This is one of the most common deployment where you want Cisco ASA to lease IP address for your wireless Guests. We have a Windows Server in internal network, however for security reason, we want to completely isolate Guest network and do not want an internal server to lease IP address for Guests.
Gigabit Interface 1/3 in ASA is configured dedicatedly for wireless Guests and connected to a switch port 0/20.
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 80.85.8.146 255.255.255.248
interface GigabitEthernet1/3
nameif wireless
security-level 0
ip address 192.168.190.1 255.255.255.0
On the switch side, create a dedicate VLAN 192 for Guest network and assign it to switch port 0/20.
Important note: Do not configure SVI on switch for this VLAN.
Now you configure ASA as DHCP server. Specify DHCP scope and assign it to ASA interface. You cannot specify the default gateway for DHCP clients, ASA will assign its own interface as gateway, in this case, it is 192.168.190.1
dhcpd address 192.168.190.50-192.168.190.100 wireless
dhcpd enable wireless
The default lease period of DHCP is 3600 seconds. You can modify by following command.
dhcpd lease 86400 interface wireless
You got two options to specify DNS server. You can specify your own DNS server as below.
dhcpd dns 8.8.8.8 8.8.4.4
$2.75 per monthor let ASA assign the DNS servers that it got from internet provider.
dhcpd auto_config outside
Configure NAT and specify default route to internet provider.
object network mt_office_wireless
subnet 192.168.190.0 255.255.255.0
nat (wireless,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 80.85.8.145
We must also know some facts about Cisco ASA acting as DHCP Server
- You cannot reserve any IP address using MAC address, literally you can reserve IP address by any other means.
- The number of IP addresses of pool cannot exceed 256 address, which is a limitation of ASA.
