
Guest Wireless Access

gleung001
Level 1

I'm not a network expert but I am attempting to finish up a project started by someone else, which is setting up a guest wireless network. I'm having an issue where the machine connects to the SSID but doesn't get an IP address from the DHCP server set on the firewall. They all get the 169.254.x.x. Here's the equipment involved:

Cisco 3750G switch

Cisco ASA 5510 Firewall - IP 10.0.1.254

Cisco 2500 Series Wireless Controller

I've attached some screenshots. Let me know if you need more information. Thanks.

firewall.png

switch.png

Untitled.png

wlan.png

22 Replies

Michael Romero
Level 1

I am new to the forum as well, but could you explain to me why you are trying to get DHCP from a different subnet 10.0.0.0 than the one configured on your WAP 192.0.0.0? The best scenario for a "guest" network would be to split up the networks and have DHCP coming from its own subnet with the DNS information embedded in DHCP for internet traffic.

Michael

devils_advocate
Level 7

Can you diagram the topology?

Presumably the 192.168.90.* network can route to the 10.0.1.* network ok?

I would assume so, again not a network expert. Show ip route on switch comes back with:

C    192.168.90.0/24 is directly connected, Vlan200

     10.0.0.0/24 is subnetted, 4 subnets

C       10.0.2.0 is directly connected, Vlan20

C       10.0.3.0 is directly connected, Vlan30

C       10.0.1.0 is directly connected, Vlan10

C       10.0.5.0 is directly connected, Vlan5

I think it's the way the ASA is handling the unicast DHCP requests, as I suspect the source address for them is the interface on the WLC.

Try and disable the DHCP proxy feature on the WLC

Controller->Advanced->DHCP  

Untick the 'Enable DHCP Proxy' option.

Thanks for the suggestion. Forgot to mention I have 2 SSIDs. One is my main wireless, which is working fine. The other is the guest network, which I'm having issues with. VLAN 20 is main and VLAN 200 is Guest.

Gary,

If your guest network is in the 192.x.x.x range, and your ASA is on the 10. subnet, you'll need to enable a helper address to forward the dhcp request to.

Assuming that the host boots up in the 192.x.x.x subnet, on your 3750's vlan 200, put in "ip helper-address " if the dhcp scope is on the asa.

HTH,
John

*** Please rate all useful posts ***


Hey John, I set the IP helper for VLAN 200 to 10.0.1.254 (Firewall IP) and did the same on the interface page on the WLC, but the laptop still doesn't get an IP.

Do you have a pool on the firewall for the 192.x.x.x subnet? I've not tested getting addresses from an ASA pool like this. I could lab this up if needed.

HTH,
John


John, yes the person who started this project set up DHCP on ASA Firewall.

Hmmm....You have pools for vpn configured. The firewall isn't going to hand those over as a normal dhcp request. I believe the ASA will only assign dhcp for interfaces that have addresses assigned to them. For example, you can have a dhcp pool associated to your internal interface in that range. If your address for the lan is 10.0.1.254, you can have dhcp in the 10.0.1.0/24 range (and only a certain amount depending on the license count).

I can think of a couple of things to work around this. Get another dhcp server up that will support the 192.168.x.x range only and point your helper to that OR create a subinterface on your ASA and trunk the ports across to the AP. Place your guest wireless in that vlan, and then you can have a local pool from the ASA for the 192.x.x.x subnet because there will be a physical interface that has that address on it.

I could be wrong, but I don't think you're going to get it to work the way it currently sits.

Here's a link to look through:

https://supportforums.cisco.com/thread/227315

HTH,
John


John, when you say create a subinterface on ASA, I think that was created...Am I wrong?

As for the trunking, I'm not sure we have that 100% covered. I ran show int trunk on the 3750 switch and got this...1/0/3, 1/04, 1/0/5, 1/0/6, 1/07 are where my APs are connected. 5/0/22 is where my WLC is connected.

Trunk_preview

Where is the ASA connected? That has to be part of the trunk. Also, there are two different types of pools in the ASA: dhcpd and ip local pool. The ip local pools are used for vpn clients, and the other is used for local clients. Can you telnet into the ASA and post the result from "show run dhcpd" and "show run ip local pool"?

HTH,
John


John, this is for the firewall..

INTERFACE 1 ON CISCO ASA

interface GigabitEthernet1/0/1

description ASA_LAN

switchport access vlan 10

switchport mode access

INTERFACE 3 ON CISCO ASA

interface GigabitEthernet1/0/2

description ASA_TRUNK

switchport trunk encapsulation dot1q

switchport mode trunk

Show run dhcpd returns

dhcpd address 192.168.90.1-192.168.90.200 MJFF-GUEST

dhcpd dns 8.8.8.8 4.2.2.2 interface MJFF-GUEST

dhcpd lease 90000 interface MJFF-GUEST

dhcpd enable MJFF-GUEST

Show run ip local pool returns

ip local pool MJFF-VPN-IP-POOL 192.77.22.1-192.77.22.200 mask 255.255.255.0

Okay...do you have a g1/0/1.200 or another subinterface on the ASA that matches the ip address of 192.168.90.x?

HTH,
John

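The check John asks for in his last reply, written out as an added example (not part of the thread and not anyone's posted configuration): it reads an ASA running-config and reports whether the interface that owns the guest dhcpd pool actually has an address in 192.168.90.0/24 and is tagged for VLAN 200. The dhcpd lines are the ones posted above; the interface stanzas, port names and the .254 address are assumptions.

```python
import ipaddress
import re

# Constructed config: dhcpd lines are from the thread, interface stanzas are assumed.
SAMPLE_ASA = """\
interface Ethernet0/1
 nameif inside
 ip address 10.0.1.254 255.255.255.0
interface Ethernet0/2.200
 vlan 200
 nameif MJFF-GUEST
 ip address 192.168.90.254 255.255.255.0
dhcpd address 192.168.90.1-192.168.90.200 MJFF-GUEST
dhcpd enable MJFF-GUEST
"""

def parse_interfaces(cfg):
    """Map each nameif to its port, 802.1Q tag (None if untagged) and subnet."""
    out, cur = {}, None
    for line in cfg.splitlines():
        w = line.split()
        if line.startswith("interface "):
            cur = {"port": w[1], "vlan": None, "net": None}
        elif cur is None or not line.startswith(" ") or not w:
            cur = None  # left the interface stanza
        elif w[0] == "vlan":
            cur["vlan"] = int(w[1])
        elif w[0] == "nameif":
            out[w[1]] = cur
        elif w[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
    return out

def check_guest_dhcp(cfg, guest_vlan, guest_net):
    """Return reasons the ASA's dhcpd cannot hand out leases on the guest VLAN."""
    net = ipaddress.ip_network(guest_net)
    enabled = set(re.findall(r"^dhcpd enable (\S+)", cfg, re.M))
    pools = [n for lo, hi, n in re.findall(r"^dhcpd address ([\d.]+)-([\d.]+) (\S+)", cfg, re.M)
             if ipaddress.ip_address(lo) in net and ipaddress.ip_address(hi) in net]
    findings = [] if pools else [f"no dhcpd pool inside {net}"]
    for name in pools:
        iface = parse_interfaces(cfg).get(name)
        if name not in enabled:
            findings.append(f"dhcpd is not enabled on {name}")
        if iface is None or iface["net"] != net:
            findings.append(f"{name} has no address in {net}")
        elif iface["vlan"] != guest_vlan:
            findings.append(f"{name} is on vlan {iface['vlan']}, not {guest_vlan}")
    return findings
```

An empty list from `check_guest_dhcp(SAMPLE_ASA, 200, "192.168.90.0/24")` only means the ASA side is consistent; VLAN 200 still has to be carried on the switch trunk to the ASA for guest clients to reach that interface.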