Cisco ASA as DHCP Server for Guest Network

This is one of the most common deployment where you want Cisco ASA to lease IP address for your wireless Guests. We have a Windows Server in internal network, however for security reason, we want to completely isolate Guest network and do not want an internal server to lease IP address for Interface 1/3 in ASA is configured dedicatedly for wireless Guests and connected to a switch port 0/20.

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address

interface GigabitEthernet1/3
nameif wireless
security-level 0
ip address

On the switch side, create a dedicate VLAN 192 for Guest network and assign it to switch port 0/20.
Important note: Do not configure SVI on switch for this VLAN.

Now you configure ASA as DHCP server. Specify DHCP scope and assign it to ASA interface. You cannot specify the default gateway for DHCP clients, ASA will assign its own interface as gateway, in this case, it is

dhcpd address wireless
dhcpd enable wireless

The default lease period of DHCP is 3600 seconds. You can modify by following command.

dhcpd lease 86400 interface wireless

You got two options to specify DNS server. You can specify your own DNS server as below.

dhcpd dns

All in One WordPress Hosting
HostGator $2.75 per month
24/7/365 Technical Support, Free Site Building Tools, 4500 Website Templates, Free Shopping Cart Software, Ideal for WordPress, 45 Day Money Back Guarantee
Starts at 30$ per month
All in One WordPress Hosting
High optimized WordPress hosting, secure firewall, HTTPS, Backup, hack-fix guarantee and many others at 30$ per month

or let ASA assign the DNS servers that it got from internet provider.

dhcpd auto_config outside

Configure NAT and specify default route to internet provider.

object network mt_office_wireless
nat (wireless,outside) dynamic interface

route outside

We must also know some facts about Cisco ASA acting as DHCP Server

  • You cannot reserve any IP address using MAC address, literally you can reserve IP address by any other means.
  • The number of IP addresses of pool cannot exceed 256 address, which is a limitation of ASA.