Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1211
Views
0
Helpful
3
Replies

Neccessity to use Catalyst 2960 to connect Aironet CAPs 1552SA through ASA5525X to connect a PC

Go to solution
german_molina1
Level 1
Level 1

‎01-10-2018 08:54 AM - edited ‎03-01-2019 06:20 PM

Hi everyone,

 

I have to connect the tablet to the server with Remote Access through my APs (CAP1552SA) and Firewall ASA5525X. The question is if it´s neccessary to implement a Switch between RAP and ASA5525X or not.

The CAPs are in Autonomus Mode because we don´t have WLC.

Please see the pictures and tell me what´s correct and how to configure:

 

Picture 1:

 Image1.png

 

Picture 2:

Image2.png

Thank you guys!

Hope to see any help.

 

Regards.

German Molina

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nixpengu1n
Level 1
Level 1
In response to german_molina1

‎01-11-2018 01:55 AM

Hello,

 

By default ASA5525-X supports subinterfaces to act "like a trunk" to connect to other switches or APs (in your case). First you need to ensure what VLANs you need to pass to the firewall: is it only VLANs for SSIDs or BVI interface as well? Lets assume you want to pass VLAN 10 and 11. One for SSID, another for BVI.

 

Second you need to configure subinterfaces on ASA:

 

interface GigabitEthernetX/X
 description ** To AP **
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernetX/X.10
 vlan 10
 nameif vlan_10
 security-level XX
 ip address XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
 no shutdown
!
interface GigabitEthernetX/X.20
 vlan 10
 nameif vlan_10
 security-level XX
 ip address XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY

 no shutdown

 

You can also use VLAN secondary option if both of your VLANs requires same security-level. By default ASA5525-X is using dot11q encapsulation, same as AP.

 

More information could be found here:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-vlan.pdf

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Ben Walters
Level 3
Level 3

‎01-10-2018 12:06 PM

It is not necessary to add a switch between the firewall and AP, it only matters if you plan on adding more APs to that firewall interface zone.

 

The switch really add much it would just extend that area off of the firewall so if you only require the one root bridge you can go directly into the firewall.

 

If you feel like you might require more root bridge APs connected to that firewall zone in the future then you should put a switch in there.

0 Helpful

Go to solution
german_molina1
Level 1
Level 1
In response to Ben Walters

‎01-10-2018 01:29 PM

Well, I thought the neccessity of the Switch in there is because I had to configure the following lines in the port where AP is connected,

 

Switchport mode trunk

Switchport trunk encapsulation dot1q

Switchport trunk native vlan 1

Switchport trunk allowed vlan 1

 

I believe ASA 5525X can´t receive those commands. Don´t know.

All the connection has been made through VLAN 1. 

 

Regards. 

0 Helpful

Go to solution
nixpengu1n
Level 1
Level 1
In response to german_molina1

‎01-11-2018 01:55 AM

Hello,

 

By default ASA5525-X supports subinterfaces to act "like a trunk" to connect to other switches or APs (in your case). First you need to ensure what VLANs you need to pass to the firewall: is it only VLANs for SSIDs or BVI interface as well? Lets assume you want to pass VLAN 10 and 11. One for SSID, another for BVI.

 

Second you need to configure subinterfaces on ASA:

 

interface GigabitEthernetX/X
 description ** To AP **
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernetX/X.10
 vlan 10
 nameif vlan_10
 security-level XX
 ip address XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
 no shutdown
!
interface GigabitEthernetX/X.20
 vlan 10
 nameif vlan_10
 security-level XX
 ip address XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY

 no shutdown

 

You can also use VLAN secondary option if both of your VLANs requires same security-level. By default ASA5525-X is using dot11q encapsulation, same as AP.

 

More information could be found here:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-vlan.pdf

0 Helpful
Customers Also Viewed These Support Documents