01-11-2012 01:06 PM - edited 07-03-2021 09:21 PM
I know someone out there has the answer for this. I am in the process of installing an Aironet 1140 standalone AP. I have not worked with these APs before. I will be connecting it to one of the PoE ports on the existing ASA 5505. My goal is to have 2 SSIDs, one for the internal network and one for guest internet only, no access to the internal LAN. I want to have the internal wifi clients and the guest clients on separate IP networks. The internal clients obtain DHCP from the existing server and use the ASA DHCP server for the guest clients. And of course, I would like the ability to manage the AP from the internal network. I am providing copies of my current configs for both the ASA and Aironet. I'm stumped!
01-12-2012 07:01 AM
Hi Steven, I had a look at the configuration and found the below:
AP: The BVI interface IP address should be in the native VLAN range. In this configuration it is in VLAN 1 (it should be in VLAN 3).
VLAN 3 must be allowed on the trunk on the firewall interface, i.e. eth0/7.
FW: VLANs 1 & 2 are assigned to the inside & outside interfaces of the firewall and are also used for an SSID on the AP. I think you should not use VLANs 1 & 2 on the AP (don't use the VLANs assigned to the outside/inside interfaces).
Assuming that you create VLANs 3, 4, 5, please configure DHCP relay on the VLAN for the internal network clients so that they can reach the DHCP server.
There needs to be a rule (ACL) set to allow the internal network client subnets to reach the inside network, as the security level of the AP-connected interface is 50.
I hope this helps.
---
Posted by WebUser Kumarguru Balasubramanyam
01-12-2012 07:07 PM
Thanks for the reply, but I have to claim ignorance on my part. Since I've not worked with the Aironet APs before, it required a bit more understanding of VLANs than I had. After working a frustratingly long time with this, I ended up calling Cisco support. They were able to shine some light on what the problem was, and a simple fix it was. Unfortunately, the solution you provided, although appreciated, was not in the right direction. Here is what I had to do.
Once I made the changes, BAM! I was able to connect to the internal SSID and obtain an IP from the internal DHCP server. I could access internal resources and the internet. Now, all that was needed was to create a DHCP pool on the ASA for the "guest" connection. Then a NAT cmd from the "outside" and "guest" interfaces and BAM! I was able to connect to the guest SSID, obtain an IP and access the internet only. The key was the VLANs on the AP needed to match the respective VLANs on the ASA. My understanding was the native VLAN only needed to match between the devices, which is what I did in the config files I posted. What a mind freak it was, but now I know.
When I get the time, I'm going to create a detailed doc for others out there with this situation.
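The fix described above (SSID VLAN IDs on the AP matching the ASA VLANs, a DHCP pool and NAT on the ASA for the guest side, the AP's management address in the native VLAN, and an explicit ACL keeping guests off the inside subnet) as an added example; this is constructed configuration, not the configs posted in this thread, and the 192.168.x addresses, VLAN numbers, names, DNS server and pre-shared key are all placeholders. It assumes ASA 8.3+ NAT syntax and an autonomous-IOS Aironet 1140 with inside on VLAN 1 and guest on VLAN 3.

```cisco
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan3
 nameif guest
 security-level 50
 ip address 192.168.3.1 255.255.255.0
interface Ethernet0/7
 switchport mode trunk
 switchport trunk allowed vlan 1,3
dhcpd address 192.168.3.10-192.168.3.100 guest
dhcpd dns 8.8.8.8 interface guest
dhcpd enable guest
access-list GUEST_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest
object network GUEST_NET
 subnet 192.168.3.0 255.255.255.0
 nat (guest,outside) dynamic interface
! --- Aironet 1140 (autonomous IOS): SSID VLAN IDs match the ASA VLANs ---
dot11 ssid INTERNAL
 vlan 1
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii EXAMPLE-PSK-CHANGE-ME
 mbssid guest-mode
dot11 ssid GUEST
 vlan 3
 authentication open
 mbssid guest-mode
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 mbssid
 ssid INTERNAL
 ssid GUEST
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 bridge-group 3
interface BVI1
 ip address 192.168.1.5 255.255.255.0
```

The explicit deny in GUEST_IN means guest isolation does not rest on the security-level ordering alone, and trunk ports on a 5505 require the Security Plus license. On ASA releases before 8.3 the object NAT lines become nat (guest) 1 0.0.0.0 0.0.0.0 with global (outside) 1 interface.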
04-20-2012 01:28 PM
Have you had time to create the detailed document? If not can you setup a link to the completed configs? It might help get a better picture of the whole setup.
Thanks in advance,
02-28-2014 11:28 AM
Steven,
Can you post your config?