11-18-2014 08:12 PM - edited 03-07-2019 09:34 PM
Hello all. I have set up a few trunks before between Cisco ASA5505 and Cisco 1252 access points, with no problem... However this one will not work for some reason, and I have been unable to find out why. If I put the port into Access Mode, I am able to access the Access Point's Management Interface on the Native Vlan (1), but once I enable Trunking Mode on the port, all communication stops. The goal is to provide a trunk for 2 VLANs running on 2 SSIDs.
EDIT: I did notice that the "switchport trunk native vlan" command is missing on this ASA5505 (only gives option for switchport trunk allowed); it does seem to appear in other versions. Is there a command I am missing somewhere to make this work?
Please help!!!
ASA5505:
ASA Version 8.0(2)
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5505 Security Plus license.
Switching Config:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxxxxxxxxx 255.255.255.248
!
interface Vlan3
nameif inet
security-level 50
ip address 10.10.0.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
description TO ACCESS POINT
switchport trunk allowed vlan 1,3
switchport mode trunk
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
ACCESS POINT CONFIG:
Cisco IOS Software, C1250 Software (C1250-K9W7-M), Version 12.4(10b)JDA3, RELEASE SOFTWARE (fc1)
dot11 ssid INET
vlan 3
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid Inside
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid Inside-5g
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxx
!
interface Dot11Radio0
no ip address
no ip route-cache
!
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 3 mode ciphers aes-ccm
!
broadcast-key change 3600
!
!
ssid INET
!
ssid Inside
!
mbssid
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key change 3600
!
!
ssid Inside-5g
!
dfs band 3 block
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
no cdp enable
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.3
encapsulation dot1Q 3
no ip route-cache
no cdp enable
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
!
interface BVI1
ip address 192.168.9.254 255.255.255.0
no ip route-cache
!
interface BVI3
ip address 10.10.0.254 255.255.255.0
no ip route-cache
11-19-2014 03:22 AM
Have you tried connecting the ASA trunk port to a Cisco switch with a trunk port? I believe your AP connection is directly connected to the firewall.
HTH
Reymon
11-19-2014 07:37 AM
Hello,
Unfortunately I don't have a Cisco Switch to connect to at the moment. Is there a command missing on either device?
Thanks kindly,
Steve Tolzmann
11-19-2014 04:16 PM
Hi Steve,
Can you do a show ver from your ASA? You should have a "security plus license" in order to configure a trunk port on the ASA FW.
Please rate if this is helpful.
HTH
Reymon
11-19-2014 04:23 PM
Reymon,
I did post the show Ver in my original post. This ASA does have the Security+ License, and has 20 Vlans with Trunking Enabled.
The ASA Software version is 8.0 as well.
Thanks,
Steve
11-19-2014 05:25 PM
Have you tried removing the native vlan in the config below, since the ASA FW doesn't support this feature?
interface Dot11Radio0.1
encapsulation dot1Q 1 native
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
HTH
-Reymon
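Added example, not part of any poster's reply: a small Python check that compares the wired-side 802.1Q tagging of the two configs posted in this thread and reports VLANs that one end sends untagged while the other expects a tag. It assumes that an ASA trunk port with no `switchport trunk native vlan` line tags every allowed VLAN; the function names and the excerpted config strings are this example's own.

```python
import re

# Excerpts of the two configs posted in the thread (wired side only).
ASA_CFG = """\
interface Ethernet0/4
description TO ACCESS POINT
switchport trunk allowed vlan 1,3
switchport mode trunk
!
"""
AP_CFG = """\
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
!
interface GigabitEthernet0.3
encapsulation dot1Q 3
!
"""

def asa_trunk(cfg, port):
    """Return (allowed VLAN set, native VLAN or None) for an ASA 5505 switch port."""
    block = re.search(rf"^interface {re.escape(port)}\n(.*?)^!", cfg, re.M | re.S)
    body = block.group(1) if block else ""
    allowed = re.search(r"^\s*switchport trunk allowed vlan ([\d,]+)", body, re.M)
    native = re.search(r"^\s*switchport trunk native vlan (\d+)", body, re.M)
    vlans = {int(v) for v in allowed.group(1).split(",")} if allowed else set()
    return vlans, int(native.group(1)) if native else None

def ap_wired_vlans(cfg, parent="GigabitEthernet0"):
    """Return {vlan: is_native} from the AP's wired dot1Q subinterfaces."""
    pat = rf"^interface {re.escape(parent)}\.\d+\n\s*encapsulation dot1Q (\d+)( native)?"
    return {int(v): bool(n) for v, n in re.findall(pat, cfg, re.M)}

def tagging_mismatches(asa_cfg, ap_cfg, port="Ethernet0/4"):
    """List VLANs where one end sends untagged frames and the other expects tags."""
    # Assumption: with no native VLAN configured, the ASA trunk tags all allowed VLANs.
    allowed, asa_native = asa_trunk(asa_cfg, port)
    ap = ap_wired_vlans(ap_cfg)
    issues = []
    for vlan in sorted(allowed | set(ap)):
        if vlan not in ap or vlan not in allowed:
            issues.append((vlan, "not carried on both ends"))
        elif ap[vlan] != (vlan == asa_native):
            issues.append((vlan, "untagged on one end, tagged on the other"))
    return issues

if __name__ == "__main__":
    for vlan, why in tagging_mismatches(ASA_CFG, AP_CFG):
        print(f"VLAN {vlan}: {why}")
```

The parser handles comma-separated VLAN lists only, which is what the posted config uses; VLAN ranges would need extra handling.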