08-26-2020 12:59 PM
Hi Guys,
I have configured a sub-interface on GigabitEthernet1/2.2 for guest access on VLAN 20. I have tested by configuring my local PC network connection to use VLAN 20 and a static IP address, but the gateway at 192.168.200.1 is not reachable.
Any help will be greatly appreciated
:
: Serial Number: ******
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.10(1)
!
hostname CISCO
domain-name ******
enable password ***** pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
no mac-address auto
ip local pool MOBILE_VPN_POOL ******-****** mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address ****** 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet1/2.2
description Guest WiFi
vlan 20
nameif insideGuest
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
banner motd ******************************************************************************
banner motd You are entering a restricted network device. This communication constitutes
banner motd an electronic communication within the scope of the Electronic Communication
banner motd Privacy Act, 18 USCA 2510. The unlawful interception, use, or disclosure of
banner motd such information is strictly prohibited under 18 USCA 2511 and any applicable
banner motd laws. Violators will be prosecuted to the fullest extent of the law.
banner motd ******************************************************************************
boot system disk0:/asa9101-lfbff-k8.SPA
boot system disk0:/asa982-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name lfec.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE_NETWORK
subnet 10.10.20.0 255.255.255.0
object network MOBILE_VPN_POOL
subnet ****** 255.255.255.0
object network OUTSIDE_LWR
subnet 10.10.10.0 255.255.255.0
object service OUTSIDE_TCP_81
service tcp source eq 81
object service INSIDE_TCP_81
service tcp source eq 81
object service OUTSIDE_UDP_81
service udp source eq 81
object service INSIDE_UDP_81
service udp source eq 81
object service OUTSIDE_TCP_37777
service tcp source eq 37777
object service INSIDE_TCP_37777
service tcp source eq 37777
object service OUTSIDE_UDP_37777
service udp source eq 37777
object service INSIDE_UDP_37777
service udp source eq 37777
object network INSIDE_SERVER_DVR
host 10.10.20.108
object service RDP_Inside_Out_NAT
service tcp source eq 3395
object service RDP_Outside_In
service tcp destination eq 3395
object service RDP_Inside_Out_NAT_UDP
service udp source eq 3395
object service RDP_Outside_in_UDP
service udp destination eq 3395
object network NEC-Phone
host 10.10.20.107
object service OUTSIDE_TCP_10443
service tcp source eq 10443
object service INSIDE_TCP_10443
service tcp source eq 10443
object service INSIDE_TCP_8000
service tcp source eq 8000
object service OUTSIDE_TCP_8000
service tcp source eq 8000
object network OUTSIDE_LWR_SQL_SERVER
host 10.10.10.5
object network insideGuest
subnet 192.168.200.0 255.255.255.0
access-list OUTSIDE_ACCESS_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_ACCESS_IN extended permit icmp any any unreachable
access-list OUTSIDE_ACCESS_IN extended permit tcp any object INSIDE_SERVER_DVR eq 81
access-list OUTSIDE_ACCESS_IN extended permit udp any object INSIDE_SERVER_DVR eq 81
access-list OUTSIDE_ACCESS_IN extended permit tcp any object INSIDE_SERVER_DVR eq 37777
access-list OUTSIDE_ACCESS_IN extended permit udp any object INSIDE_SERVER_DVR eq 37777
access-list OUTSIDE_ACCESS_IN extended permit tcp any object NEC-Phone eq 8000
access-list OUTSIDE_ACCESS_IN extended permit tcp any object NEC-Phone eq 10443
access-list MOBILE_VPN_SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list PARRISH2LWR extended permit ip object INSIDE_NETWORK object OUTSIDE_LWR
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host ****** eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host ****** eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list ACL_QOS_DATA_PRIORITY1 extended permit ip any host 10.10.10.5
access-list outside_cryptomap extended permit ip object INSIDE_NETWORK object OUTSIDE_LWR
access-list QOS_POLICY extended permit ip any object OUTSIDE_LWR_SQL_SERVER
access-list insideGuest_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 65000
logging buffered notifications
logging asdm informational
flow-export destination inside 10.10.20.182 2055
flow-export template timeout-rate 15
flow-export delay flow-create 60
mtu outside 1472
mtu inside 1472
mtu insideGuest 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static MOBILE_VPN_POOL MOBILE_VPN_POOL
nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static OUTSIDE_LWR OUTSIDE_LWR
nat (inside,outside) source static INSIDE_SERVER_DVR interface service OUTSIDE_TCP_81 INSIDE_TCP_81
nat (inside,outside) source static INSIDE_SERVER_DVR interface service OUTSIDE_UDP_81 INSIDE_UDP_81
nat (inside,outside) source static INSIDE_SERVER_DVR interface service OUTSIDE_TCP_37777 INSIDE_TCP_37777
nat (inside,outside) source static INSIDE_SERVER_DVR interface service OUTSIDE_UDP_37777 INSIDE_UDP_37777
nat (inside,outside) source static NEC-Phone interface service OUTSIDE_TCP_10443 INSIDE_TCP_10443
nat (inside,outside) source static NEC-Phone interface service OUTSIDE_TCP_8000 INSIDE_TCP_8000
!
object network INSIDE_NETWORK
nat (inside,outside) dynamic interface
object network insideGuest
nat (insideGuest,outside) dynamic interface
access-group OUTSIDE_ACCESS_IN in interface outside
access-group insideGuest_access_in in interface insideGuest
route outside 0.0.0.0 0.0.0.0 ****** 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 10.10.20.182 poll community ***** version 2c
snmp-server location
snmp-server contact
snmp-server community *****
snmp-server enable traps entity config-change
snmp-server enable traps remote-access session-threshold-exceeded
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association replay window-size 1024
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map DYNAMIC_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYNAMIC_MAP 65535 set security-association lifetime seconds 86400
crypto map OUTSIDE_MAP 1 match address outside_cryptomap
crypto map OUTSIDE_MAP 1 set peer ******
crypto map OUTSIDE_MAP 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_MAP 10 match address ******
crypto map OUTSIDE_MAP 10 set pfs
crypto map OUTSIDE_MAP 10 set peer ******
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNAMIC_MAP
crypto map OUTSIDE_MAP interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside
dhcpd address 10.10.20.110-10.10.20.240 inside
dhcpd dns 10.10.10.5 9.9.9.9 interface inside
dhcpd enable inside
!
dhcpd address 192.168.200.2-192.168.200.254 insideGuest
dhcpd dns 8.8.8.8 interface insideGuest
dhcpd lease 36000 interface insideGuest
dhcpd domain guest interface insideGuest
dhcpd enable insideGuest
!
dhcprelay timeout 60
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_****** internal
group-policy GroupPolicy_****** attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MOBILE_VPN_SPLIT_TUNNEL
address-pools value MOBILE_VPN_POOL
dynamic-access-policy-record DfltAccessPolicy
username cisco password ***** pbkdf2 privilege 15
tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
address-pool MOBILE_VPN_POOL
default-group-policy GP_ANYCONNECT
tunnel-group TG_ANYCONNECT webvpn-attributes
group-alias VPN enable
tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map flow_export_class
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
class class-default
set connection decrement-ttl
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum: ******
: end
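Added example, not part of the thread or the poster's config: a small Python checker that reads a constructed excerpt of the running-config above and reports two things a reviewer would want to know. First, the Gi1/2.2 subinterface will only pass traffic if the switch side carries VLAN 20 tagged (the trunk question the replies raise); second, as a caveat the thread does not mention, with both inside and insideGuest at security-level 100, `same-security-traffic permit inter-interface` set, and `insideGuest_access_in` permitting ip any any, the guest segment is not isolated from the inside LAN.

```python
import re
# Constructed excerpt of the running-config posted above; only the lines the checks need.
ASA_CONFIG = """\
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet1/2.2
 vlan 20
 nameif insideGuest
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
same-security-traffic permit inter-interface
access-list insideGuest_access_in extended permit ip any any
access-group insideGuest_access_in in interface insideGuest
"""

FIELDS = {"nameif": 1, "security-level": 1, "vlan": 1, "ip address": 2}  # keyword -> value token index

def parse_interfaces(cfg):
    """Map each 'interface X' stanza to the FIELDS values it sets."""
    interfaces, cur = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            interfaces[cur] = {}
        elif line == "!":
            cur = None
        elif cur:
            for key, idx in FIELDS.items():
                if line.startswith(key + " "):
                    interfaces[cur][key] = line.split()[idx]
    return interfaces

def audit(cfg):
    """Return (interface or nameif, finding) tuples for the two checks."""
    ifs, findings = parse_interfaces(cfg), []
    for name, a in ifs.items():
        if "." not in name:  # only 802.1Q subinterfaces
            continue
        if not (a.get("vlan") and a.get("nameif") and a.get("ip address")):
            findings.append((name, "subinterface lacks vlan, nameif or ip address"))
        else:
            findings.append((name, f"needs VLAN {a['vlan']} tagged on the switch port"))
    inter = "same-security-traffic permit inter-interface" in cfg
    bound = dict(re.findall(r"^access-group (\S+) in interface (\S+)$", cfg, re.M))
    for acl, nameif in bound.items():
        if not (inter and re.search(rf"^access-list {re.escape(acl)} extended permit ip any any$", cfg, re.M)):
            continue
        level = next((a.get("security-level") for a in ifs.values() if a.get("nameif") == nameif), None)
        for a in ifs.values():
            if a.get("security-level") == level and a.get("nameif") not in (nameif, None):
                findings.append((nameif, f"can reach {a['nameif']} (both level {level}, ACL permits ip any any)"))
    return findings
```

Running `audit(ASA_CONFIG)` on the excerpt reports the VLAN 20 tagging requirement for Gi1/2.2 and that insideGuest can reach inside; lowering the guest security-level or tightening insideGuest_access_in makes the second finding disappear.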
08-26-2020 01:12 PM
We do not yet have enough information to be able to understand your issue or to make good suggestions. The ASA configuration is a good start. What can you tell us about the device connected to Gig1/2? How is the device connected on that port configured? Can you verify that vlan 20 is active?
08-27-2020 12:50 AM
Hello,
I agree with Richard, we need to know what is connected to port 1/2, and if whatever is connected is configured as a trunk.
The fact that even the static IP address doesn't work is suspicious. Can you, for the sake of testing, remove the IP address from the physical interface and just leave the IP address for VLAN 20 on there?
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address ****** 255.255.255.252
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.2
description Guest WiFi
vlan 20
nameif insideGuest
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 10.10.20.1 255.255.255.0
08-27-2020 06:59 AM
Hi Guys,
Many thanks for your responses.
Interface GigabitEthernet1/2 is the local area network connected to the switch.
Interface GigabitEthernet1/2.2 is the same but for guests who use the guest WiFi.
I have another router (the same model) that has an almost identical configuration and it's working.
I compared the two configs line by line and they are the exact equivalent of one another, other than the IP addresses for the LAN / WAN.
08-27-2020 08:06 AM
So far we have been pretty much looking for a problem on the router. I think it is time to take a closer look at the possibility that the issue may be on the switch rather than on the router. Can you post the configuration of the switch interface that connects to the router? It would also help if you post the output of these commands on the switch:
show interface status
show interface trunk