Can't ping Wifi devices on ISR

utnalove

Distinguished
Nov 29, 2013
54
0
18,530
Please take a look at this schema:
ciscodeisgn.png


Computers connected via cable can ping each other. They can also ping 192.168.0.1, 192.168.1.1 and 192.168.1.2, but cannot ping wifi devices, for example: 192.168.1.12, 192.168.1.23...

The ASA and ISR can ping both cable and wifi computers.

If I try to ping 192.168.1.23 (a wifi device) from a Windows computer 192.168.1.21 connected via cable to the ASA, I get this error:

C:\Users\me>ping 192.168.1.23
Pinging 192.168.1.23 with 32 bytes of data:
Reply from 192.168.1.21: Destination host unreachable.

Anybody know what's wrong?


Here is the ASA config:
ASA Version 9.2(3)4 
!
hostname xxxasa
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
boot system disk0:/asa923-4-k8.bin
ftp mode passive
clock timezone Warsaw 1
clock summer-time Warsaw recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network SSH_2222_Raspberry_Pi
 host 192.168.1.23
 description Raspberry_Pi
object service port_100
 service tcp destination eq 100 
object service port_443
 service tcp destination eq https 
object-group service Port2222 tcp
 port-object eq 2222
access-list outside_access_in_1 extended permit tcp any object SSH_2222_Raspberry_Pi object-group Port2222 
pager lines 24
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-741.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network SSH_2222_Raspberry_Pi
 nat (inside,outside) static interface service tcp 2222 2222 
access-group outside_access_in_1 in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.1.26,CN=sergioasa
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca XXXXXXXXXXX
 quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate XXXXXXXXXXX
 quit
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0 
dhcpd auto_config outside
!
dhcprelay server 192.168.1.1 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0
username XXXXXXXX password XXXXXXXXXXXX encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
 inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:XXXXXXXXXXX
: end


Here is the ISR config:
Current configuration : 7657 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login VPN-LIST local
aaa authorization network VPN-NET-GROUP local
!
!
aaa session-id common
clock timezone Warsaw 1
clock summer-time Warsaw date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-XXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXX
!
crypto pki trustpoint tti
 revocation-check crl
 rsakeypair tti
!
!
crypto pki certificate chain TP-self-signed-XXXXX
 certificate self-signed XXXXX
 quit
crypto pki certificate chain tti
dot11 syslog
!
dot11 ssid xxxxx
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 XXXXXXXXXXXXXXXX
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.29 192.168.1.254
!
ip dhcp pool Home_PCs
 import all
 network 192.168.1.0 255.255.255.0
 dns-server 62.179.1.63 62.179.1.62
 default-router 192.168.1.2
!
ip dhcp pool RASPBERRY_Pi_Wifi
 host 192.168.1.23 255.255.255.0
 client-identifier 01f4.f26d.1212.ad
!
!
ip cef
ip domain name yourdomain.com
!
!
!
username XXXXXXXXXXX privilege 15 secret 5 XXXXXXXXXXXXXX
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group vpngroup
 key XXXXXXXX
 dns 62.179.1.63 62.179.1.62
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list VPN-LIST
crypto map clientmap isakmp authorization list VPN-NET-GROUP
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
crypto ctcp port 888
archive
 log config
 hidekeys
!
!
ip ssh time-out 60
ip ssh version 2
!
bridge irb
!
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0
 description To Cisco PC
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 crypto map clientmap
!
interface Dot11Radio0
 no ip address
 no dot11 extension aironet
 !
 encryption mode ciphers aes-ccm
 !
 ssid sergio
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 power local cck 17
 power local ofdm 17
 power client 17
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool ippool 192.168.5.2 192.168.5.3
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 5801 interface FastEthernet4 5801
ip nat inside source static tcp 192.168.1.10 5802 interface FastEthernet4 5802
ip nat inside source static tcp 192.168.1.10 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.1.10 5901 interface FastEthernet4 5901
ip nat inside source static tcp 192.168.1.10 5902 interface FastEthernet4 5902
ip nat inside source static tcp 192.168.1.10 5800 interface FastEthernet4 5800
ip nat inside source static tcp 192.168.1.18 9100 interface FastEthernet4 6969
ip nat inside source static udp 192.168.1.15 7 interface FastEthernet4 7
ip nat inside source static tcp 192.168.1.15 3389 interface FastEthernet4 333
ip nat inside source static tcp 192.168.1.22 9100 interface FastEthernet4 6868
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.11.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 144 permit ip 192.168.5.0 0.0.0.255 any
snmp-server community public RO 1
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.11.0.2
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end


The ASA has a DHCP client. It does not have a DHCP server. It has a DHCP relay.
All the IP addresses for both cable and wifi computers should be given by the DHCP server that is in the ISR router, because the ASA5505 does not support IP address assignment to a specific MAC, and the ISR does. So in this configuration the ISR is the only one giving the IPs to both cable and wifi devices, and the IP address assignment is working fine.


It looks to me like both the ASA and cable computers as well as the ISR and wifi computers are in the same network 192.168.1.0/24
 

utnalove



The ASA has a DHCP client. It does not have a DHCP server. It has a DHCP relay (not a server, all the requests that it gets are forwarded to the DHCP server in the ISR).
All the IP addresses for both cable and wifi computers should be given by the DHCP server that is in the ISR router, because the ASA5505 does not support IP address assignment to a specific MAC, and the ISR does. So in this configuration the ISR is the only one giving the IPs to both cable and wifi devices, and the IP address assignment is working fine.


It looks to me like both the ASA and cable computers as well as the ISR and wifi computers are in the same network 192.168.1.0/24
 

Zenthar

Distinguished
If what you have is really a wireless ROUTER and not a wireless ACCESS POINT, then USAFRet is probably right, the problem might not be the ASA, but the wireless router. Most off-the-shelf routers, by default, isolate the LAN (including Wifi) from the WAN by creating a subnet for the LAN and block most calls done FROM the WAN unless you have port forwarding rules.

What brand/model of wireless router/ap are you using and how are they configured?
 

utnalove

Distinguished


Hi, it is a Wifi router. The model is Cisco ISR 851w.
How is it configured? I pasted the configuration in my first question. I see that both cable and wifi clients are in the same network. What different networks do you see from the configuration?

All the cable and wifi clients are getting the IP from the same range, in the same subnet and have the same default gateway.

I think there is some route missing somewhere, but I'm not sure... When I try to ping the wifi devices from the cable devices I get "Destination host unreachable" - which probably means that the packets didn't even enter the cable.
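
Added example, not part of any post in this thread: a small Python classifier for Windows ping transcripts like the one in the first post. On Windows, an unreachable reply whose source is the pinging host's own address is generated locally when ARP for the next hop (here the on-link target itself) gets no answer, so the place to look is layer 2 rather than the routing table. The function name and verdict strings are hypothetical; the netmask is the one from the ISR DHCP pool above.

```python
import ipaddress
import re

PINGING_RE = re.compile(r"Pinging (\d+(?:\.\d+){3})")
REPLY_RE = re.compile(r"Reply from (\d+(?:\.\d+){3}): (.*)")

# Transcript copied from the first post.
PAGE_SAMPLE = """C:\\Users\\me>ping 192.168.1.23
Pinging 192.168.1.23 with 32 bytes of data:
Reply from 192.168.1.21: Destination host unreachable.
"""

# Constructed samples for comparison (not from the thread).
ROUTER_SAMPLE = """Pinging 10.0.0.5 with 32 bytes of data:
Reply from 192.168.1.2: Destination host unreachable.
"""
OK_SAMPLE = """Pinging 192.168.1.23 with 32 bytes of data:
Reply from 192.168.1.23: bytes=32 time=3ms TTL=64
"""

def classify_ping(output, local_ip, netmask):
    """Return one verdict string for a Windows ping transcript."""
    target = PINGING_RE.search(output)
    if not target:
        return "no-target"
    local = ipaddress.ip_address(local_ip)
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    on_link = ipaddress.ip_address(target.group(1)) in net
    seen = set()
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m and "unreachable" in m.group(2).lower():
            if ipaddress.ip_address(m.group(1)) != local:
                seen.add("unreachable-reported-by-router")
            elif on_link:
                # Local stack got no ARP reply from the target itself.
                seen.add("local-arp-failure-for-target")
            else:
                # Local stack got no ARP reply from its gateway.
                seen.add("local-arp-failure-for-gateway")
        elif m and "bytes=" in m.group(2):
            seen.add("reachable")
        elif "request timed out" in line.lower():
            seen.add("timeout")
    for verdict in ("reachable", "local-arp-failure-for-target",
                    "local-arp-failure-for-gateway",
                    "unreachable-reported-by-router", "timeout"):
        if verdict in seen:
            return verdict
    return "unknown"
```

For the transcript in the first post the verdict is `local-arp-failure-for-target`, which is the case where comparing `arp -a` on the wired PC with the bridge and MAC tables on the ISR and ASA is the useful next check.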