
Office Extend AP NAT Problem

greg.murray
Level 1

Hi

I have a wireless LAN Controller 5508 that is connected to a DMZ on an ASA 5520 that will provide wireless services to home users.

I have primed the access point(s) with the external IP of the controller. I see the requests come in through our perimeter router and hit the ASA. When I debug the controller, it sees the request and replies; however, the port it sees is 5257. I thought this should be UDP 5246 and 5247. See the debug on the WLC below:

*spamApTask7: Jan 24 13:44:57.422: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257

*spamApTask7: Jan 24 13:44:57.422: ec:c8:82:c3:71:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0

*spamApTask7: Jan 24 13:44:57.423: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257

*spamApTask7: Jan 24 13:44:57.423: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257

*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257

*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0

*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257

*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257

*spamApTask7: Jan 24 13:45:17.425: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257

I did see there was a known bug with the WLC and the NAT and have since upgraded to version 7.0.220.0.

I have run the packet trace on the FW from the outside -> dmz and from dmz to outside and the packet goes through.

Any thoughts on what might be up would be useful

Thanks

3 Replies

Stephen Rodriguez
Cisco Employee

Can you post the NAT config from the ASA?

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Outside Rtr

===========

interface GigabitEthernet0/0.1

description ### Link to Internet ###

ip address 94.136.227.xx 255.255.255.248 - external ip

ip nat outside

ip access-group OUTSIDE_IN in

!

interface GigabitEthernet0/1

description ### Link to Firewalls ###

ip address 172.16.100.254 255.255.255.0

ip nat inside

!

ip nat inside source static 172.16.10.1 94.136.227.xx - controller NAT

ip access-list extended OUTSIDE_IN

permit udp any host 94.136.227.xx eq 5246

permit udp any host 94.136.227.xx eq 5247

ASA

===

global (wireless-dmz) 1 interface

nat (wireless-dmz) 1 172.16.10.0 255.255.255.0

static (wireless-dmz,OUTSIDE) 172.16.10.1 172.16.10.1 netmask 255.255.255.255

access-group wireless-dmz_access_in in interface wireless-dmz

Scott Fella
Hall of Fame

I was just testing this yesterday and got it to work.... The AP will use UDP 5246 & 5247, and when I was testing, I didn't use an ASA, but had to do NAT translation on my router (test lab). The port will not be 5246 or 5247 since the other router will NAT using a different port. Here is my log:

udp 72.57.26.241:5246     192.168.221.27:5246   71.238.159.119:5266   71.238.159.119:5266

udp 72.57.26.241:5246     192.168.221.27:5246   ---                   ---

udp 72.57.26.241:5247     192.168.221.27:5247   71.238.159.119:5266   71.238.159.119:5266

udp 72.57.26.241:5247     192.168.221.27:5247   ---                   ---

*Jan 24 02:41:08.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 72.57.26.241 peer_port: 5246

*Jan 24 02:41:08.001: %CAPWAP-5-CHANGED: CAPWAP changed state to

wmmAC status is FALSE

*Jan 24 02:41:09.491: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 72.57.26.241 peer_port: 5246

*Jan 24 02:41:09.492: %CAPWAP-5-SENDJOIN: sending Join Request to 72.57.26.241

*Jan 24 02:41:09.492: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN

*Jan 24 02:41:09.697: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG

*Jan 24 02:41:10.123: %CAPWAP-5-CHANGED: CAPWAP changed state to UP

*Jan 24 02:41:10.343: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC-2504

-Scott
*** Please rate helpful posts ***
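Added example, not code from any poster in this thread: a small Python parser for the WLC `spamApTask` debug lines shown in the first post. It reports, per AP, the peer port the controller sees and whether the AP keeps repeating discovery although the controller answers. The function name, field names and the threshold of three requests are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Subset of the WLC debug lines from the first post, embedded as sample input.
SAMPLE = """\
*spamApTask7: Jan 24 13:44:57.422: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
*spamApTask7: Jan 24 13:44:57.423: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:17.425: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
"""

LINE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+): (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"Discovery (?P<kind>Request from|Response sent to) (?P<ip>[\d.]+):(?P<port>\d+)")

CAPWAP_PORTS = {5246, 5247}  # controller-side UDP ports named in the thread

def summarize(text, loop_threshold=3):
    """Per-AP summary of discovery traffic found in WLC debug output."""
    aps = defaultdict(lambda: {"requests": [], "responses": 0, "peers": set()})
    for m in LINE.finditer(text):
        ap = aps[m["mac"]]
        ap["peers"].add((m["ip"], int(m["port"])))
        if m["kind"].startswith("Request"):
            ap["requests"].append(int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"]))
        else:
            ap["responses"] += 1
    report = {}
    for mac, ap in aps.items():
        t = ap["requests"]
        report[mac] = {
            "requests": len(t),
            "responses": ap["responses"],
            "retry_gaps_s": [round(b - a) for a, b in zip(t, t[1:])],
            # Per the reply above, the AP-side port need not be 5246/5247 behind NAT.
            "peer_port_not_capwap": all(p not in CAPWAP_PORTS for _, p in ap["peers"]),
            # Requests keep arriving although the controller logged a response to them.
            "discovery_loop": len(t) >= loop_threshold and ap["responses"] >= len(t) - 1,
        }
    return report

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(mac, info)
```

On the sample lines the AP is reported with a 10-second retry interval, a peer port outside 5246/5247, and `discovery_loop` set.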