Solved

ASA 5510 DHCP not working

Posted on 2013-12-24
Last Modified: 2014-01-04
Trying to set up a Cisco ASA 5510, a 2960 switch and a WLC 2500. The system was configured by another company but they never made it work, and I am trying to see what they did.

The switch seems to be OK but the firewall is not.
It is not giving DHCP and is not recognized by the switch.

The firewall is connected to port 48 of the switch and the WLC to 47.

If I do a sh cdp nei I can only see the WLC. I can't even ping 192.168.50.1.

If I connect my laptop directly to port 2 of the router I don't get an IP either.
If I connect to the switch I don't get an IP either.

Could someone please review the config below and see what is wrong with it?

Thank you.

ASA Version 8.4(7)
!
hostname 
domain-name 
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.1
 vlan 51
 nameif voice
 security-level 100
 ip address 192.168.51.1 255.255.255.0
!
interface Ethernet0/2.2
 vlan 50
 nameif Data
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2.3
 vlan 52
 nameif WIFI-Inside
 security-level 100
 ip address 192.168.52.1 255.255.255.0
!
interface Ethernet0/2.4
 vlan 99
 nameif WIFI-Guest
 security-level 50
 ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa847-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup voice
dns domain-lookup Data
dns domain-lookup WIFI-Inside
dns domain-lookup WIFI-Guest
dns domain-lookup management
dns server-group DefaultDNS
 domain-name ocean.sf
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu voice 1500
mtu Data 1500
mtu WIFI-Inside 1500
mtu WIFI-Guest 1500
mtu management 1500
ip local pool VPN-Pool 192.168.49.100-192.168.49.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0  1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.50.0 255.255.255.0 Data
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 Data
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd address 192.168.51.100-192.168.51.199 voice
dhcpd dns 66.29.0.14 66.28.0.30 interface voice
dhcpd domain ocean.sf interface voice
dhcpd enable voice
!
dhcpd address 192.168.50.100-192.168.50.199 Data
dhcpd dns 66.29.0.14 66.28.0.30 interface Data
dhcpd domain ocean.sf interface Data
dhcpd enable Data
!
dhcpd address 192.168.52.100-192.168.52.199 WIFI-Inside
dhcpd dns 66.29.0.14 66.28.0.30 interface WIFI-Inside
dhcpd domain ocean.sf interface WIFI-Inside
dhcpd enable WIFI-Inside
!
dhcpd address 192.168.99.100-192.168.99.199 WIFI-Guest
dhcpd dns 66.29.0.14 66.28.0.30 interface WIFI-Guest
dhcpd domain ocean.sf interface WIFI-Guest
dhcpd enable WIFI-Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.167.68.100
ntp server 169.229.70.201
ntp server 209.123.234.24
ntp server 74.207.245.227
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b1894c6cd3850171b058cbbe0f50003e
: end



oceansf_sw#sh run
Building configuration...

Current configuration : 16061 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$wtCm$kWf83tXUpPOohiNwMdx4t/
enable password 
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-48fps-l
!
!
ip domain-name ocean.sf
!
mls qos map policed-dscp  0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
 enrollment selfsigned
 serial-number
 revocation-check none
 rsakeypair HTTPS_SS_CERT_KEYPAIR
!
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR

spanning-tree mode pvst
spanning-tree extend system-id
auto qos srnd4
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
 match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
 match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
 match ip dscp cs3
!
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
 class AUTOQOS_VOIP_DATA_CLASS
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_VOIP_SIGNAL_CLASS
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_DEFAULT_CLASS
  set dscp default
  police 10000000 8000 exceed-action policed-dscp-transmit
!
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 description Trust devices to set their own CoS
 switchport trunk native vlan 50
 switchport mode trunk
 switchport voice vlan 51
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!

!
interface GigabitEthernet1/0/47
 description *** uplink to WLC ***
 switchport mode trunk
 switchport voice vlan 51
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!
interface GigabitEthernet1/0/48
 description *** Uplink to ASA 5510 ***
 switchport trunk native vlan 50
 switchport mode trunk
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan50
 description Data VLAN
 ip address 192.168.50.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.28.50.1
ip http server
ip http secure-server
!
ip access-list extended AUTOQOS-ACL-DEFAULT
 permit ip any any
snmp-server community public RO
!
line con 0
line vty 0 4
 password
 login
 length 0
line vty 5 15
 password 
 login
 length 0
!
ntp clock-period 22518558
ntp server 209.81.9.7
ntp server 209.0.72.7
ntp server 164.67.62.194
end


Question by:odewulf
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39738810
What do you get if you do a 'show vlan' on the switch?
LVL 45

Expert Comment

by:Craig Beck
ID: 39739170
+1

I don't think you've actually created the VLANs on your switch.

Aside from that, you should clean up the WLC switchport config.  There's a lot of stuff you don't want there, and you've not set a native VLAN on the port either.  You don't absolutely have to do this, but you don't want to particularly use VLAN1 either.

interface GigabitEthernet1/0/47
 description *** uplink to WLC ***
 switchport mode trunk
 switchport trunk native vlan <INSERT_NATIVE_VLAN>
 mls qos trust cos
 spanning-tree portfast
end

Author Comment

by:odewulf
ID: 39739196
Thank you.
I will clean up interface 47.

I will give you the result of the vlan command tomorrow but I am assuming the only thing I will see is

interface Vlan50
 description Data VLAN
 ip address 192.168.50.2 255.255.255.0
 no ip route-cache

interface Vlan1
 no ip address
 shutdown

Is there a reason that, even without looking at the switch, I am not getting an IP from the firewall if I connect my laptop to port 2?
LVL 45

Expert Comment

by:Craig Beck
ID: 39739211
If you issue the show vlan command you'll see a list of VLANs that the switch knows about in its database.  You won't see the commands which are entered into the CLI for VLAN interface configuration - that's stored in a different place.

As we've both said, without looking at the switch the most obvious reason for this is if the switch doesn't know about the VLANs.  If you connect to port 2 of the ASA you're probably not going to see anything as your laptop doesn't do 802.1Q tagging on its NIC by default (if it even supports it).  It will just sit in VLAN1 and nothing will happen.  If your laptop NIC does support 802.1Q, just configure an interface with VLAN ID 50 and see what happens when you connect to port 2.

I actually went to a customer who had the same issue last week.  He was trying for weeks to get something working and the config showed VLAN interface config, but when we checked the VLAN database the VLANs weren't there.

We simply issued the following:

conf t
 vlan 640
end


...and that was it; everything just started working!

Author Comment

by:odewulf
ID: 39739243
Great, thank you. I will check when I am back in the office.
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39739298
That's what I was getting at. I don't think the VLANs exist in your switch's VLAN database.

Author Comment

by:odewulf
ID: 39740289
Here is the sh vlan result. As you mentioned, VLAN 50 is not active.
VLAN 50 is created though, so I guess it is something on the router that is not going through.
It is seeing the wireless VLANs.

What do you think should be changed?

Thanks

sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                Gi1/0/25, Gi1/0/26, Gi1/0/27
                                                Gi1/0/28, Gi1/0/29, Gi1/0/30
                                                Gi1/0/31, Gi1/0/32, Gi1/0/33
                                                Gi1/0/34, Gi1/0/35, Gi1/0/36
                                                Gi1/0/37, Gi1/0/38, Gi1/0/39
                                                Gi1/0/40, Gi1/0/41, Gi1/0/42
                                                Gi1/0/43, Gi1/0/44, Gi1/0/45
                                                Gi1/0/46, Gi1/0/49, Gi1/0/50
                                                Gi1/0/51, Gi1/0/52
50   Data                             active
51   Voice                            active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/21, Gi1/0/22
                                                Gi1/0/23, Gi1/0/24, Gi1/0/25
                                                Gi1/0/28, Gi1/0/31
52   WIFI-Inside                      active
99   WIFI-Guest                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
50   enet  100050     1500  -      -      -        -    -        0      0
51   enet  100051     1500  -      -      -        -    -        0      0
52   enet  100052     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Author Comment

by:odewulf
ID: 39740316
Here is what I added for the interfaces:


interface GigabitEthernet1/0/47
 description *** uplink to WLC ***
 switchport trunk native vlan 50
 switchport trunk allowed vlan 50-52,99
 switchport mode trunk
!
interface GigabitEthernet1/0/48
 description *** Uplink to ASA 5510 ***
 switchport trunk native vlan 50
 switchport trunk allowed vlan 50-52,99
 switchport mode trunk
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39740541
You need to add the VLANs into the VLAN database on the switch. The SHOW VLAN command indicates that the switch only knows about VLANs 1, 50 and 51.

Just type this at the CLI.

"VLAN99".

Then run SHOW VLAN again from the switch. 99 should now show up. I believe 99 is your GuestWIFI. Then see if the Guest WIFI users can get DHCP addresses.

If that works, repeat that command for your other VLANs on the switch (except VLAN 1, 50 and 51).

Author Comment

by:odewulf
ID: 39740616
The fact is that even hard-wired to the switch I can't get an IP, and it should be on VLAN 50.
It looks like port 48 is not communicating with the ASA. Is that port config wrong?

Thanks
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39740657
What happens if you do a SHOW VLAN from the ASA?

Author Comment

by:odewulf
ID: 39740794
oceansf# sh vlan
50-52,99
LVL 45

Expert Comment

by:Craig Beck
ID: 39740963
The ASA native VLAN should be 50.

Do you have DHCP snooping configured on the switch?

Author Comment

by:odewulf
ID: 39740973
Yes, the native VLAN is 50.

There is no DHCP set at all on the switch. This is in fact a really simple config.

4 virtual VLANs and a switch :-/

Are there some kind of logs I could check to find out what is going on? Since I can't see the switch from the ASA or vice versa, I am pretty sure this is the issue.
I can see the WLC from the switch though.

Thank you

Author Comment

by:odewulf
ID: 39741025
So I reset the switch and started from scratch. Unfortunately still no DHCP and no router access. I can see the AP and the WLC, so it really looks like something on the ASA is blocking the traffic. Here is the config and the show vlan.

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname oceansf_sw
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$wtCm$kWf83tXUpPOohiNwMdx4t/
enable password 
!
!
!
macro global description cisco-global
no aaa new-model
clock timezone UTC -8
clock summer-time UTC recurring
switch 1 provision ws-c2960s-48fps-l
!
!
f
udld aggressive

!
mls qos map policed-dscp  0 10 18 24 46 to 8
mls qos map cos-dscp 0 8 16 24 32 46 46 56
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
 enrollment selfsigned
 serial-number
 revocation-check none
 rsakeypair HTTPS_SS_CERT_KEYPAIR
!
!

!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
auto qos srnd4
!
!
!
errdisable recovery cause link-flap
errdisable recovery interval 60
!
vlan internal allocation policy ascending
!
!
class-map match-all AUTOQOS_VOIP_DATA_CLASS
 match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
 match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
 match ip dscp cs3
!
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
 class AUTOQOS_VOIP_DATA_CLASS
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_VOIP_SIGNAL_CLASS
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
 class AUTOQOS_DEFAULT_CLASS
  set dscp default
  police 10000000 8000 exceed-action policed-dscp-transmit
!
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 switchport access vlan 50
 switchport mode access
 switchport voice vlan 51
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!
interface GigabitEthernet1/0/2
 switchport access vlan 50
 switchport mode access
 switchport voice vlan 51
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!

!
interface GigabitEthernet1/0/46
 switchport trunk native vlan 50
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless
 auto qos trust
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/47
 description *** uplink to WLC ***
 switchport trunk native vlan 50
 switchport trunk allowed vlan 50-52,99
 switchport mode trunk
!
interface GigabitEthernet1/0/48
 switchport trunk native vlan 50
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 macro description cisco-router
 auto qos trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan50
 description Data VLAN
 ip address 192.168.50.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.50.1
ip http server
ip http secure-server
!
ip access-list extended AUTOQOS-ACL-DEFAULT
 permit ip any any
snmp-server community public RO
!
line con 0
line vty 0 4
 password
 login
 length 0
line vty 5 15
 password 
 login
 length 0
!
ntp clock-period 22518558
ntp server 209.81.9.7
ntp server 209.0.72.7
ntp server 164.67.62.194
end



sh vlan

oceansf_sw#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/35, Gi1/0/36, Gi1/0/37
                                                Gi1/0/38, Gi1/0/39, Gi1/0/40
                                                Gi1/0/41, Gi1/0/42, Gi1/0/43
                                                Gi1/0/44, Gi1/0/46, Gi1/0/49
                                                Gi1/0/50, Gi1/0/51, Gi1/0/52
50   Data                             active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                Gi1/0/25, Gi1/0/26, Gi1/0/27
                                                Gi1/0/28, Gi1/0/29, Gi1/0/30
                                                Gi1/0/31, Gi1/0/32, Gi1/0/33
                                                Gi1/0/34
51   Voice                            active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                Gi1/0/25, Gi1/0/26, Gi1/0/27
                                                Gi1/0/28, Gi1/0/29, Gi1/0/30
                                                Gi1/0/31, Gi1/0/32, Gi1/0/33
                                                Gi1/0/34
52   WIFI-Inside                      active
99   WIFI-Guest                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
50   enet  100050     1500  -      -      -        -    -        0      0
51   enet  100051     1500  -      -      -        -    -        0      0
52   enet  100052     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports


sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
APc067.af58.dbaa Gig 1/0/45        167              R T   AIR-CAP26 Gig 0.1
OceanSF_WLC      Gig 1/0/47        139               H    AIR-CT250 Gig 0/0/1

sh interfaces gigabitEthernet 1/0/48
GigabitEthernet1/0/48 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is f47f.35c9.f7b0 (bia f47f.35c9.f7b0)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 4000 bits/sec, 4 packets/sec
     79 packets input, 5068 bytes, 0 no buffer
     Received 62 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     566260 packets output, 47658061 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39741084
I am thinking you may want to try an IP Helper Address on the Cisco ASA. Could be wrong.
LVL 45

Accepted Solution

by: Craig Beck (earned 500 total points)
ID: 39741349
The ASA doesn't support CDP, so you won't be able to see it from the switch.

You said the native VLAN is 50,  but it isn't configured that way on the ASA. You have a subinterface for VLAN50 on the ASA so it's tagged traffic, not native.

On the switch port change the native VLAN to something random (an unused VLAN ID) and see if it works.
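Two of the checks raised in this thread are mechanical once the text is in hand: Craig's point that a VLAN only exists if the switch's VLAN database (show vlan) lists it, whatever the running config says, and the accepted answer's point that a switch trunk whose native VLAN is 50 sends that VLAN untagged, while an ASA subinterface with "vlan 50" only accepts it tagged. The Python below is an added example written for this page; it is not code from the thread, from Cisco, or from any of the participants. The ASA and switch snippets inside it are constructed from the configs posted above, and the show vlan sample deliberately omits VLAN 99 to reproduce the "interface config present, VLAN database empty" case Craig described at his customer (the thread's own show vlan output had all four VLANs active).

```python
"""Audit an ASA-to-switch 802.1Q trunk for two faults: VLANs the ASA tags that
the switch VLAN database does not know, and a native-VLAN mismatch (switch
sends a VLAN untagged while the ASA only has a tagged subinterface for it).
Added example for this page, not Cisco or thread code; sample configs are
constructed."""
import re

# Constructed from the ASA subinterfaces posted in the question.
ASA_CONFIG = """\
interface Ethernet0/2
 no nameif
!
interface Ethernet0/2.1
 vlan 51
 nameif voice
!
interface Ethernet0/2.2
 vlan 50
 nameif Data
!
interface Ethernet0/2.3
 vlan 52
 nameif WIFI-Inside
!
interface Ethernet0/2.4
 vlan 99
 nameif WIFI-Guest
!
"""

# Constructed from the switch's original Gi1/0/48 uplink config.
SWITCH_CONFIG = """\
interface GigabitEthernet1/0/48
 description *** Uplink to ASA 5510 ***
 switchport trunk native vlan 50
 switchport mode trunk
!
"""

# Constructed 'show vlan' excerpt; VLAN 99 is deliberately absent.
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
50   Data                             active
51   Voice                            active    Gi1/0/1, Gi1/0/2, Gi1/0/3
52   WIFI-Inside                      active
1002 fddi-default                     act/unsup
"""


def asa_tagged_vlans(cfg):
    """Map VLAN ID -> ASA subinterface for every ' vlan N' line.
    Frames for these VLANs must arrive 802.1Q-tagged; a subinterface never
    accepts them untagged, which is the root of the native-VLAN fault."""
    tagged, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+vlan (\d+)\s*$", line)):
            tagged[int(m.group(1))] = current
    return tagged


def switch_trunk_native(cfg, port):
    """Native (untagged) VLAN of a trunk port; IOS defaults to 1 when no
    'switchport trunk native vlan' line is present. None if port not found."""
    seen, in_port, native = False, False, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            in_port = line.split()[1] == port
            seen = seen or in_port
        elif in_port and (m := re.match(r"\s+switchport trunk native vlan (\d+)", line)):
            native = int(m.group(1))
    if not seen:
        return None
    return native if native is not None else 1


def show_vlan_active(output):
    """VLAN IDs 'show vlan' lists as active. Only this table proves a VLAN
    exists; an 'interface VlanN' stanza in the running config does not."""
    rows = (re.match(r"(\d+)\s+\S+\s+active\b", l) for l in output.splitlines())
    return {int(m.group(1)) for m in rows if m}


def audit(asa_cfg, sw_cfg, uplink, show_vlan):
    """Return human-readable findings; an empty list means the trunk is consistent."""
    findings = []
    tagged = asa_tagged_vlans(asa_cfg)
    active = show_vlan_active(show_vlan)
    native = switch_trunk_native(sw_cfg, uplink)
    for vlan, subif in sorted(tagged.items()):
        if vlan not in active:
            findings.append(f"VLAN {vlan} ({subif}) is tagged by the ASA but is not in "
                            f"the switch VLAN database; create it with 'vlan {vlan}'")
    if native in tagged:
        findings.append(f"native VLAN mismatch on {uplink}: the switch sends VLAN "
                        f"{native} untagged but the ASA expects it tagged on "
                        f"{tagged[native]}; move the trunk's native VLAN to an unused ID")
    return findings


if __name__ == "__main__":
    for f in audit(ASA_CONFIG, SWITCH_CONFIG, "GigabitEthernet1/0/48", SHOW_VLAN):
        print("FINDING:", f)
```

Run against the constructed inputs it reports both faults; swap the uplink's native VLAN to an unused ID and add VLAN 99 to the database and it reports nothing, which is the state the thread ended in.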

Author Comment

by:odewulf
ID: 39742013
I will try that.

If that doesn't work I might reconfigure the firewall and get rid of the virtual interfaces.

If I use the 3 Ethernet ports for the Data/private wireless, voice and public wireless, then I can connect them to 3 ports on the switch:

interface GigabitEthernet1/0/45
 description **** Uplink to ASA-Voice ****
 switchport access vlan 51
 switchport mode access
!
interface GigabitEthernet1/0/46
 description **** Uplink to ASA-Public ****
 switchport access vlan 99
 switchport mode access
!
interface GigabitEthernet1/0/47
 description **** Uplink to ASA-Private ****
 switchport access vlan 50
 switchport mode access

I'll let you know how it goes this afternoon.

Author Comment

by:odewulf
ID: 39743021
Thank you guys, this worked.

I can now get an IP when connecting my laptop to the switch, and the APs are getting an IP as well.

The only thing left is that wireless clients are not getting an IP. I am wondering if it is something similar here, with the VLAN not passing through port 48. Here is what I changed:

interface GigabitEthernet1/0/29
 switchport access vlan 50
 switchport mode access
 switchport voice vlan 51
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY



interface GigabitEthernet1/0/46
 description *** AP6 ***
 switchport trunk native vlan 50
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless
 auto qos trust
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/47
 description *** Uplink to WLC 1 ***
 switchport trunk native vlan 50
 switchport mode trunk
!
interface GigabitEthernet1/0/48
 description *** Uplink to ASA 0.2 ***
 switchport trunk native vlan 100
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 macro description cisco-router
 auto qos trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable

oceansf_sw#show int trunk


Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/44    on               802.1q         trunking      50
Gi1/0/45    on               802.1q         trunking      50
Gi1/0/47    on               802.1q         trunking      50
Gi1/0/48    on               802.1q         trunking      100

Port        Vlans allowed on trunk
Gi1/0/44    1-4094
Gi1/0/45    1-4094
Gi1/0/47    1-4094
Gi1/0/48    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/44    1,50-52,99-100
Gi1/0/45    1,50-52,99-100
Gi1/0/47    1,50-52,99-100
Gi1/0/48    1,50-52,99-100

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/44    1,50-52,99-100
Gi1/0/45    1,50-52,99-100
Gi1/0/47    50-52,99-100
Gi1/0/48    1,50-52,99-100
oceansf_sw#

I tried changing the native port on the WLC and the AP to 100, but then I won't be able to connect to it anymore.
Maybe this is related to the WLC itself as well. Here is the picture of the interface:

[image: WLC interface]

thank you again for all your help
0
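The question above is whether VLAN 99 is actually allowed, active and forwarding on the trunk towards the ASA, and whether the native VLAN on Gi1/0/48 agrees with the rest of the trunks. As an added example (not from the thread), this small Python parser reads a `show interfaces trunk` output, expands the VLAN lists and reports, per check, why a given VLAN might not cross a given trunk; the embedded sample is constructed from the output above, cut to two ports, with one line deliberately altered so that a check fails.

```python
HEADERS = [("Native vlan", "native"), ("allowed on trunk", "allowed"),
           ("allowed and active", "active"), ("forwarding state", "forwarding")]

# Constructed sample modelled on the thread's output, cut to two ports; Gi1/0/48's
# forwarding list is deliberately altered to drop VLAN 100 so one check fails.
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/44    on               802.1q         trunking      50
Gi1/0/48    on               802.1q         trunking      100
Port        Vlans allowed on trunk
Gi1/0/44    1-4094
Gi1/0/48    1-4094
Port        Vlans allowed and active in management domain
Gi1/0/44    1,50-52,99-100
Gi1/0/48    1,50-52,99-100
Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/44    1,50-52,99-100
Gi1/0/48    1,50-52,99
"""

def expand(vlist):
    """Expand an IOS VLAN list: '1,50-52,99-100' -> {1, 50, 51, 52, 99, 100}."""
    return {v for lo, _, hi in (p.partition("-") for p in vlist.split(","))
            for v in range(int(lo), int(hi or lo) + 1)}

def parse_trunks(text):
    """Return {port: {"status", "native", "allowed", "active", "forwarding"}}."""
    trunks, section = {}, None
    for line in text.splitlines():
        f = line.split()
        if f and f[0] == "Port":   # table header: decide which table follows
            section = next(k for h, k in HEADERS if h in line)
        elif section == "native" and len(f) >= 5:
            trunks.setdefault(f[0], {}).update(status=f[3], native=int(f[4]))
        elif section and len(f) == 2:
            trunks.setdefault(f[0], {})[section] = expand(f[1])
    return trunks

def vlan_path(trunks, port, vlan):
    """Every value must be True for tagged traffic in `vlan` to cross `port`."""
    t = trunks[port]
    return {"trunking": t.get("status") == "trunking",
            "allowed": vlan in t.get("allowed", set()),
            "active": vlan in t.get("active", set()),
            "forwarding": vlan in t.get("forwarding", set()),
            "is_native": vlan == t.get("native")}  # native VLAN frames go untagged

def native_mismatches(trunks, expected):
    """Trunks whose native VLAN differs from what the far end sends untagged."""
    return sorted(p for p, t in trunks.items() if t.get("native") != expected)
```

Paste the real `show interfaces trunk` output in place of the sample; a False in `vlan_path(trunks, "Gi1/0/48", 99)` points at the table to look in, and a port listed by `native_mismatches(trunks, 50)` will drop untagged frames into a different VLAN than its neighbour expects.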
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39743365
On the WLC you need to tell the wifi-guest interface the IP address of the DHCP server, so the Primary DHCP server address will be the 192.168.99.x address on the ASA.

Add the mls qos trust cos command to Gi1/0/47 too, so the WLC can apply QoS marking correctly.
0
 

Author Comment

by:odewulf
ID: 39743759
Thanks Craig,
the WLC is already configured that way. I will add the QoS to the interface to see if that fixes the issue.

appreciate all your help

G
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39743773
The QoS bit won't fix the issue.

Can a wired client get an IP address on VLAN99 if you configure a port on the switch in VLAN99?

Can you post the client statistics from the WLC by clicking on a client's MAC address when trying to connect to the Guest SSID?
0
 

Author Comment

by:odewulf
ID: 39746604
Craig,

Yes, I get a DHCP VLAN 99 IP if connected to the switch with a port configured in VLAN 99.

There are no statistics that I can see. It just says connected but no IP.

Is this related to the native VLAN again? The issue is that if I change the native VLAN from 50 to something else then the WLC and APs are unreachable.

All the VLANs seem to be allowed through those interfaces as well, so I am not sure what the issue could be there :-/

Should I set the AP in mode access instead of mode trunk?

interface GigabitEthernet1/0/46
 description *** AP6 ***
 switchport trunk native vlan 50
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless
 auto qos trust
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/47
 description *** Uplink to WLC 1 ***
 switchport trunk native vlan 50
 switchport mode trunk
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39746742
This shouldn't be related to the native VLAN. Can you post the client statistics page for a particular client from the WLC when it connects to the Guest WLAN?

An AP should be in access mode when connected to a WLC unless it is in FlexConnect mode.

So, you'd need this for the AP and WLC...

interface GigabitEthernet1/0/46
 description *** AP6 ***
 switchport access vlan 50
 switchport mode access
 spanning-tree bpduguard enable
 spanning-tree portfast
!
interface GigabitEthernet1/0/47
 description *** Uplink to WLC 1 ***
 switchport trunk native vlan 50
 switchport mode trunk
 mls qos trust cos
!

0
 

Author Comment

by:odewulf
ID: 39747116
OK, so I changed the interfaces to be exactly what you have up there, but still no luck.

Here is what I get on the WLC client side:

[images: WLC client statistics stat1, stat2, stat3]

If I do a sh arp on the router here is what I get:

        Data 192.168.50.113 c067.af1e.480e 11
        Data 192.168.50.115 685b.3580.6444 61
        Data 192.168.50.2 f47f.35c9.f7c1 476
        Data 192.168.50.112 c067.af58.dbaa 823
        WIFI-Guest 192.168.99.3 dca5.f401.fdc4 401

So it looks like it sees the wifi-guest interface of the WLC, but it is just not relaying DHCP.
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 500 total points
ID: 39747137
Ok, on the WLC go to:

Controller -> Advanced -> DHCP

Untick 'Enable DHCP Proxy'.
0
 

Author Comment

by:odewulf
ID: 39747265
I thought we needed DHCP proxy to send DHCP requests from the client to the configured servers.
I will check that and let you know.
0
 

Author Comment

by:odewulf
ID: 39747384
Craig,

Thank you a million. It works.

I will do more testing tomorrow as I had to run out of the office then I will close the question.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39747765
It's badly worded, but DHCP proxy is actually only needed if the WLC is the DHCP server.

No probs - let me know how it goes :-)
0
 

Author Comment

by:odewulf
ID: 39755531
Craig,

Looks like I closed the question too soon. Everything seems to be working fine but the clients are not getting internet.

They are getting an IP address.
I can ping 8.8.8.8 from the ASA.
I can't ping 8.8.8.8 from the switch or the client.
The switch and the client can ping the ASA.

I am a bit puzzled as there is no rule on the asa that blocks traffic going outside.

any ideas what could cause the issue?

let me know if you would like me to create a new question

thx
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39755967
You'll need a NAT statement to allow access to the internet from inside, but you should really create a new question so people can find the answer later if they need to.

If you create a new question, post the link to it here so I can see it :-)
0
 

Author Comment

by:odewulf
ID: 39756190
0
