Please Help! Configure ASA 5505 and Aironet 1140 Multiple SSIDs

stevenmorgan
Level 1

I know someone out there has the answer for this. I am in the process of installing an Aironet 1140 standalone AP. I have not worked with these APs before. I will be connecting it to one of the PoE ports on the existing ASA 5505. My goal is to have 2 SSIDs, one for the internal network and one for guest internet only, with no access to the internal LAN. I want to have the internal wifi clients and the guest clients on separate IP networks. The internal clients should obtain DHCP from the existing server, and the guest clients should use the ASA DHCP server. And of course, I would like the ability to manage the AP from the internal network. I am providing copies of my current configs for both the ASA and Aironet. I'm stumped!

5 Replies

kumarguru1
Level 1

Hi Steven, I had a look at the configuration and found the following:

AP: The BVI interface IP address should be in the native VLAN range. In this configuration it is in VLAN 1 (it should be in VLAN 3).

VLAN 3 must be allowed on the trunk on the firewall interface, i.e. Eth0/7.

FW: VLANs 1 & 2 are assigned to the inside & outside interfaces of the firewall and are also used for SSIDs on the AP. I think you should not use VLANs 1 & 2 on the AP (don't use the VLANs assigned to the outside/inside interfaces).

Assuming that you create VLANs 3, 4, 5, please configure DHCP relay on the VLAN for the internal network clients so that they can reach the DHCP server.

There needs to be a rule (ACL) set to allow the internal network client subnets to reach the inside network, as the security level of the AP-connected interface is 50.

I hope this helps.


Thanks for the reply, but I have to claim ignorance on my part. Since I've not worked with the Aironet APs before, it required a bit more understanding of VLANs than I had. After working a frustratingly long time with this, I ended up calling Cisco support. They were able to shine some light on what the problem was, and a simple fix it was. Unfortunately, the solution you provided, although appreciated, was not in the right direction. Here is what I had to do.

  • On the AP, I removed VLAN 2 and retained VLANs 1 and 3. Reassigned the "guest" SSID from VLAN 2 to VLAN 3. Assigned VLAN 1 as the native instead of VLAN 3.

  • On the ASA, I reassigned the native VLAN from 3 to 1. Removed the "switchport access vlan 3" cmd from interface E0/7 (where the AP is connected). Also, changed the allowed VLANs to 1 and 3.

Once I made the changes, BAM! I was able to connect to the internal SSID and obtain an IP from the internal DHCP server. I could access internal resources and the internet. Now, all that was needed was to create a DHCP pool on the ASA for the "guest" connection. Then a NAT cmd between the "outside" and "guest" interfaces, and BAM! I was able to connect to the guest SSID, obtain an IP and access the internet only. The key was that the VLANs on the AP needed to match the respective VLANs on the ASA. My understanding was that only the native VLAN needed to match between the devices, which is what I did in the config files I posted. What a mind freak it was, but now I know.

When I get the time, I'm going to create a detailed doc for others out there with this situation.
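Steven's fix, written out as a complete matched pair of configs. This is an added example for the thread, not the configs Steven posted or Cisco's reference material; the addressing (192.168.1.0/24 inside on VLAN 1, 192.168.3.0/24 guest on VLAN 3), the ASA 8.3+ object NAT form, the outside-interface addressing, and the DNS and PSK placeholder values are assumptions. The point it shows is that VLAN 1 and VLAN 3 have to mean the same thing on both ends of the trunk (matching only the native VLAN is not enough), and that guest isolation and guest DHCP are enforced on the ASA, not on the AP.

```text
! ===== ASA 5505 (example; ASA 8.3+ NAT syntax assumed) =====
! Assumed addressing: inside 192.168.1.0/24 on VLAN 1, guest 192.168.3.0/24 on VLAN 3.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif guest
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! AP port: a trunk whose native VLAN (1) and allowed VLANs (1,3) match the AP below.
! The original mismatch (native 3 here, a different VLAN set on the AP) is what broke
! client traffic. Trunk ports on the 5505 need a license that permits trunking.
interface Ethernet0/7
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
!
! Guest clients get addresses from the ASA. Internal clients sit in VLAN 1 and reach the
! existing DHCP server at layer 2, so no relay is needed for them.
! 192.0.2.53 is a placeholder: point guests at a public resolver, not the internal DNS.
dhcpd address 192.168.3.50-192.168.3.100 guest
dhcpd dns 192.0.2.53 interface guest
dhcpd enable guest
!
! PAT guest traffic behind the outside interface address.
object network GUEST-NET
 subnet 192.168.3.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! Security level 50 < 100 already denies guest->inside by default; the explicit ACL keeps
! that intent visible and stays correct if permits are added later (once an ACL is bound
! to the interface, the implicit security-level rule no longer applies).
access-list GUEST-IN extended deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list GUEST-IN extended permit ip 192.168.3.0 255.255.255.0 any
access-group GUEST-IN in interface guest

! ===== Aironet 1140 autonomous AP (example) =====
! Same VLAN numbers the ASA trunk carries: 1 (native, internal clients + management)
! and 3 (guest). Each SSID's VLAN must exist on both sides, not just the native one.
dot11 ssid internal
 vlan 1
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii PLACEHOLDER-PSK
 mbssid guest-mode
!
dot11 ssid guest
 vlan 3
 authentication open
 mbssid guest-mode
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 ssid internal
 ssid guest
 mbssid
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 bridge-group 3
!
! Management address lives in the native VLAN (bridge-group 1 -> BVI1), so the AP is
! reachable from the internal network and not from the guest VLAN.
interface BVI1
 ip address 192.168.1.2 255.255.255.0
```

A quick check after applying this: a guest client should get a 192.168.3.x lease from the ASA, reach the internet via the outside address, and get no reply from 192.168.1.x hosts or from the AP's BVI address, while an internal client still gets its lease from the existing server on VLAN 1.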

Have you had time to create the detailed document? If not, can you set up a link to the completed configs? It might help get a better picture of the whole setup.

Thanks in advance,

Steven,

Can you post your config?
