05-08-2014 10:36 AM - edited 07-05-2021 12:47 AM
I have a Cisco 881-W router with a built in access point.
The Fa4 WAN interface connects to the provider on a public /30 point-to-point.
The Fa0-3 LAN interfaces and the built in wireless access-point service an internal 192.168.1.0/24 network through DHCP.
I am looking to verify the correct template for getting this to work.
Specifically, I want any device connecting on the LAN ports or through wireless to get an IP in the range of 192.168.1.0/24 and go through PAT on the public WAN interface when it communicates to the internet.
The template I have is as follows (with significant config output omitted for brevity):
ROUTER CONFIG
!
hostname ROUTER1
!
...
!
ip dhcp excluded-address 192.168.1.1 192.168.1.2
!
ip dhcp pool DHCP_POOL
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.1.1
!
...
!
interface FastEthernet0
description Customer LAN
no ip address
!
interface FastEthernet4
description WAN-LINK
no shut
ip address $PUBLIC-RANGE-B-END$ 255.255.255.252
ip nat outside
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface wlan-ap0
description Wireless AP
ip unnumbered Vlan1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
....
!
ip route 0.0.0.0 0.0.0.0 $PUBLIC-RANGE-A-END$
!
!
ip nat inside source list 50 interface FastEthernet4 overload
!
access-list 50 permit 192.168.1.0 0.0.0.255
ACCESS POINT CONFIG (gain access to the AP by using the "service wlan-ap 0 session" CLI command)
hostname ROUTER1-ACCESS-POINT
!
!
dot11 ssid $SSID-NAME$
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 0 $SSID-PASSWORD$
!
interface Dot11Radio0
no ip address
no ip route-cache
no shut
!
encryption mode ciphers tkip
!
ssid $SSID-NAME$
!
...
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no shut
no ip address
bridge-group 1
...
!
interface BVI1
ip address 192.168.1.2 255.255.255.0
no ip route-cache
no shut
!
ip default-gateway 192.168.1.1
Can someone verify for me that this general template is correct? I am not sure if I need an ip nat inside command on the Access-point - I have tried to enter the command under BVI1 but the command does not seem to exist. Perhaps I need to put it under wlan-ap0 on the router config?
Wireless users are getting a DHCP IP but I need to make sure they can gain internet access as well.
If there is specific output that I have left out that you would like me to add let me know and I can add the whole config.
Thanks in advance.
05-08-2014 01:58 PM
Hi Steven,
You have to enable "ip nat inside" command under wlan-ap0 interface.
Also change the encryption to aes-ccm.
Regards
05-08-2014 02:19 PM
Hi Christos,
Thanks for that. I will be able to test this tomorrow.
Just to confirm though, you are suggesting I change the encryption to aes-ccm because it is a stronger encryption, not because it will have any effect on PAT and routing functionality of the setup - correct?
05-08-2014 02:29 PM
Hi Steven,
You are using wpa2 as key management so encryption should be aes-ccm.
Yes, it's more secure than tkip and doesn't affect the routing-pat functionality.
Regards.
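Added example (not part of the original thread and not Cisco code): a small Python check for the two changes suggested in the replies, a routed interface with no "ip nat inside"/"ip nat outside" and TKIP left enabled while the SSID uses WPA version 2. It assumes indented `show running-config` style input; the function names, sample address and SSID are constructed, and the NAT check is a heuristic for this template only.

```python
# Constructed samples: trimmed, indented copies of the configs posted above.
ROUTER_CFG = """\
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface wlan-ap0
 ip unnumbered Vlan1
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
"""
AP_CFG = """\
dot11 ssid EXAMPLE-SSID
 authentication open
 authentication key-management wpa version 2
interface Dot11Radio0
 encryption mode ciphers tkip
"""

def sections(cfg):
    """Group indented sub-commands under their unindented header line."""
    out, cur = {}, []
    for line in cfg.splitlines():
        cmd = line.strip()
        if cmd in ("", "!"):
            continue
        if line[0].isspace():
            cur.append(cmd)
        else:
            cur = out.setdefault(cmd, [])
    return out

def nat_gaps(router_cfg):
    """Routed interfaces with neither 'ip nat inside' nor 'ip nat outside'."""
    gaps = []
    for hdr, cmds in sections(router_cfg).items():
        routed = any(c.startswith(("ip address ", "ip unnumbered ")) for c in cmds)
        natted = "ip nat inside" in cmds or "ip nat outside" in cmds
        if hdr.startswith("interface ") and routed and not natted:
            gaps.append(hdr.split()[1])
    return gaps

def wpa2_tkip_radios(ap_cfg):
    """Radios whose cipher list includes TKIP while an SSID uses WPA version 2."""
    secs = sections(ap_cfg)
    if not any("authentication key-management wpa version 2" in c for c in secs.values()):
        return []
    return [h.split()[1] for h, cmds in secs.items() if h.startswith("interface Dot11Radio")
            and any(c.startswith("encryption mode ciphers") and "tkip" in c.split() for c in cmds)]

if __name__ == "__main__":
    print(nat_gaps(ROUTER_CFG), wpa2_tkip_radios(AP_CFG))
```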
05-12-2014 12:28 PM
Hi Christos,
Worked first time. No issues. Thanks so much for the help :)
05-28-2014 03:55 PM
You need to enable ip nat outside command over the proper interface.
09-09-2015 09:52 PM
Answers like yours are pretty much worthless. He is asking for advice on if the template is correct. What would actually be helpful is if you told him (us) which interface was the correct one for ip nat outside.
From what I see it is on the correct interface.
interface FastEthernet4
description WAN-LINK
no shut
ip address $PUBLIC-RANGE-B-END$ 255.255.255.252
ip nat outside
!