Some questions on vlans/switching/routing

Hi All,

Please forgive me if I posted this in the wrong forum. I am still learning how to manage my ASA-5506X device. I have a question regarding VLANs, and I was wondering if the experts here can guide me in the right direction. 

Background Info: 

Cisco ASA-5506X Device 

Cisco Smart Switch for VOIP

Ubiquiti Unifi Switch 

4 Interface already setup (Verizon, Comcast, DMZ, and Inside) 

Verizon is used for VOIP as well as a failover: in case Comcast is down, the ASA will direct all traffic to Verizon.

Inside is the internal network 

and DMZ is DMZ

I am trying to create a wireless guest network, but I would like it to be on its own separate subnet. People that are on the guest wireless network should not have access to the internal network. I believe I can do this with a VLAN. As far as DNS and DHCP go, they should be able to access a public DNS, and I have to tweak the ACLs so they can either access my DHCP server or use the ASA as a DHCP server (not sure if that even works). Can someone please tell me how I can achieve this? 

I added a VLAN to the inside interface because the cable coming from that interface goes into the switch. The guest wireless network works, but it doesn't use its own subnet. It still points to the internal network for an IP address. 

Accepted Solution

If the ASA is not seeing the DHCP request then it does seem that the problem is something in the switches. I am a little unclear about what is happening on the ubiquiti switch, but the rest of your description does seem appropriate.

Assuming that the SG300 operates similar to the other Cisco switches that I am familiar with (mostly the IOS based switches) then you should not need to restart the SG300 after making a config change. The change should take effect immediately after you make it.

HTH

Rick

Replies

It will be easier to advise you about issues if you would post the config. But based on what you have told us so far here are some comments that I hope will help:

- you mention adding a vlan to the inside interface. I assume that what you mean is that you want the inside interface of the ASA to process two subnets. To do that you need to configure the interface on the switch to which the ASA connects as a trunk port and to have that trunk carry both the vlan/subnet of your inside network and the vlan/subnet of the guest network.

- then you would configure the interface of the ASA to handle multiple vlans. You could either configure the ASA interface to have two subinterfaces (one for each vlan) or you could configure the physical interface to handle the traffic of the native vlan and configure a single subinterface to handle the other vlan/subnet.

- if the guest wireless is using the ip address of inside network then it suggests that that traffic is coming from the switch in the same vlan as the inside traffic. That should straighten out when you make the changes to have the switch interface operate as a trunk.

- the ASA is capable of operating as a DHCP server.

HTH

Rick

Thanks, Rick, I am going to post a config of the ASA. I will make sure to mask sensitive info. 


I am trying to create a wireless guest network, but I would like it to be on its separate subnet. People that are on the guest wireless network should not have access to the internal network. I believe I can do this with a vlan.  As far as accessing the DNS and DHCP go, they should be able to access a public DNS, and I have to tweak the ACLs so it can either access my DHCP server or use the ASA as a DHCP server (not sure if that even works). Can someone please tell me how I can achieve this? 

Hi, to add to Rick's comment, I have put together some example configuration.

You can do trunking between switch and ASA firewall to allow the VLAN at ASA level. 

The ASA 5506-X comes with 8 GigE routed interfaces. Normally, for a small enterprise, you can go with 3 routed interfaces: inside (100), DMZ (50) and outside (0).

For Example ..

interface GigabitEthernet1/1
  description to WAN
  nameif outside
  security-level 0
  ip address 20.1.1.1 255.255.255.0
!
interface GigabitEthernet1/2
  description to LAN
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
  description to DMZ
  nameif dmz1
  security-level 50
  ip address 192.168.10.1 255.255.255.0

With trunk enabled at ASA Firewall

! Inside stays on the physical interface and receives the untagged native VLAN (1)
! from the switch trunk; the guest VLAN arrives 802.1Q-tagged on a subinterface.
interface e0/1
 description to LAN (native VLAN 1, untagged)
 nameif inside
 security-level 100
 ip address 172.29.1.1 255.255.255.0 standby 172.29.1.2
 no shutdown
!
interface e0/1.8
 description guest VLAN 8 (tagged)
 vlan 8
 nameif XXX
 security-level 90
 ip address 192.168.17.1 255.255.255.0 standby 192.168.17.2
 no shutdown

At switch level ..

vlan 8
!
interface GigabitEthernet9/2
 description to ASA e0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! carry only the native VLAN (1, untagged) and the guest VLAN (8, tagged)
 switchport trunk allowed vlan 1,8

DHCP configuration on the ASA is achievable and can be done with the following configuration.

Specify a DHCP address pool and the interface on which the clients connect (the pool must lie within the subnet configured on that interface, 192.168.1.0/24 for inside in the example above).

dhcpd address 192.168.1.5-192.168.1.250 inside
dhcpd dns 4.1.1.1 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside

-GI


Thank you so much for this detailed walkthrough. I will give this a try and report back with any issues. Again, thank you for taking the time to write this! 


Hi Ganesh and Rick, 

My ASA config is below. I also use the ASA for VPN and VOIP. I have 3 static routes set up, and I would also like to know if I can direct my internal network to use my DHCP server and the guest network to use the ASA as DHCP server. Right now the internal network is using my internal DHCP server. 

Result of the command: "show running-config"

: Saved

:
: Serial Number: XXXXXXX
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)
!
hostname ASA-5506
domain-name XXXXXXX
enable password XXXXXXXX
names
ip local pool VPN_XXXX 172.XX.XX.1-172.XX.XX.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
description To Verizon WAN
nameif outside
security-level 0
ip address 2XX.XX.XXX.XX 255.255.255.XXX
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 172.XX.XX.1 255.255.255.0
!
interface GigabitEthernet1/3
description To Comcast WAN
nameif COMCAST
security-level 0
ip address XX.XX.XXX.X 255.255.255.XX
!
interface GigabitEthernet1/4
description DMZ Interface
nameif DMZ
security-level 50
ip address XXX.XXX.X.XXX 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa942-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup COMCAST
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 172.XX.XX.XX
domain-name XXXXXXXXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.XX.XX.XX_24
subnet 172.XX.XX.XX 255.255.255.0
object network CUCM-6970
host 172.XX.XX.XX
object network CUCM-69
host 172.XX.XX.XX
network-object object CUCM-69
network-object object CUCM-6970
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq 6970
service-object udp destination eq tftp
service-object icmp echo
service-object icmp echo-reply
service-object icmp unreachable
service-object icmp time-exceeded
access-list SplitTunnel standard permit 172.XX.XX.0 255.255.255.0
access-list SplitTunnel standard permit 172.XX.XX.XX 255.255.255.0
access-list SplitTunnel standard permit 172.XX.XX.0 255.255.XXX.0
access-list DMZ_access_in extended deny ip object DMZ-Subnet interface inside
access-list AnyConnect_Client_Local_Print extended deny
access-list AnyConnect_Client_Local_Print extended permit
access-list AnyConnect_Client_Local_Print remark IPP:
access-list AnyConnect_Client_Local_Print extended permit
access-list AnyConnect_Client_Local_Print remark Windows
access-list AnyConnect_Client_Local_Print extended permit
access-list AnyConnect_Client_Local_Print remark mDNS
access-list AnyConnect_Client_Local_Print extended permit
access-list AnyConnect_Client_Local_Print remark LLMNR
access-list AnyConnect_Client_Local_Print extended permit
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended
access-list AnyConnect_Client_Local_Print extended
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu COMCAST 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.XX.XX.XX_24 NETWORK_OBJ_172.XX.XX.XX_24 no-proxy-arp route-lookup
!
object network CUCM-6970
nat (inside,outside) static interface service tcp 6970 6970
object network CUCM-69
nat (inside,outside) static interface service udp tftp tftp
object network DMZ-Subnet
nat (DMZ,COMCAST) dynamic interface
nat (inside,COMCAST) static interface no-proxy-arp service tcp https https
!
nat (inside,COMCAST) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group COMCAST_access_in in interface COMCAST
access-group DMZ_access_in in interface DMZ
route COMCAST 0.0.0.0 0.0.0.0 XX.XX.XXX.X X
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.XX XX
route inside 172.XX.XX.0 255.255.XXX.0 172.XX.XX.X X
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAP_memberOf
map-name memberOf Group-Policy
map-value memberOf CN=VPNUSERS,OU=XXX,DC=XX,DC=XX TEST
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.XX.XX.XX
key XXXXXX
radius-common-pw XXXXX
aaa-server LDAP_Domain protocol ldap
aaa-server LDAP_Domain (inside) host 172.XX.XX.XX
ldap-base-dn DC=XX,DC=XX
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password XXXXX
ldap-login-dn CN=VPN Access,OU=XXXX,DC=XX,DC=XX
server-type microsoft
ldap-attribute-map LDAP_memberOf
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 1XX.XX.X.X 255.255.XX.0 inside
http 0.0.0.0 0.0.0.0 inside
http 6X.XX.XX.XX 255.255.255.XXX outside
http 1XX.XX.XX.XX 255.255.255.XX outside
snmp-server host inside 172.XX.XX.XXX community *****
snmp-server host inside 172.XX.XX.XX community *****
snmp-server host inside 172.XX.XX.XX poll community ***** version 2c
no snmp-server location
no snmp-server contact
service sw-reset-button
//CryptoINFO Omitted
ssh XX.XX.XX.XX XX.XX.XXX.XXX outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.40 source outside
ssl
ssl
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.2.01022-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.2.00096-k9.pkg 2
anyconnect profiles XXXX disk0:/XXXX.xml
anyconnect enable
tunnel-group-list enable
error-recovery disable
ssl-server-check warn-on-failure
group-policy NoAccess internal
group-policy NoAccess attributes
dns-server none
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain none
address-pools none
group-policy XXXXXX attributes
vpn-tunnel-protocol ikev1 XXXXX ssl-client ssl-clientless
group-policy XXXXXXXXXXXXXX internal
group-policy XXXXXXXXXXXXXX attributes
wins-server none
dns-server value 172.XX.XX.XX
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
default-domain value XXXXXXXXXXXX
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl
anyconnect ssl
anyconnect dpd
anyconnect ssl c
group-policy GroupPolicy_XXXXXXXXXXXXXX internal
group-policy GroupPolicy_XXXXXXXXXXXXXX attributes
wins-server none
dns-server value 172.XX.XX.XX 172.XX.XX.XX
vpn-simultaneous-logins 30
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol ssl-client ssl-clientless
group-lock value XXXXXX
split-tunnel-policy XXXXXXX
split-tunnel-network-list value SplitTunnel
default-domain value XXXXXX
split-dns value XXXXXXX XXXXXXXXXXXX
vlan none
webvpn
anyconnect profiles value XXXX type user
anyconnect ask none default anyconnect
dynamic-access-policy-record XXXXXXXXX
user-message "You are not Authorized to use VPN. Please contact Doug to request membership!"
action terminate
dynamic-access-policy-record XXXXXX
description "used for IP phones"
priority 99
dynamic-access-policy-record Dynamic_Access_LDAP
description "Restrict users to only access the VPN that their AD group membership allows."
priority 100
username XXXXXXX
username XXXXXXX
tunnel-group XXXXXXX type remote-access
tunnel-group XXXXXXX general-attributes
address-pool XXXXXX
authentication-server-group LDAP_Domain LOCAL
default-group-policy GroupPolicy_XXXXXXXXXXXXXX
tunnel-group XXXXXXX webvpn-attributes
group-alias XXXXXXX enable
tunnel-group XXXXXX type remote-access
tunnel-group XXXXXXX general-attributes
address-pool VPN_XXXX
default-group-policy XXXXXXXXXXXXXX
tunnel-group XXXX webvpn-attributes
authentication certificate
group-alias XXXXXX enable
group-url https://XXX.XXXXXXXXXXXX/XXXXXX enable
without-csd
tunnel-group XXXXX type remote-access
tunnel-group XXXXXX general-attributes
address-pool VPN_XXXX
authentication-server-group LDAP_Domain LOCAL
default-group-policy NoAccess
tunnel-group XXXXX webvpn-attributes
group-alias XXXXX enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fXXXXXXXXXXXXXXX
: end

Thank you for posting the config of the ASA. There is lots of detail there and I have looked at the detail only very briefly so far. It may be helpful to have those details as the discussion goes forward. At the moment it shows clearly what you are doing for 4 interfaces (inside, DMZ, Verizon, Comcast). But it does not show us anything about how you want to handle the new vlan/new subnet for guest wireless.

Certainly from the perspective of the switch a new vlan (separate from the vlan for inside network) should be a good solution to implement the guest wireless network. It would allow them to operate independently and would keep them separate from the inside network. There are two alternatives for how you can implement this on the ASA. You could configure the ASA interface which connects to the switch as a trunk, also configuring the switch interface which connects to the ASA as a trunk which carries the two vlans. The other alternative is to keep the existing ASA inside interface as it is, and leave the switch interface connecting to the ASA as an access port. Then you would configure another interface of the ASA (perhaps Gig1/5) for the new subnet and use an access port on the switch (access port in the new vlan) and connect it to the ASA. (so there would be two physical connections from ASA to switch) In either alternative you would configure the new ASA interface with a name for guest wireless and a security level lower than DMZ and higher than the WAN interfaces. You might need some additional access rules but this approach in general would give guest wireless access to Internet but not access to inside or DMZ networks.

It should be easy to have the inside network continue to use your DHCP server and to configure a DHCP pool with appropriate parameters to use for guest wireless.

HTH

Rick

Dear Rick, 

Thank you so much for the reply and sorry for the late reply on my end. I went ahead and added the VLAN as part of the inside interface. For example: 

GigabitEthernet1/2 - inside

GigabitEthernet1/2.30 - GuestWifi - Assigned IP 192.168.18.1

I enabled trunk on the switch, but I am not sure how to enable trunk on the ASA. Can you please tell me how to do that? 

I also enabled DHCP server for the Guest vlan on the ASA. 


OK so you are using the trunk approach. This should work well. If you have configured the subinterface Gig1/2.30 you are well on the way to configuring the trunk on the ASA. What have you configured for the subinterface? The trunk config might look something like this

interface Gig1/2.30

 vlan 30
 nameif GuestWifi
 security-level 40
 ip address 192.168.18.1 255.255.255.0

Assuming that you set up a DHCP scope for 192.168.18.0, then when the trunk is working on the ASA and on the switch, the hosts on the Guest Wifi should get addresses from the DHCP on the ASA.

HTH

Rick

Dear Rick, 

Below is the new config from the ASA after adding VLAN 30 and configuring the DHCP server. Please look at it and let me know if I am missing anything. 

Result of the command: "show running-config"

: Saved

:
: Serial Number: XXXXXX
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)
!
hostname ASA-5506
domain-name XXXXX
enable password XXXXXXXXX
names
ip local pool VPN_XXXX 172.XX.XX.1-172.XX.XX.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
description To Verizon WAN
nameif outside
security-level 0
ip address 2XX.XX.XXX.XX 255.255.255.XXX
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 172.XX.XX.1 255.255.XXX.0
!
interface GigabitEthernet1/2.30
description Guest WIFI Vlan
vlan 30
nameif GuestWIFI
security-level 90
ip address 192.168.18.1 255.255.255.0
!
interface GigabitEthernet1/3
description To Comcast WAN
nameif COMCAST
security-level 0
ip address XX.XX.XXX.X XXX.XXX.XXX.XXX
!
interface GigabitEthernet1/4
description DMZ Interface
nameif DMZ
security-level 50
ip address XXX.XXX.X.XXX 255.255.XXX.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa942-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup COMCAST
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 172.XX.XX.XX
domain-name XXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.XX.XX.X_24
subnet 172.XX.XX.X 255.255.255.0
object network CUCM-6970
host 172.XX.XX.XX
object network CUCM-69
host 172.XX.XX.XX
service-object icmp echo
service-object icmp echo-reply
service-object icmp unreachable
service-object icmp time-exceeded
access-list SplitTunnel standard permit 172.XX.XX.X 255.255.XXX.0
access-list SplitTunnel standard permit 172.XX.XX.X 255.255.XXX.0
access-list SplitTunnel standard permit 172.XX.XX.X 255.255.XXX.0
access-list DMZ_access_in extended deny ip object DMZ-Subnet interface inside
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host XXX.X.X.XXX eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host XXX.X.X.XXX eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu GuestWIFI 1500
mtu COMCAST 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.XX.XX.X_24 NETWORK_OBJ_172.XX.XX.X_24 no-proxy-arp route-lookup
!
object network CUCM-6970
nat (inside,outside) static interface service tcp 6970 6970
object network CUCM-69
nat (inside,outside) static interface service udp tftp tftp
!
nat (inside,COMCAST) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group COMCAST_access_in in interface COMCAST
access-group DMZ_access_in in interface DMZ
route COMCAST 0.0.0.0 0.0.0.0 XX.XX.XXX.X 1
route outside 0.0.0.0 0.0.0.0 XXX.XX.XXX.XX 50
route inside 172.XX.XX.X 255.255.254.0 172.XX.XX.X 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAP_memberOf
map-name memberOf Group-Policy
map-value memberOf CN=VPNUSERS,OU=XXX,DC=XX,DC=XX TEST
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.XX.XX.XX
key XXXXX
radius-common-pw XXXXX
aaa-server LDAP_Domain protocol ldap
aaa-server LDAP_Domain (inside) host 172.XX.XX.XX
ldap-base-dn DC=XX,DC=XX
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password XXXXX
ldap-login-dn CN=VPN,OU=XXXX,DC=XX,DC=XXX
server-type microsoft
ldap-attribute-map LDAP_memberOf
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 1XX.XXX.X.X 255.255.2XX.0 inside
http 0.0.0.0 0.0.0.0 inside
http 69.XXX.XXX.XX 255.255.255.XXX outside
http 1XX.XXX.XXX.XX 255.255.255.XXX outside
snmp-server host inside 172.XX.XX.XXX community *****
snmp-server host inside 172.XX.XX.XX community *****
snmp-server host inside 172.XX.XX.XX poll community ***** version 2c
no snmp-server location
no snmp-server contact
service sw-reset-button

//CryptoInfo Omitted

ssh XX.XXX.XXX.XX XXX.XXX.XXX.XXX outside
ssh 0.X.X.X.0.X.X.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.18.2-192.168.18.254 GuestWIFI
dhcpd dns 4.1.1.1 4.2.2.2 interface GuestWIFI
dhcpd enable GuestWIFI
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.40 source outside

//VPN Info Omitted
: end

I have looked through the config and have these comments:

- the config of the subinterface/trunked vlan seems mostly ok. I question assigning security level of 90. This would allow users in the Guest Wifi to initiate traffic to your DMZ. I suspect that this is not what you intended.

- I note that the access list for local print starts with a deny ip any any and then proceeds with a series of permit statements which will not be executed if the first statement denied all traffic. I have seen this issue before with local print access list and suspect that somewhere in Cisco documentation is an example which does this.

- I do not see any Network Address Translation for Guest Wifi and without it there will be no access to Internet.

- I do not see any access policy for Guest Wifi. If you change the security level from 90 and if you want these users to only access Internet then perhaps you do not need an access policy for them. But as currently configured I think you do need it.

- The DHCP config seems appropriate.

HTH

Rick
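The points raised in this review (guest security level relative to DMZ, a missing NAT rule, a missing access policy, the DHCP pool) can be checked mechanically. The script below is an added example and is not code from the thread: it parses a constructed excerpt that mirrors the posted config (GuestWIFI on a subinterface at security-level 90, no NAT and no access-group for it; only 192.168.18.0/24 is from the thread, every other address is made up), applies the ASA's default policy (a higher security level may initiate connections to a lower one; equal levels only with `same-security-traffic permit inter-interface`; an inbound access-group on an interface replaces that default), and lists what guest hosts could reach. The DHCP check also flags a pool that does not sit inside the interface's subnet.

```python
"""Lint an ASA running-config excerpt for guest-VLAN pitfalls (added example, not from the thread).

SAMPLE_CONFIG is a constructed excerpt: GuestWIFI at security-level 90 with no NAT rule and
no access-group, as in the posted config. Only 192.168.18.0/24 comes from the thread.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet1/2.30
 vlan 30
 nameif GuestWIFI
 security-level 90
 ip address 192.168.18.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif COMCAST
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet1/4
 nameif DMZ
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
same-security-traffic permit inter-interface
nat (inside,COMCAST) after-auto source dynamic any interface
access-group DMZ_access_in in interface DMZ
dhcpd address 192.168.18.2-192.168.18.254 GuestWIFI
dhcpd enable GuestWIFI
"""

WAN = ("outside", "COMCAST")          # interface names used for Internet access in the thread
IF_SUBCMDS = ("nameif ", "security-level ", "ip address ", "vlan ", "description ", "shutdown", "no ")


@dataclass
class Iface:
    name: str
    level: int = -1
    network: Optional[ipaddress.IPv4Network] = None


@dataclass
class AsaConfig:
    ifaces: Dict[str, Iface] = field(default_factory=dict)
    nat_pairs: Set[Tuple[str, str]] = field(default_factory=set)   # (real_if, mapped_if)
    access_groups: Dict[str, str] = field(default_factory=dict)    # nameif -> inbound ACL name
    dhcp_pools: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=dict)
    same_sec_inter: bool = False


def parse(text: str) -> AsaConfig:
    """Pull interfaces, NAT pairs, inbound access-groups and DHCP pools out of 'show run' text."""
    cfg = AsaConfig()
    block: Optional[dict] = None

    def flush() -> None:
        nonlocal block
        if block and "nameif" in block:          # unnamed (shutdown) interfaces are ignored
            cfg.ifaces[block["nameif"]] = Iface(block["nameif"], block.get("level", -1), block.get("net"))
        block = None

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush()
            block = {}
            continue
        if block is not None and line.startswith(IF_SUBCMDS):
            w = line.split()
            if w[0] == "nameif":
                block["nameif"] = w[1]
            elif w[0] == "security-level":
                block["level"] = int(w[1])
            elif line.startswith("ip address ") and len(w) >= 4:
                block["net"] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
            continue
        flush()
        if (m := re.match(r"nat \((\w+),(\w+)\)", line)):
            cfg.nat_pairs.add((m.group(1), m.group(2)))
        elif (m := re.match(r"access-group (\S+) in interface (\S+)", line)):
            cfg.access_groups[m.group(2)] = m.group(1)
        elif (m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)", line)):
            cfg.dhcp_pools[m.group(3)] = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
        elif line == "same-security-traffic permit inter-interface":
            cfg.same_sec_inter = True
    flush()
    return cfg


def can_initiate(cfg: AsaConfig, src: str, dst: str) -> Optional[bool]:
    """ASA default policy when src has no inbound ACL: higher level may open connections to a
    lower level; equal levels only with inter-interface permitted. None = an ACL decides instead."""
    if src in cfg.access_groups:
        return None
    a, b = cfg.ifaces[src].level, cfg.ifaces[dst].level
    return a > b or (a == b and cfg.same_sec_inter)


def reachable_by_default(cfg: AsaConfig, src: str) -> List[str]:
    return sorted(d for d in cfg.ifaces if d != src and can_initiate(cfg, src, d))


def lint_guest(cfg: AsaConfig, guest: str) -> List[str]:
    """Findings for a guest interface that should only ever reach the Internet."""
    findings, g = [], cfg.ifaces[guest]
    for other in reachable_by_default(cfg, guest):
        if other not in WAN:
            findings.append(f"{guest} (level {g.level}) may initiate to {other} "
                            f"(level {cfg.ifaces[other].level}): lower its level or apply an inbound ACL")
    if not any(real == guest and mapped in WAN for real, mapped in cfg.nat_pairs):
        findings.append(f"no nat ({guest},<wan>) rule: guest hosts cannot reach the Internet")
    if guest in cfg.dhcp_pools and g.network is not None:
        first, last = cfg.dhcp_pools[guest]
        if first not in g.network or last not in g.network:
            findings.append(f"dhcpd pool {first}-{last} is outside {g.network}")
    return findings


if __name__ == "__main__":
    for finding in lint_guest(parse(SAMPLE_CONFIG), "GuestWIFI"):
        print("-", finding)
```

On the sample it reports that GuestWIFI at level 90 may initiate to DMZ and that no `nat (GuestWIFI,...)` rule exists; with the level changed to 40 and a `nat (GuestWIFI,COMCAST) after-auto source dynamic any interface` line added, only the level-0 WAN interface remains reachable and the linter is silent. Security level is a coarse control (anything with a lower level stays reachable), so an explicit inbound ACL on GuestWIFI that denies the inside and DMZ subnets and permits everything else is the stricter option.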

Hi Rick, 

I added the NAT rule and lowered the security level on the Guest WIFI to 40, so they can't access the DMZ. On the switch side (I have an SG-300) I added VLAN 30 and assigned it to port GE25. I then made that port a trunk port. I am still having issues. When I connect my device to the guest wireless, it doesn't obtain an IP address, and it never connects. 

Below is the new config from the ASA: 

Result of the command: "show running-config"

: Saved

:
: Serial Number: XXXXXX
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(2)
!
hostname ASA-5506
domain-name XXXXXXXXXXXXX
enable password XXXXXXXXXXXX
names
ip local pool VPN_XXX XXX.XX.XX.X-1XX.XX.XX.X mask 255.255.XXX.0
!
interface GigabitEthernet1/1
description To Verizon WAN
nameif outside
security-level 0
ip address XXX.XX.XXX.XX 255.255.255.XXX
!
interface GigabitEthernet1/2
description Inside Network
nameif inside
security-level 100
ip address XXX.XX.XX.X 255.255.XXX.0
!
interface GigabitEthernet1/2.30
description Guest_Wifi_Vlan
vlan 30
nameif GuestWIFI
security-level 40
ip address 192.168.18.1 255.255.255.0
!
interface GigabitEthernet1/3
description To Comcast WAN
nameif COMCAST
security-level 0
ip address XX.XX.XXX.X XXX.XXX.XXX.XXX
!
interface GigabitEthernet1/4
description DMZ Interface
nameif DMZ
security-level 50
ip address XXX.XXX.XXX.XXX 255.255.XXX.0
!
boot system disk0:/asa942-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup COMCAST
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server XXX.XXX.XXX.XXX
domain-name XXX.XXX.XXX.XXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_XXX.XXX.XXX.XXX
subnet XXX.XXX.XXX.XXX 255.255.XXX.0
object network CUCM-6970
host 172.XX.XX.XX
object network CUCM-69
host 172.XX.XX.XX
object network Comcast_Public_Pool
range XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
description Comcast_Public_Pool
object network Guest_Wifi
subnet 192.168.18.0 255.255.255.0
access-list SplitTunnel standard permit XXX.XXX.XXX.XXX 255.255.XXX.0
access-list SplitTunnel standard permit XXX.XXX.XXX.XXX 255.255.XXX.0
access-list SplitTunnel standard permit XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu GuestWIFI 1500
mtu COMCAST 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_XXX.XXX.XXX.XXX NETWORK_OBJ_XXX.XXX.XXX.XXX no-proxy-arp route-lookup
!
object network CUCM-6970
nat (inside,outside) static interface service tcp 6970 6970
object network CUCM-69
nat (inside,outside) static interface service udp tftp tftp
object network Guest_Wifi
nat (GuestWIFI,COMCAST) dynamic interface
!
nat (inside,COMCAST) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group COMCAST_access_in in interface COMCAST
access-group DMZ_access_in in interface DMZ
route COMCAST 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
route inside XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAP_memberOf
map-name memberOf XXXXXXXXXXXXXXX
map-value memberOf XXX.XXX.XXX.XXX
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host XXX.XXX.XXX.XXX
key XXXXXXXXXXXXXX
radius-common-pw XXXXXXXXXXXX
aaa-server LDAP_Domain protocol ldap
aaa-server LDAP_Domain (inside) host XXX.XXX.XXX.XXX
ldap-base-dn XXX.XXX.XXX.XXX
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn XXX.XXX.XXX.XXX,XXX.XXX.XXX.XXX
server-type microsoft
ldap-attribute-map LDAP_memberOf
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http XXX.XXX.XXX.XXX 255.255.XXX.0 inside
http 0.0.0.0 0.0.0.0 inside
http XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX outside
http 1XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX outside
snmp-server host inside XXX.XXX.XXX.XXX community *****
snmp-server host inside XXX.XX.XX.XX community *****
snmp-server host inside XX.XX.XX.XXX poll community ***** version 2c
no snmp-server location
no snmp-server contact
dhcpd auto_config outside
!
dhcpd address 192.168.18.2-192.168.18.254 GuestWIFI
dhcpd dns 4.1.1.1 4.2.2.2 interface GuestWIFI
dhcpd enable GuestWIFI
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.40 source outside
: end

Am I correct in understanding that port GE25 is where the wireless is connected? And correct in understanding that you made that port into a trunk port? If so I think that is your problem. I would think that the port where the wireless is connected should be an access port in vlan 30. You could perhaps leave GE25 as a trunk port and make vlan 30 the native vlan for the trunk. But I don't see why you want this connection as a trunk.

HTH

Rick

The access point is connected to a port on Ubiquiti Switch (Different Switch). The trunk port of ubiquiti switch is connected to port GE25 on the SG300. Port GE3 on the SG300 is connected to the ASA. There are 3 VLANs. 1(default) 100(VOIP) and 30(Guest) on the SG300. Port GE3 is a trunk port that has vlan 1 as untagged and 100 & 30 as tagged. I have attached a Visio diagram which gives a clearer picture of what is connected to what. Let me know if you need further explanation. 


Thanks for the clarification. I do not see an issue in the ASA config that would cause the devices connected to wifi to not receive an IP address. Perhaps the next step might be to run debug dhcpd on the ASA, then while monitoring the ASA try connecting a device to wifi. Let's see if the ASA seems to receive the DHCP request. (You probably need to enable logging monitor or logging buffered to be able to see the debug output.)

HTH

Rick
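Rick's explanation of trunk versus access ports and subinterfaces, his question about GE25, and the path the original poster describes (AP, UniFi switch, SG300 GE25, SG300 GE3, ASA) can be worked through with a small model of 802.1Q handling. This is an added example, not code from the thread. Each port is modelled as access (untagged) or trunk (native VLAN untagged, other VLANs tagged and only if in the allowed list), and the ASA as a physical interface that receives untagged frames plus subinterfaces keyed by VLAN tag. The UniFi port names ("ap", "uplink") and which VLANs those ports carry are assumptions; VLANs 1 (native), 30 (guest) and 100 (VoIP) and the GE3 trunk (1 untagged, 30 and 100 tagged) are as stated in the thread. Switch behaviour is simplified (no MAC learning or spanning tree).

```python
"""802.1Q walk-through of the thread's path: AP -> UniFi -> SG300 GE25 -> SG300 GE3 -> ASA.

Added example, not code from the thread. UniFi port names and port VLAN settings are
assumptions; VLANs 1/30/100 and the GE3 trunk are as described in the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]   # 802.1Q VLAN ID on the wire; None means untagged
    src: str             # sender, for tracing only


@dataclass
class Port:
    name: str
    mode: str                                # "access" or "trunk"
    vlan: int = 1                            # access VLAN, or native (untagged) VLAN of a trunk
    allowed: FrozenSet[int] = frozenset()    # tagged VLANs a trunk carries (unused for access)

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify an arriving frame into a VLAN; None means the switch drops it."""
        if self.mode == "access":
            return self.vlan if frame.vid in (None, self.vlan) else None
        if frame.vid is None:
            return self.vlan                 # untagged on a trunk lands in the native VLAN
        return frame.vid if frame.vid in self.allowed else None

    def egress(self, vlan: int, frame: Frame) -> Optional[Frame]:
        """Re-emit a frame of this VLAN on the port; None if the port does not carry it."""
        if self.mode == "access":
            return Frame(None, frame.src) if vlan == self.vlan else None
        if vlan == self.vlan:
            return Frame(None, frame.src)    # native VLAN leaves a trunk untagged
        return Frame(vlan, frame.src) if vlan in self.allowed else None


@dataclass
class Switch:
    name: str
    ports: Dict[str, Port]

    def forward(self, frame: Frame, in_port: str, out_port: str) -> Optional[Frame]:
        vlan = self.ports[in_port].ingress(frame)
        return None if vlan is None else self.ports[out_port].egress(vlan, frame)


@dataclass
class Asa:
    physical: str                                                  # nameif for untagged frames
    subinterfaces: Dict[int, str] = field(default_factory=dict)    # VLAN tag -> nameif

    def nameif_for(self, frame: Optional[Frame]) -> Optional[str]:
        if frame is None:
            return None
        return self.physical if frame.vid is None else self.subinterfaces.get(frame.vid)


Hop = Tuple[Switch, str, str]


def trace(frame: Frame, hops: List[Hop], asa: Asa) -> Optional[str]:
    """Push a frame through each (switch, in_port, out_port) hop; return the ASA nameif it reaches."""
    for switch, in_port, out_port in hops:
        frame = switch.forward(frame, in_port, out_port)
        if frame is None:
            return None
    return asa.nameif_for(frame)


# ASA as configured in the thread: inside on physical Gi1/2, GuestWIFI on Gi1/2.30 (vlan 30).
ASA = Asa("inside", {30: "GuestWIFI"})


def where_guest_lands(ap_tags_guest: bool, unifi_carries_30: bool, ge25_carries_30: bool) -> Optional[str]:
    """ASA interface reached by a guest-SSID frame for a given combination of switch settings."""
    voip_and_guest = frozenset({30, 100})
    unifi = Switch("UniFi", {
        "ap": Port("ap", "trunk", 1, frozenset({30}) if unifi_carries_30 else frozenset()),
        "uplink": Port("uplink", "trunk", 1, voip_and_guest if unifi_carries_30 else frozenset({100})),
    })
    sg300 = Switch("SG300", {
        "GE25": Port("GE25", "trunk", 1, voip_and_guest if ge25_carries_30 else frozenset({100})),
        "GE3": Port("GE3", "trunk", 1, voip_and_guest),   # to the ASA: 1 untagged, 30 and 100 tagged
    })
    frame = Frame(30 if ap_tags_guest else None, "guest-laptop")
    return trace(frame, [(unifi, "ap", "uplink"), (sg300, "GE25", "GE3")], ASA)


if __name__ == "__main__":
    for combo in [(False, True, True), (True, False, True), (True, True, False), (True, True, True)]:
        print(combo, "->", where_guest_lands(*combo))
```

Tracing the combinations reproduces the three outcomes seen in the thread: a guest frame that leaves the AP untagged lands on `inside` (the first symptom, guest clients getting inside-network addresses); a frame tagged 30 that meets any port along the path not carrying VLAN 30 is dropped, so clients never get a lease and `debug dhcpd` on the ASA shows nothing; only when every hop carries VLAN 30 does it reach `GuestWIFI`. That is why the ASA config can be correct while the fault sits in one of the switches.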