Hello all. I have set up a few trunks before between Cisco ASA5505 and Cisco 1252 access points with no problem. However, this one will not work for some reason, and I have been unable to find out why. If I put the port into Access Mode, I am able to access the Access Point's Management Interface on the Native VLAN (1), but once I enable Trunking Mode on the port, all communication stops. The goal is to provide a trunk for 2 VLANs running on 2 SSIDs.
EDIT: I did notice that the "switchport trunk native vlan" command is missing on this ASA5505 (it only gives the option for switchport trunk allowed); it does seem to appear in other versions. Is there a command I am missing somewhere to make this work?
Please help!!!
ASA5505:
ASA Version 8.0(2)
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5505 Security Plus license.
Switching Config:
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxxx 255.255.255.248
!
interface Vlan3
 nameif inet
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 description TO ACCESS POINT
 switchport trunk allowed vlan 1,3
 switchport mode trunk
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
ACCESS POINT CONFIG:
Cisco IOS Software, C1250 Software (C1250-K9W7-M), Version 12.4(10b)JDA3, RELEASE SOFTWARE (fc1)
dot11 ssid INET
 vlan 3
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid Inside
 vlan 1
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid Inside-5g
 vlan 1
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxx
!
interface Dot11Radio0
 no ip address
 no ip route-cache
!
!
 encryption vlan 1 mode ciphers aes-ccm
!
 encryption vlan 3 mode ciphers aes-ccm
!
 broadcast-key change 3600
!
!
 ssid INET
!
 ssid Inside
!
 mbssid
 channel 2437
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
!
 encryption mode ciphers aes-ccm
!
 encryption vlan 1 mode ciphers aes-ccm
!
 broadcast-key change 3600
!
!
 ssid Inside-5g
!
 dfs band 3 block
 mbssid
 channel dfs
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 no cdp enable
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 192.168.9.254 255.255.255.0
 no ip route-cache
!
interface BVI3
 ip address 10.10.0.254 255.255.255.0
 no ip route-cache
Have you tried connecting the ASA trunk port to a Cisco switch with a trunk port? I believe your AP connection is directly connected to the firewall.
HTH
Reymon
Hello,
Unfortunately I don't have a Cisco Switch to connect to at the moment. Is there a command missing on either device?
Thanks kindly,
Steve Tolzmann
Hi Steve,
Can you do a show ver from your ASA? You should have a "security plus license" in order to configure a trunk port on the ASA FW.
Please rate if this is helpful.
HTH
Reymon
Reymon,
I did post the show ver in my original post. This ASA does have the Security+ License, and has 20 VLANs with Trunking Enabled.
The ASA Software version is 8.0 as well.
Thanks,
Steve
Have you tried removing the native VLAN in the config below, since the ASA FW doesn't support this feature?
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
HTH
-Reymon
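The tagging disagreement the last reply points at can be checked mechanically by comparing, per VLAN, how each end of the trunk sends frames. This is an added example, not code from any poster in the thread; the config strings are constructed excerpts of the posted configs, the function names are hypothetical, and it assumes (as the reply above suggests) that a trunk port on this ASA release tags every allowed VLAN when no native-VLAN line is present.

```python
import re

# Constructed excerpts of the two configs posted in the thread.
ASA_PORT = """interface Ethernet0/4
 switchport trunk allowed vlan 1,3
 switchport mode trunk
"""
AP_SUBIFS = """interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
interface GigabitEthernet0.3
 encapsulation dot1Q 3
"""

def expand(vlans):
    """Expand an allowed-VLAN list such as '1,3' or '1-3,10' into ints."""
    ids = set()
    for part in vlans.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def asa_tagging(cfg):
    """Map VLAN id -> 'tagged'/'untagged' for one ASA 5505 switchport stanza."""
    allowed = re.search(r"switchport trunk allowed vlan ([\d,-]+)", cfg)
    if not allowed or "switchport mode trunk" not in cfg:
        return {}
    native = re.search(r"switchport trunk native vlan (\d+)", cfg)
    native_id = int(native.group(1)) if native else None
    # Assumption: with no native-vlan line, every allowed VLAN leaves tagged.
    return {v: "untagged" if v == native_id else "tagged"
            for v in expand(allowed.group(1))}

def ap_tagging(cfg):
    """Map VLAN id -> tagging from the AP's dot1Q subinterface lines."""
    return {int(v): "untagged" if native else "tagged"
            for v, native in re.findall(r"encapsulation dot1Q (\d+)( native)?", cfg)}

def trunk_mismatches(asa, ap):
    """List (vlan, asa_side, ap_side) wherever the two ends disagree."""
    return [(v, asa.get(v, "absent"), ap.get(v, "absent"))
            for v in sorted(set(asa) | set(ap)) if asa.get(v) != ap.get(v)]

if __name__ == "__main__":
    for vlan, a, b in trunk_mismatches(asa_tagging(ASA_PORT), ap_tagging(AP_SUBIFS)):
        print(f"VLAN {vlan}: ASA sends {a}, AP expects {b}")
```

A VLAN reported as "absent" on one side is worth the same attention as a tagging mismatch, since the two security zones (inside and inet here) are only kept apart if both ends agree on which VLANs cross the trunk.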