
ASA 5508, WDS and different subnets/VLANs

zsolt.csete
Level 1

Hello,

 

My main objective is to set up WDS for client installs. However, the WDS server and the clients are in different subnets (and on occasion different VLANs).

It isn't working out so far though; the client doing the PXE boot doesn't receive any answer from the server subnet.

It works fine if I put the WDS server in the same subnet as the client asking for the install.

 

About the environment:

  • An old domain controller, which I plan to phase out soon (physical Small Business Server 2008)
  • A new domain controller, with the WDS role installed on Hyper-V (Server 2016)--> I can't separate the roles for the time being.
  • A Cisco ASA 5508 as the main router, which also does the DHCP role
  • A Cisco SG500-52 managed switch
  • The different offices-teams are on different subnets and the WDS server is in a subnet where the DHCP is disabled

 

I did some research on the topic, and found out that I either use Option 66/67 or go the IP Helper route.

Unfortunately this ASA router doesn't support Option 66/67, and I'm really not at all versed with Cisco/networking. I can't even find those IP Helper options in our router.

I tried to play around with a lot of things, among many others the DHCP relay settings; I also looked at the switch's Static Hosts function (I've seen options 66-67 there) --> zero success so far.

 

Can someone please point me in the right direction?
It is a production environment; while it's rather small, my options for experimenting are still limited.

Since my networking/Cisco knowledge is rather poor, I'm using the ASDM GUI.

 

 

Thanks in advance!

 

Regards,
Zsolt

7 Replies

Hi Zsolt,

 

Based on your description, I have drafted the attached network diagram and hope it somewhat resembles your environment. Please verify that you have the required NAT, routes, and ACL policies in place.

Your config should look like this:

 

ASA#
! Tagged VLANs from the SG500 trunk terminate on ASA sub-interfaces
! (interface naming assumes a 5508-X; "vlan" is only valid on a sub-interface)
interface GigabitEthernet1/1.100
 vlan 100
 nameif CLIENT-NW
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/1.200
 vlan 200
 nameif WDS-NW
 security-level 100
 ip address 1.1.1.1 255.255.255.0
!
! Both interfaces are security-level 100; without this the ASA drops
! traffic between them regardless of the ACLs
same-security-traffic permit inter-interface
!
! Identity NAT for the whole WDS subnet (pre-8.3 "static" syntax). The ASA
! routes between directly connected interfaces without NAT, so on 8.3+ omit it.
static (WDS-NW,CLIENT-NW) 1.1.1.0 1.1.1.0 netmask 255.255.255.0
!
! Define the ACL before binding it to the interface
access-list acl_CLIENT-NW extended permit ip 192.168.1.0 255.255.255.0 1.1.1.0 255.255.255.0
access-group acl_CLIENT-NW in interface CLIENT-NW

Client servers (Windows hosts; only needed if 192.168.1.1 is not already their default gateway)

route -p add 1.1.1.0 mask 255.255.255.0 192.168.1.1

WDS servers (Windows host; only needed if 1.1.1.1 is not already its default gateway)

route -p add 192.168.1.0 mask 255.255.255.0 1.1.1.1

 

Dennis Mink
VIP Alumni

Are you using DHCP with option 66 and/or 67?


According to this table, Option 67 seems to be unsupported by our ASA: https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/dhcp.html#wp1115679

 

Is there a similar option on the switch? I couldn't find it.

zsolt.csete
Level 1

Hi Jean-Pierre,

 

Thank you for the drawing! It's a bit different in reality though (by the way, what software did you use to create it? I might try to do a diagram of my own; it might help us a bit).

 

Actually, everything is behind the ASA router/firewall, and all of our devices are on the SG500-52 switch.

The old and the new domain controllers are on the same VLAN/subnet (dedicated to servers) as well, with zero DHCP used on that subnet.

 

Since I'm using the GUI and haven't really touched the CLI yet, I don't see yet how the recommended settings will forward any requests made by client computers towards the WDS. Which rule/policy will achieve this?

 

The VLAN part of your suggestions seems to be alright in our config, however I think the ACL policies might be missing.

By the way: if the WDS and the client are on the same subnet/VLAN with DHCP enabled, it works.

Hi Zsolt,

 

Based on the symptoms you mentioned, it might be an issue with the routing / ACL policies.

Would you be able to share the relevant config files so that we can check further? Thank you.

 

 

Best Regards,

Jean-Pierre

All in all, I've found out that there might not be a way to do this unless the DHCP role is migrated to a Windows Server; the switch and the ASA are missing the necessary options. As a workaround, I've placed the WDS server in the subnet where the client installs take place, so it works fine.

Later on I'm going to stop using the ASA as a DHCP.
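The "IP helper route" mentioned in the opening post and the DHCP migration the thread ends on come down to the same thing on the ASA: DHCP relay from the client VLANs into the server VLAN. The ASA does have this feature (the CLI calls it dhcprelay, which is why it is hard to find under that name in ASDM), but per the ASA DHCP relay guidelines it cannot be enabled while the ASA's own DHCP server is enabled, which explains why the relay experiments above went nowhere. The configuration below is an added example, not from the original thread; the interface names, the 10.10.10.0/24 server subnet, the server addresses and the client address pool are assumptions.

```cisco
! Added example (not from the thread). Assumed topology:
!   CLIENT-NW  192.168.1.0/24 (ASA 192.168.1.1)  PXE clients
!   WDS-NW     10.10.10.0/24  (ASA 10.10.10.1)   server VLAN, no ASA DHCP pool
!   10.10.10.20  Windows DHCP server (role moved off the ASA)
!   10.10.10.21  WDS server
!
! 1. The ASA cannot run a DHCP server and DHCP relay at the same time, so the
!    built-in pool for the client VLAN is removed first (range is an assumption).
no dhcpd enable CLIENT-NW
no dhcpd address 192.168.1.50-192.168.1.200 CLIENT-NW
!
! 2. Relay the client broadcasts (DHCPDISCOVER, including the PXEClient request)
!    as unicast to BOTH servers: DHCP hands out the address, WDS answers the PXE
!    part itself, so options 66/67 are not needed on the scope. "setroute"
!    rewrites the default gateway in the relayed reply to the CLIENT-NW address.
dhcprelay server 10.10.10.20 WDS-NW
dhcprelay server 10.10.10.21 WDS-NW
dhcprelay enable CLIENT-NW
dhcprelay setroute CLIENT-NW
dhcprelay timeout 90
!
! 3. After the PXE answer everything else is ordinary unicast between the VLANs
!    and passes the inbound ACL on CLIENT-NW. Tighter than "permit ip":
object-group service WDS-PXE
 service-object udp destination eq tftp
 service-object udp destination eq 4011
 service-object tcp destination eq 445
 service-object tcp destination eq 135
 service-object tcp destination eq 5040
! tftp/69: boot file download; udp/4011: PXE boot server; tcp/445: SMB install
! share; tcp/135 and tcp/5040: RPC endpoint mapper and the WDS default RPC port.
access-list acl_CLIENT-NW extended permit object-group WDS-PXE 192.168.1.0 255.255.255.0 host 10.10.10.21
access-group acl_CLIENT-NW in interface CLIENT-NW
!
! 4. TFTP negotiates a second UDP channel; the default global_policy already
!    carries "inspect tftp", keep it or the boot file download stalls.
```

Once the installer is running it also needs DNS, Kerberos and LDAP to the domain controller, so the ACL above covers the PXE/WDS phase only. To check the relay from the CLI, `show dhcprelay statistics` should count forwarded requests and replies, and `capture pxe interface CLIENT-NW match udp any any eq 67` shows whether the client's DISCOVER is arriving at all. If the DHCP role ends up on a Windows server instead, the alternative is a single `dhcprelay server` entry for the DHCP server plus options 66 (boot server host name) and 67 (boot file name) on the Windows scope.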
