03-26-2009 07:08 AM - edited 07-03-2021 05:22 PM
Our wireless system is completely off our internal network. It's on its own cable broadband connection. The only thing that can touch our lightweight APs is our wireless server that has 2 NIC cards. One NIC has an IP just to manage the APs on their separate c2960 switch and the other NIC has an internal IP so we can remotely manage. How can I hook up these phones so they can reach our internal voice LAN without compromising the network? I have attached a diagram of our wireless setup. I was told I have to use one of the gigabit ports on the switch the APs connect through and connect it to my ASA box. Please advise. Thank You.
03-26-2009 04:05 PM
Have you read the Cisco Unified Wireless IP Phone 7925G Deployment Guide?
www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf
03-28-2009 02:22 PM
I have used GRE tunnels with Policy Based Routing in the past. This would require a L3 switch at the Access Points.
03-30-2009 04:04 AM
I would suggest you create a different SSID at your APs only for the telephones.
Set different security for this SSID, for best results use WPA2 with AES encryption.
Make sure this SSID is hooked up to a different VLAN, for example VLAN 99.
Make sure your Access Points have a trunk connection with the switch.
Create the vlan99 at the switch.
Statically set one of your switch ports to VLAN99 and connect that port with one of the ports of your ASA Firewall. Make the correct firewall settings so that you restrict access of that port only to the necessary IPs of your voice VLAN.
** Make sure you use a different IP subnet for your VLAN99!
04-14-2009 10:02 AM
"I have set up my network so that my wireless clients have no access to my internal network. How can I get some of my wireless clients access to my internal network?"
As things stand, you can't.
In order to make this work, you have to make a connection between your TOCWirelessSwitch and your internal LAN.
Now, there are obviously ways to make this as secure as possible - using an ASA and/or ACLs would be the obvious choices - but you will no longer have the complete physical isolation that you do now.
Of course, you would put your wireless phones on a separate SSID and VLAN from your data traffic, and make sure that the only traffic allowed to cross the new connection is restricted to the phone addresses and the specific ports your voice traffic uses.
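An added example, not part of any reply in this thread: a small Python audit that reads ASA-style extended ACL lines for the new connection and flags any permit wider than "phone addresses to the voice LAN on voice ports only". The subnets, the ACL name and the port list (SCCP, TFTP and RTP at common Cisco defaults) are assumptions, and the parser handles only numeric ports with no source-port operators or object-groups.

```python
import ipaddress

# Assumed values, not from the thread: phone subnet (VLAN 99), voice subnet, and
# SCCP / TFTP / RTP ports at common Cisco defaults. Replace with your own.
PHONE_NET = ipaddress.ip_network("10.99.0.0/24")
VOICE_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED = {("tcp", 2000, 2000), ("udp", 69, 69), ("udp", 16384, 32767)}

def take_addr(tok):
    """Consume one ASA address spec from the token list and return a network."""
    head = tok.pop(0)
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tok.pop(0)}")  # address + netmask

def ports(tok):
    """Parse a trailing 'eq N' or 'range A B'; no operator means every port."""
    if tok[:1] == ["eq"]:
        return int(tok[1]), int(tok[1])
    if tok[:1] == ["range"]:
        return int(tok[1]), int(tok[2])
    return 0, 65535

def audit(acl_text):
    """Return (line, reason) for every permit wider than the policy allows."""
    findings = []
    for line in acl_text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or "permit" not in tok:
            continue  # deny lines and non-ACL lines cannot widen access
        tok = tok[tok.index("permit") + 1:]
        proto, src, dst = tok.pop(0), take_addr(tok), take_addr(tok)
        lo, hi = ports(tok)
        if not src.subnet_of(PHONE_NET):
            findings.append((line, "source is wider than the phone subnet"))
        elif not dst.subnet_of(VOICE_NET):
            findings.append((line, "destination is outside the voice subnet"))
        elif not any(proto == p and a <= lo and hi <= b for p, a, b in ALLOWED):
            findings.append((line, "protocol/port is not a listed voice service"))
    return findings

# Constructed sample ACL for the ASA interface facing the wireless switch.
SAMPLE_ACL = """
access-list WVOICE_IN extended permit tcp 10.99.0.0 255.255.255.0 host 10.20.0.10 eq 2000
access-list WVOICE_IN extended permit udp 10.99.0.0 255.255.255.0 10.20.0.0 255.255.255.0 range 16384 32767
access-list WVOICE_IN extended permit ip 10.99.0.0 255.255.255.0 any
access-list WVOICE_IN extended permit tcp any host 10.20.0.10 eq 2000
"""
```

Running `audit(SAMPLE_ACL)` reports the last two lines: one opens the whole internal network to the phone subnet, the other lets any wireless client reach the call server.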