Connecting third-party AP to Cisco 897 ISR

RokasK
Level 1

Hello,

I can't get my MikroTik access point to route to the internet. It looks like I can ping the internet from the AP itself and clients connect to it via DHCP, but I suspect something is wrong with the ISR configuration.

Accepted Solutions

Hello,

Which IP address do the clients connected to the MikroTik AP have? Make sure the IP addresses are included in the access list used for NAT on the ISR.

The access list you currently use has the wrong wildcard mask. You are also missing a static default route. Make the changes marked in bold:

Current configuration : 5234 bytes
!
! Last configuration change at 17:36:51 UTC Sat Apr 3 2021 by noname
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco_isr
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$wyMt$1Di1CSiiQTzThkCvExLLl0
!
no aaa new-model
ethernet lmi ce
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.5
ip dhcp excluded-address 10.10.10.3
!
ip dhcp pool cvo-pool
import all
network 10.10.10.0 255.255.255.224
default-router 10.10.10.1
lease 0 2
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 1.1.1.1
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
license udi pid C897VAG-LTE-GA-K9 sn FCZ194393LQ
!
vtp mode transparent
username cisco privilege 15 secret 5 $1$lzEQ$iESwCjupCP1rWoLZh4GLi/
username noname privilege 15 secret 5 $1$/gNb$r3Rs2Dhf0v6U1JpfAENv20
!
controller VDSL 0
!
controller Cellular 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
no cdp run
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Cellular0
no ip address
encapsulation slip
shutdown
dialer in-band
dialer string lte
!
interface Cellular1
no ip address
encapsulation slip
!
interface Ethernet0
no ip address
!
interface GigabitEthernet0
no ip address
spanning-tree portfast
!
interface GigabitEthernet1
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
no ip address
spanning-tree portfast
!
interface GigabitEthernet3
no ip address
duplex full
speed 1000
!
interface GigabitEthernet4
no ip address
spanning-tree portfast
!
interface GigabitEthernet5
no ip address
spanning-tree portfast
!
interface GigabitEthernet6
no ip address
spanning-tree portfast
!
interface GigabitEthernet7
no ip address
spanning-tree portfast
!
interface GigabitEthernet8
description $ES_WAN$$FW_OUTSIDE$
no ip dhcp client request tftp-server-address
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.224
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet8 overload
!
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 overload
!
--> access-list 1 permit 10.10.10.0 0.0.0.31
access-list 23 permit 10.10.10.0 0.0.0.7
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
no exec
line 8
no exec
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

3 Replies

RokasK
Level 1

Thank you for your quick reply. I use a DHCP range of 10.10.10.15-10.10.10.30 on the MikroTik, and when I try to set the default route:

cisco_isr(config)#ip route 0.0.0.0 0.0.0.0 gi8 overload
^
% Invalid input detected at '^' marker.

whether it's in config or in if-config mode.

Hello,

Sorry, my mistake, that has to be:

cisco_isr(config)#ip route 0.0.0.0 0.0.0.0 gi8 dhcp

The access list should be:

access-list 1 permit 10.0.0.0 0.255.255.255
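
Added example (not part of the thread or either poster's code): a small Python check of IOS wildcard-mask matching, run against the two access-list lines from the posted configuration and the MikroTik DHCP range 10.10.10.15-10.10.10.30 given in the reply. The helper names are hypothetical, and only the numbered `access-list N permit <address> <wildcard>` form seen in the thread is parsed.

```python
import ipaddress

# ACL lines and the MikroTik DHCP range as posted in this thread.
THREAD_ACLS = """\
access-list 1 permit 10.10.10.0 0.0.0.31
access-list 23 permit 10.10.10.0 0.0.0.7
"""
LATER_SUGGESTION = "access-list 1 permit 10.0.0.0 0.255.255.255"
POOL = ("10.10.10.15", "10.10.10.30")


def _to_int(addr):
    # Accepts dotted-quad strings or integers.
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    w = _to_int(wildcard)
    return (_to_int(addr) | w) == (_to_int(base) | w)


def parse_permits(config_text):
    """Map ACL number -> [(base, wildcard)] for 'access-list N permit A W' lines.

    Hypothetical helper: 'host', 'any' and 'deny' entries are not handled.
    """
    acls = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "access-list" and parts[2] == "permit":
            acls.setdefault(parts[1], []).append((parts[3], parts[4]))
    return acls


def unmatched(entries, first, last):
    """Addresses in [first, last] that fall through to the ACL's implicit deny."""
    return [
        str(ipaddress.IPv4Address(n))
        for n in range(_to_int(first), _to_int(last) + 1)
        if not any(wildcard_match(n, b, w) for b, w in entries)
    ]


if __name__ == "__main__":
    for number, entries in sorted(parse_permits(THREAD_ACLS).items()):
        missing = unmatched(entries, *POOL)
        print(f"ACL {number}: {len(missing)} pool addresses not permitted")
    wide = parse_permits(LATER_SUGGESTION)["1"]
    print("10.0.0.0 0.255.255.255 leaves unmatched:", unmatched(wide, *POOL))
```

In the posted configuration ACL 1 feeds `ip nat inside source list 1`, while ACL 23 is the `access-class` on the vty lines and the HTTP server, so the same pool is translated under the 0.0.0.31 mask but stays outside router management under the 0.0.0.7 mask.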
