Re: 891W Guest Vlan WIFI unable to access internet

paul.sheehan · ‎04-09-2013

Has anyone had an issue creating a guest vlan to use the WIFI on an 891W router? The IOS is version 15.1. I have created discreet Vlan's and setup subinterfaces on both the WLAN_AP0 and GigaEthernet 0 interfaces with dot1q encapsulation. The client will receive an IP from the pool but cannot ping or connect beyond the default gateway.

The external interface is using Nat overload and all wired clients are successful in connecting to outside addresses. I have insert a permit any statement in the acl which affects the external port but still no success.

Ideas?

Stephen Rodriguez · ‎04-09-2013

Did you set ip NAT inside on the guest interface?

Can you share the router side config?

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

paul.sheehan · ‎04-10-2013

Hi Stephen;

Thanks for your reply.

I will recheck the ip nat inside for this wlan interface today when onsite. I assume it will need to be applied to both 2.4 and 5 GHz radios as it is unknown what device the guests would attach?

Since the corp users need to exit the gigaEth interface too this interface has an IP set on it to allow NAT overload outside. Will this impede the subinterfaces on that physical in any way?

paul.sheehan · ‎04-10-2013

Hi Stephen;

Here is the last config. Thanks for all the advice.

Abhishek Abhishek · ‎04-10-2013

Hello Paul,

As per your issue of not able to create a guest vlan to use WIFI.I can suggest you the following solution-

Make sure that the trunk has been established between the interfaces. And moreover on the access-list you are configuring you must be specific in permitting the users from the guest user. Make sure the access-list is applied on the proper interface and in the correct direction.

Hope this might work.

paul.sheehan · ‎04-10-2013

Hi Abhishek.

Thanks for your reply.

The outside interface has no outbound ACL but one inbound. This ACL had a temporary permit any any applied for testing with no success. However it had a permit for the guest network prior as well.

Both the guest VLan and the physical gigaEthernet interface are configured as subinterfaces with the same VLan tag established. The same SSID and Vlan ID were placed on both of the 2.4 & 5 GHz radios.

Stephen Rodriguez · ‎04-10-2013

router side, interface vlan 17, you need to add ip nat inside.

for your nat acl/route-map, either add the 192.168.7.0 pemit statement to ACL 103, or add a second entry to the RMAP_1 with acl 104 allowed. Personally I would just add the 192.168.7.0 statement to acl 103.

test that and let me know if they can get interwebz access

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

paul.sheehan · ‎04-11-2013

Stephen;

We applied the nat and acl as suggested but with no success. The client has also stated he cannot receive an IP from the pool. When creating the pool do you need to define for both 2.4 and 5 GHz radios?