10-29-2013 03:34 AM - edited 03-11-2019 07:57 PM
I have a Cisco 5505 and have an access point plugged into the POE port 7.
I have 2 SSIDs on the access point:
vlan 1 - production on the 192.168.70.0/24
vlan 10 - guest 172.16.0.0/24
I do not have a separate DHCP server so the ASA will have to act as the DHCP server for both vlans.
I need the guest network just to have access to the internet, nothing else.
Can this be done?
I also have the option of using IPSEC to a site which has a Windows DHCP server if this helps?
Thanks
James
10-29-2013 03:52 AM
Hi,
I guess you would have to configure a Trunk between the standalone AP and the ASA5505. And to support Trunking your ASA5505 would have to have Security Plus license if I don't remember wrong.
Then you could Trunk the 2 Vlans from AP to the ASA and configure separate DHCP pool for them.
Sadly I never even touch Wireless networks/devices in my work (other people for that), so I don't know what your different options there are. I just imagine that if your ASA5505 is running Base License and you cannot trunk and IF your AP had 2 physical ports, then you could get around the Trunking limitation of your ASA by configuring Access Mode ports for each Vlan on the ASA and connecting 2 separate ports from the AP to those ASA ports.
Allowing only Internet access for the other WLAN should be possible with simple access rules.
The DHCP through L2L VPN might be an option but it's surely more complicated to set up. If you had a Cisco router at the local site you could even use it as DHCP server. I am not sure if APs have this possibility? As I said, I don't know the first thing about configuring Wireless networks.
Hope this helps
- Jouni
10-29-2013 04:40 AM
Thanks for the reply.
The AP has 1 physical port so obviously this will be trunked and so will the port on the ASA. I do have the Security Plus license.
As you can see in the config below, the actual physical IP address of the inside network is 192.168.70.254 (port 7 facing the AP, vlan 1). I can provide a DHCP range to an interface. How do I get the guest network to work on the ASA and set an IP range for this network? Hope this makes sense?
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport trunk allowed vlan 1,10
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.70.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *****
10-29-2013 04:54 AM
Hi,
Well you would have to add an interface for the Vlan10
interface Vlan10
 nameif guest
 security-level 10
 ip address 172.16.0.x 255.255.255.0
dhcpd address 172.16.0.a-172.16.0.b guest
dhcpd dns
dhcpd enable guest
And you would naturally need some additional configurations like interface ACL and NAT configuration depending on your needs and current configurations.
- Jouni
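One way to fill in the interface ACL and NAT mentioned in the reply above, as an added example that is not part of the original thread. It assumes ASA software 8.3 or later (object NAT syntax) and the interface names `guest`, `inside` and `outside` from the posted configs; `GUEST-NET` and `GUEST-IN` are hypothetical names.

```text
! Added example, not from the thread. Assumes ASA 8.3+ object NAT syntax.
! GUEST-NET and GUEST-IN are hypothetical names.
!
! Dynamic PAT for the guest subnet behind the outside interface address.
object network GUEST-NET
 subnet 172.16.0.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! Once an ACL is bound inbound on "guest", it decides what guest traffic may
! pass instead of the security-level default, so the production subnet must be
! denied explicitly BEFORE the broad permit. Order matters: first match wins.
access-list GUEST-IN extended deny ip 172.16.0.0 255.255.255.0 192.168.70.0 255.255.255.0
!
! If the IPsec tunnel is used, add one deny line per remote-site subnet here
! (those subnets are not given in the thread).
!
! Everything else from the guest subnet is allowed, i.e. Internet only.
access-list GUEST-IN extended permit ip 172.16.0.0 255.255.255.0 any
!
! Bind the ACL to traffic entering the guest interface. This filters traffic
! through the ASA; DHCP requests to the ASA's own dhcpd are not affected.
access-group GUEST-IN in interface guest
```

To confirm the isolation, `packet-tracer input guest tcp 172.16.0.50 12345 192.168.70.10 445` (constructed addresses and ports) should report the flow as dropped by the access list.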
10-29-2013 05:03 AM
Sorted this. Thanks for your help anyway.
10-29-2013 05:06 AM
Hi,
Good to hear. Was there a problem with some configuration or were you missing some of the above configurations for example?
If any reply answered your question please do remember to mark the reply as the correct answer.
- Jouni