Guest_wireless
interface GigabitEthernet0/3.2
nameif Guest_wireless
security-level 40
ip address 192.168.100.254 255.255.255.0 standby 192.168.100.253
object network Guest_wireless
nat (dmz,outside) dynamic "public ip"
Thanks
07-12-2013 05:31 AM
Correction: Packet tracer does work.
The guest laptop can ping the gateway (fw interface)
But it cannot ping the public IP and I have allowed all traffic out as you can see in the config above.
07-12-2013 07:23 AM
The problem was the NAT config.
nat (dmz,outside) dynamic "public ip" had to be
nat (guest_int,outside) dynamic "public ip"
This is the new interface, and I'm programmed for NAT config related to the DMZ.
Anyhow, I'm happy it's fixed.
Thanks for the help
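As an added example (not from this thread or from Cisco): a small Python check for the class of mistake fixed above, an object NAT rule whose real interface is not the interface that actually owns the object's subnet. The sample config text and the mapped address 203.0.113.10 are constructed stand-ins; the code compares nameif values case-insensitively, which is an assumption.

```python
import ipaddress
import re

# Constructed sample mirroring the thread: 192.168.100.0/24 lives on the
# interface named Guest_wireless, but the object NAT rule names "dmz" as its
# real interface. 203.0.113.10 is a placeholder for the public mapped IP.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3.2
 nameif Guest_wireless
 ip address 192.168.100.254 255.255.255.0 standby 192.168.100.253
object network Guest_wireless
 subnet 192.168.100.0 255.255.255.0
 nat (dmz,outside) dynamic 203.0.113.10
"""


def parse_config(config):
    """Collect interface networks by nameif, object subnets and object NAT rules."""
    ifcs, objs, nats = {}, {}, []
    ifc, obj = None, None  # current "interface" block / "object network" block
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            ifc, obj = {}, None
        elif s.startswith("object network "):
            obj, ifc = s.split()[2], None
        elif ifc is not None and s.startswith("nameif "):
            ifc["name"] = s.split()[1]
        elif ifc is not None and s.startswith("ip address "):
            ip, mask = s.split()[2:4]
            ifc["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif obj and s.startswith("subnet "):
            ip, mask = s.split()[1:3]
            objs[obj] = ipaddress.ip_network(f"{ip}/{mask}")
        elif obj and s.startswith("nat ("):
            real, mapped = re.match(r"nat \(([^,]+),([^)]+)\)", s).groups()
            nats.append((obj, real, mapped))
        if ifc and "name" in ifc and "net" in ifc:
            ifcs[ifc["name"]] = ifc["net"]
    return ifcs, objs, nats


def find_mismatched_nat(config):
    """Return (object, real_ifc_in_rule, ifc_owning_subnet) for each bad rule."""
    ifcs, objs, nats = parse_config(config)
    findings = []
    for obj, real, _mapped in nats:
        subnet = objs.get(obj)
        owner = next((n for n, net in ifcs.items()
                      if subnet and subnet.subnet_of(net)), None)
        if owner and owner.lower() != real.lower():  # assumption: case-insensitive
            findings.append((obj, real, owner))
    return findings
```

Running find_mismatched_nat(SAMPLE_CONFIG) reports the dmz/Guest_wireless mismatch; once the rule is rewritten with the owning interface, the check returns an empty list.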